Bugzilla – Bug 868944
VUL-0: CVE-2014-2525: libyaml: heap overflow during parsing
Last modified: 2016-04-17 15:08:22 UTC
via distros / OCERT, CRD March 26th

Hello,

I'd like to inform you about a LibYAML vulnerability that has been reported to oCERT and that is set for disclosure (with our own advisory) on the 26th of March around 18:00 GMT.

The vulnerability is a heap overflow and was confirmed on LibYAML 0.1.5 (latest version). The vulnerability is caused by not properly expanding a string before writing to it in function yaml_parser_scan_uri_escapes in scanner.c on the following line:

    *(string->pointer++) = octet;

and can be triggered by parsing a .yaml file with a long sequence of percent-encoded characters in a URL.

Attached to this message is a PoC .yaml file that demonstrates the vulnerability. I am also attaching the patch provided by the LibYAML author, which has been verified by the reporter.

The issue has been discovered and reported by Ivan Fratric <ifratric@google.com> of the Google Security Team.

I should get a CVE assigned soon, I'll let you know when I get it.

Cheers

--
Andrea Barisani | Founder & Project Coordinator
oCERT | OSS Computer Security Incident Response Team
<lcars@ocert.org> http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"
Created attachment 582627: heap-overflow.patch (patch attached to report)
bugbot adjusting priority
I am testing it this way:

    install ruby1.9
    run irb1.9
    require "yaml"
    YAML.load_file "heap-overflow.yaml"

With the previous version, you should get a segmentation fault. With the patched version, just a parsing error, but no segmentation fault.
This is an autogenerated message for OBS integration: This bug (868944) was mentioned in https://build.opensuse.org/request/show/226763 12.3 / libyaml
The SWAMPID for this issue is 56726. This issue was rated as moderate. Please submit fixed packages by 2014-04-03. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by the security team.
public now

From: Andrea Barisani <lcars@ocert.org>
Subject: [oss-security] [oCERT-2014-003] LibYAML input sanitization errors
Date: Thu, 27 Mar 2014 00:07:31 +0100

#2014-003 LibYAML input sanitization errors

Description:

The LibYAML project is an open source YAML 1.1 parser and emitter written in C. The library is affected by a heap-based buffer overflow which can lead to arbitrary code execution. The vulnerability is caused by lack of proper expansion for the string passed to the yaml_parser_scan_uri_escapes() function. A specially crafted YAML file, with a long sequence of percent-encoded characters in a URL, can be used to trigger the overflow.

Affected version:

LibYAML <= 0.1.5

Fixed version:

LibYAML >= 0.1.6

Credit: vulnerability report received from Ivan Fratric of the Google Security Team.

CVE: CVE-2014-2525

Timeline:

2014-03-11: vulnerability report received
2014-03-14: maintainer provides patch for review
2014-03-17: reporter confirms patch
2014-03-17: disclosure coordinated on 2014-03-26
2014-03-18: contacted affected vendors
2014-03-18: assigned CVE
2014-03-26: LibYAML 0.1.6 released
2014-03-26: advisory release

References:

http://pyyaml.org/wiki/LibYAML
https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048

Permalink:

http://www.ocert.org/advisories/ocert-2014-003.html

--
Andrea Barisani | Founder & Project Coordinator
oCERT | OSS Computer Security Incident Response Team
<lcars@ocert.org> http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"
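The initial report and the advisory above describe the same defect: the scanner's URI-escape decoder stores each decoded octet with `*(string->pointer++) = octet;` without first making sure the growable string has room, so a long run of `%XX` escapes walks the write pointer off the end of the heap block. The following C program is an added illustration, not libyaml's code and not the attached heap-overflow.patch. It reimplements, under assumed names, a growable string with libyaml's start/pointer/end layout (`ystring_t`, `ystring_init`, `ystring_extend`, a `STRING_EXTEND` macro modelled on libyaml's), a decoder `decode_uri_escapes` modelled on the pre-fix and post-fix write paths, and a constructed input of repeated `%41` escapes standing in for the PoC's long percent-encoded URL. The unchecked path carries a tripwire so that the example never actually writes out of bounds; it reports where the real code would have.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable byte string with the start/pointer/end layout of libyaml's scanner
 * strings (reimplemented for this example; not libyaml's own code). */
typedef struct { unsigned char *start, *pointer, *end; } ystring_t;

#define YSTRING_INITIAL_SIZE 16   /* small, so the overflow point is easy to see */

static int ystring_init(ystring_t *s)
{
    s->pointer = s->start = calloc(YSTRING_INITIAL_SIZE, 1);
    s->end = s->start ? s->start + YSTRING_INITIAL_SIZE : NULL;
    return s->start != NULL;
}

/* Double the buffer, preserving contents and the current write position. */
static int ystring_extend(ystring_t *s)
{
    size_t size = (size_t)(s->end - s->start), used = (size_t)(s->pointer - s->start);
    unsigned char *p = realloc(s->start, size * 2);
    if (!p) return 0;
    memset(p + size, 0, size);
    s->start = p; s->pointer = p + used; s->end = p + size * 2;
    return 1;
}

/* Modelled on libyaml's STRING_EXTEND macro: guarantee at least 5 spare bytes. */
#define STRING_EXTEND(s) (((s)->pointer + 5 < (s)->end) || ystring_extend(s))

static int hex_val(int c)
{
    return (c >= '0' && c <= '9') ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10
         : (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}

/* Decode the run of "%XX" escapes at the start of `in` into `s`; returns octets
 * stored, or -1 on a malformed escape.  checked == 0 is the pre-fix path (store
 * with no capacity check); checked == 1 is the fix (extend before every store).
 * So the example never really writes out of bounds, the unchecked path carries a
 * tripwire: when the write position reaches s->end it sets *overflowed and stops,
 * which is exactly where libyaml 0.1.5 kept writing past the heap allocation. */
static int decode_uri_escapes(ystring_t *s, const char *in, int checked,
                              int *overflowed)
{
    int count = 0;
    *overflowed = 0;
    while (in[0] == '%') {
        int hi = hex_val((unsigned char)in[1]), lo = hex_val((unsigned char)in[2]);
        if (hi < 0 || lo < 0) return -1;              /* "did not find URI escaped octet" */
        if (checked && !STRING_EXTEND(s)) return -1;  /* the fix: grow the string first */
        if (s->pointer >= s->end) { *overflowed = 1; return count; }   /* tripwire */
        *(s->pointer++) = (unsigned char)((hi << 4) | lo);   /* the store from the report */
        in += 3;
        count++;
    }
    return count;
}

/* Run one path over a constructed run of n "%41" escapes (the byte 'A'), standing
 * in for the PoC's long percent-encoded URL.  Returns octets stored after checking
 * they all decoded to 'A'; *overflowed reports whether the tripwire fired. */
static int run_decoder(size_t n, int checked, int *overflowed)
{
    ystring_t s;
    char *in = malloc(n * 3 + 1);
    int stored;
    *overflowed = 0;
    if (!in || !ystring_init(&s)) { free(in); return -1; }
    for (size_t i = 0; i < n; i++) memcpy(in + i * 3, "%41", 3);
    in[n * 3] = '\0';
    stored = decode_uri_escapes(&s, in, checked, overflowed);
    for (int i = 0; i < stored; i++) if (s.start[i] != 'A') stored = -1;
    free(s.start); free(in);
    return stored;
}

/* Octets the pre-fix path stored before running off the end, or -1 if the run fit. */
static int unchecked_stored_before_overflow(size_t n)
{
    int ov, stored = run_decoder(n, 0, &ov);
    return ov ? stored : -1;
}

/* Octets the fixed path stored, or -1 if the tripwire fired (it never should). */
static int checked_stores(size_t n)
{
    int ov, stored = run_decoder(n, 1, &ov);
    return ov ? -1 : stored;
}

int main(void)
{
    printf("pre-fix path: stored %d octets, then ran off a %d-byte buffer\n",
           unchecked_stored_before_overflow(100), YSTRING_INITIAL_SIZE);
    printf("fixed path:   stored %d octets, growing the buffer as needed\n", checked_stores(100));
    return 0;
}
```

With a 16-byte initial buffer, the unchecked path stores 16 octets and then reaches the end of the allocation on the 17th escape; in the real scanner that store lands on the adjacent heap chunk, which is the crash the Ruby test in this bug reproduces. The fixed path grows the string before every store, so any length of escape run only costs allocations. The 5-byte reserve mirrors what libyaml's macro leaves, enough for the longest UTF-8 sequence a single escape group can produce plus a terminator; the point of the fix is simply that the reserve has to be checked on the escape path as it already was on the plain-character path.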
Jordi, can you also submit openSUSE fixes? And SLE12 GA still has 0.1.4; it could still be upgraded to 0.1.6.
Update released for: libyaml, libyaml-0-2
Products: SUSE-CLOUD 3.0 (x86_64)
Update released for: libyaml, libyaml-0-2, libyaml-debuginfo, libyaml-debugsource, libyaml-devel
Products: SLE-STUDIOONSITE 1.3 (x86_64), SUSE-MANAGER 1.7 (x86_64)
This is an autogenerated message for OBS integration: This bug (868944) was mentioned in https://build.opensuse.org/request/show/227722 12.3 / libyaml https://build.opensuse.org/request/show/227723 13.1 / libyaml
SUSE-SU-2014:0456-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 860617,868944
CVE References: CVE-2013-6393,CVE-2014-2525
Sources used:
SUSE Studio Onsite 1.3 (src): libyaml-0.1.3-0.10.12.1
SUSE Manager 1.7 for SLE 11 SP2 (src): libyaml-0.1.3-0.10.12.1
SUSE Cloud 3 (src): libyaml-0.1.3-0.10.12.1
Update for openSUSE and SLE12 GA has been submitted.
This is an autogenerated message for OBS integration: This bug (868944) was mentioned in https://build.opensuse.org/request/show/228178 Factory / libyaml
openSUSE-SU-2014:0500-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 868944
CVE References: CVE-2014-2525
Sources used:
openSUSE 13.1 (src): libyaml-0.1.4-2.12.1
openSUSE 12.3 (src): libyaml-0.1.3-11.12.1
This is an autogenerated message for OBS integration: This bug (868944) was mentioned in https://build.opensuse.org/request/show/285086 13.2+13.1 / perl-YAML-LibYAML
openSUSE-SU-2015:0319-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 751503,860617,868944,907809,911782
CVE References: CVE-2012-1152,CVE-2013-6393,CVE-2014-2525,CVE-2014-9130
Sources used:
openSUSE 13.2 (src): perl-YAML-LibYAML-0.59-2.4.1
openSUSE 13.1 (src): perl-YAML-LibYAML-0.59-6.4.1

SUSE-SU-2015:0953-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 860617,868944,907809,911782
CVE References: CVE-2013-6393,CVE-2014-2525,CVE-2014-9130
Sources used:
SUSE Linux Enterprise Server 12 (src): perl-YAML-LibYAML-0.38-10.1

SUSE-SU-2015:0953-2: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 860617,868944,907809,911782
CVE References: CVE-2013-6393,CVE-2014-2525,CVE-2014-9130
Sources used:
SUSE Linux Enterprise Server 12 (src): perl-YAML-LibYAML-0.38-10.1
SUSE Linux Enterprise Desktop 12 (src): perl-YAML-LibYAML-0.38-10.1

openSUSE-SU-2016:1067-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 860617,868944,907809,911782
CVE References: CVE-2013-6393,CVE-2014-2525,CVE-2014-9130
Sources used:
openSUSE Leap 42.1 (src): perl-YAML-LibYAML-0.38-4.1