Bug 1033990 (CVE-2013-6393)

Summary: CVE-2013-6393 libyaml: heap-based buffer overflow when parsing YAML tags
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Target Release: ---
Fixed In Version: libyaml 0.1.5
Doc Type: Bug Fix
Last Closed: 2014-11-06 09:43:46 UTC
Reporter: Murray McAllister <mmcallis>
Assignee: Red Hat Product Security <security-response-team>
Keywords: Security
CC: abaron, aortega, apevec, ayoung, bdunne, bgollahe, bhu, bkearney, bleanhar, carnil, ccoleman, chrisw, cpelland, cperry, dajohnso, ddm, dmcphers, drieden, esammons, fweimer, gkotton, gmollett, iboverma, iheim, jdetiber, jeckersb, jfrey, jialiu, jkurik, jmatthew, jomara, jplesnik, jrafanie, jross, jrusnack, katello-bugs, kseifried, lhh, lmeyer, markmc, matt, mcressma, mmaslano, mmccune, mmcgrath, mmraka, mrg-program-list, nobody+bgollahe, obarenbo, ohadlevy, paul, perl-devel, pfrields, postmodern.mod3, rbryant, rhos-maint, sclewis, security-response-team, taw, tdawson, tremble, tsanders, vdanen, vondruch, williams, xlecauch, yeylon
Bug Depends On: 1059008, 1059009, 1059010, 1059113, 1059115, 1059116, 1059117, 1059347, 1079283, 1079299, 1079306, 1079307, 1079308, 1081385, 1081386, 1083710, 1083711
Bug Blocks: 1033661, 1033991, 1051378

Attachments:

- String overflow patch (flags: none)
- libyaml-node-id-hardening.patch (flags: none)
- libyaml-indent-column-overflow-v2.patch (flags: none)

Description Murray McAllister 2013-11-25 01:11:44 UTC
A heap-based buffer overflow flaw was found in the way libyaml parsed YAML tags. A remote attacker could provide a specially-crafted YAML document that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

Acknowledgements:

This issue was discovered by Florian Weimer of the Red Hat Product Security Team.

Comment 9 Garth Mollett 2014-01-09 23:04:20 UTC
Created attachment 847926 [details]
String overflow patch

This is a proposed patch from Florian Weimer <fweimer> for the string
overflow issue. It has been ack'd by upstream.

Comment 10 Garth Mollett 2014-01-09 23:13:18 UTC
Created attachment 847934 [details]
libyaml-node-id-hardening.patch

This is a hardening patch also from Florian Weimer <fweimer>.
It is not required to fix this CVE however it improves the robustness of the code
against future issues by avoiding large node ID's in a central place.

Comment 15 John Eckersberg 2014-01-28 01:07:33 UTC
Created attachment 856317 [details]
libyaml-indent-column-overflow-v2.patch

This expands upon the original indent column overflow patch from comment #12.

The default parser indention is represented as an indention of -1.  The original patch only modified the type of the column parameter to the roll/unroll functions, changing it from int to size_t to guard against integer overflow.  However, there are code paths that call yaml_parser_unroll_indent with a column of -1 in order to reset the parser back to the initial indention.  Since the column is now of type size_t and thus unsigned, passing a column value of -1 caused the column to underflow in this case.

This new patch modifies the roll/unroll functions to handle the -1 indent as a special case.  In addition, it adds a new function, yaml_parser_reset_indent.  It is nearly an exact copy of yaml_parser_unroll_indent, except it does not take a column parameter.  Instead it unrolls to a literal -1 indention, which does not suffer from the underflow.

Code paths that previously called yaml_parser_unroll_indent with a column of -1 are updated to call the new yaml_parser_reset_indent function instead.

With this patch instead of the original:

- `make check` still passes

- The reproducer script completes successfully with exit code 0

- The issue raised by John Haxby has been corrected and exits with SUCCESS
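The underflow described in this comment, as an added example that is not part of the bug report or of libyaml's code: a simplified, constructed model of the roll/unroll indent logic showing why a reset column of -1 passed through a size_t parameter never unrolls anything, and how a parameterless reset to the -1 sentinel avoids the problem. The names scanner_t, roll_indent, unroll_indent_size_t, reset_indent and block_ends_after_reset are assumptions made for this example.

```c
#include <stddef.h>

/* Simplified model of the scanner's indentation state, constructed for this
 * example (not libyaml's own code). The top-level indent is the sentinel -1. */
#define MAX_INDENTS 16
typedef struct {
    int indent;               /* current indentation column, -1 at top level */
    int indents[MAX_INDENTS]; /* stack of enclosing indentation levels */
    int indents_len;
    int block_end_tokens;     /* BLOCK-END tokens a real scanner would enqueue */
} scanner_t;

/* Enter a deeper block: push the current indent and adopt the new column. */
static void roll_indent(scanner_t *s, int column) {
    if (s->indent < column && s->indents_len < MAX_INDENTS) {
        s->indents[s->indents_len++] = s->indent;
        s->indent = column;
    }
}

/* Naive first patch: column widened to size_t. A caller resetting with -1 now
 * passes SIZE_MAX, so "indent > column" is never true and nothing unrolls. */
static void unroll_indent_size_t(scanner_t *s, size_t column) {
    while ((size_t)s->indent > column && s->indents_len > 0) {
        s->block_end_tokens++;
        s->indent = s->indents[--s->indents_len];
    }
}

/* Fixed approach: a dedicated reset unrolls to the literal -1 sentinel, so no
 * unsigned column value is involved. */
static void reset_indent(scanner_t *s) {
    while (s->indent > -1 && s->indents_len > 0) {
        s->block_end_tokens++;
        s->indent = s->indents[--s->indents_len];
    }
}

/* Roll two nested block levels, then reset with either variant; returns the
 * number of BLOCK-END tokens produced (2 for a correct reset, 0 when broken). */
int block_ends_after_reset(int use_fixed) {
    scanner_t s = { .indent = -1 };
    roll_indent(&s, 0);
    roll_indent(&s, 2);
    if (use_fixed) reset_indent(&s);
    else unroll_indent_size_t(&s, (size_t)-1);
    return s.block_end_tokens;
}
```

The missing BLOCK-END tokens are what made the first patch's parser fail on otherwise valid documents, which is the kind of regression `make check` should catch.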

Comment 17 Murray McAllister 2014-01-29 00:45:16 UTC
Created libyaml tracking bugs for this issue:

Affects: fedora-all [bug 1059009]
Affects: epel-all [bug 1059010]

Comment 20 Garth Mollett 2014-01-29 08:57:16 UTC
Statement:

The Red Hat security response team has rated this issue as having low security impact in Red Hat Enterprise MRG 1 and 2, CloudForms 3, and Red Hat Network Satellite 5. This issue is not currently planned to be addressed in future updates.

The Red Hat security response team has rated this issue as having low security impact in Red Hat Update Infrastructure. A future update may address this issue. 

The Red Hat security response team has rated this issue as having moderate security impact in Subscription Asset Manager 1. A future update may address this issue.

For additional information, refer to the Issue Severity Classification:
https://access.redhat.com/security/updates/classification/

Comment 21 postmodern 2014-02-04 07:03:21 UTC
libyaml 0.1.5 has now been released (https://bitbucket.org/xi/libyaml/get/0.1.5.tar.gz) which now includes the patches (https://bitbucket.org/xi/libyaml/commits/all).

Comment 24 Fedora Update System 2014-02-08 05:00:09 UTC
libyaml-0.1.4-6.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2014-02-08 05:01:36 UTC
libyaml-0.1.4-6.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 30 Vincent Danen 2014-02-11 18:29:43 UTC
The upstream patch used previously caused some regressions in functionality.  These were reported individually:

* bug 1063866 Patch for CVE-2013-6393 introduces regression (Fedora)
* bug 1063867 Patch for CVE-2013-6393 introduces regression (EPEL6)

Which notes that upstream has addressed it slightly differently with the two following commits:


https://bitbucket.org/xi/libyaml/commits/f859ed1eb757a3562b98a28a8ce69274bfd4b3f2
https://bitbucket.org/xi/libyaml/commits/af3599437a87162554787c52d8b16eab553f537b

I don't believe this would require a new CVE for the regression, although it might if the regression results in libyaml still being vulnerable to this flaw (I'm not sure, can someone confirm?).

Comment 31 John Eckersberg 2014-02-11 19:30:20 UTC
(In reply to Vincent Danen from comment #30)
> The upstream patch used previously caused some regressions in functionality.
> These were reported individually:
> 
> * bug 1063866 Patch for CVE-2013-6393 introduces regression (Fedora)
> * bug 1063867 Patch for CVE-2013-6393 introduces regression (EPEL6)
> 
> Which notes that upstream has addressed it slightly differently with the two
> following commits:
> 
> 
> https://bitbucket.org/xi/libyaml/commits/f859ed1eb757a3562b98a28a8ce69274bfd4b3f2
> https://bitbucket.org/xi/libyaml/commits/af3599437a87162554787c52d8b16eab553f537b
> 
> I don't believe this would require a new CVE for the regression, although it
> might if the regression results in libyaml still being vulnerable to this
> flaw (I'm not sure, can someone confirm?).

The regressed version is not vulnerable to the flaw, it just fails to parse a subset of valid yaml documents that none of the tests caught.

Comment 32 Vincent Danen 2014-02-13 23:16:40 UTC
Perfect, thank you for that confirmation John.

Comment 33 Fedora Update System 2014-03-03 20:00:23 UTC
libyaml-0.1.2-6.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 34 Fedora Update System 2014-03-03 20:04:11 UTC
libyaml-0.1.5-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 40 Murray McAllister 2014-03-27 07:11:04 UTC
As per https://bugzilla.redhat.com/show_bug.cgi?id=1078083#c20 it looks like perl-YAML-LibYAML has an embedded copy of libyaml and may be affected. I will file tracking bugs.

Comment 41 Murray McAllister 2014-03-27 07:18:48 UTC
Created perl-YAML-LibYAML tracking bugs for this issue:

Affects: fedora-all [bug 1081385]
Affects: epel-6 [bug 1081386]

Comment 43 errata-xmlrpc 2014-04-02 19:51:19 UTC
This issue has been addressed in following products:

  Red Hat Software Collections for RHEL-6

Via RHSA-2014:0355 https://rhn.redhat.com/errata/RHSA-2014-0355.html

Comment 44 errata-xmlrpc 2014-04-02 19:52:17 UTC
This issue has been addressed in following products:

  OpenStack 4 for RHEL 6

Via RHSA-2014:0354 https://rhn.redhat.com/errata/RHSA-2014-0354.html

Comment 45 errata-xmlrpc 2014-04-02 19:53:22 UTC
This issue has been addressed in following products:

  OpenStack 3 for RHEL 6

Via RHSA-2014:0353 https://rhn.redhat.com/errata/RHSA-2014-0353.html

Comment 46 errata-xmlrpc 2014-04-03 20:23:33 UTC
This issue has been addressed in following products:

  OpenStack 3 for RHEL 6

Via RHSA-2014:0364 https://rhn.redhat.com/errata/RHSA-2014-0364.html

Comment 47 Fedora Update System 2014-04-07 03:24:07 UTC
perl-YAML-LibYAML-0.41-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 48 Fedora Update System 2014-04-07 03:25:33 UTC
perl-YAML-LibYAML-0.41-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 49 Fedora Update System 2014-04-11 20:49:23 UTC
perl-YAML-LibYAML-0.38-4.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 50 errata-xmlrpc 2014-04-17 12:04:06 UTC
This issue has been addressed in following products:

  Red Hat Common for RHEL 6

Via RHSA-2014:0415 https://rhn.redhat.com/errata/RHSA-2014-0415.html

Comment 51 Kurt Seifried 2014-08-08 19:26:33 UTC
Red Hat Update Infrastructure 2.1.3 is now in Production 2 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Update Infrastructure Life Cycle: https://access.redhat.com/support/policy/updates/rhui.