Red Hat Bugzilla – Full Text Bug Listing
|Summary:||CVE-2014-2525 libyaml: heap-based buffer overflow when parsing URLs|
|Product:||[Other] Security Response||Reporter:||Murray McAllister <mmcallis>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||NEW ---||QA Contact:|
|Version:||unspecified||CC:||abaron, apevec, athomas, ayoung, bdunne, bgollahe, bhu, bkearney, bleanhar, ccoleman, chrisw, cpelland, cperry, dajohnso, dmcphers, drieden, esammons, gkotton, gmollett, iboverma, jeckersb, jfrey, jialiu, jkurik, jmatthew, jplesnik, jrafanie, jross, katello-bugs, kseifried, lars, lhh, lmeyer, markmc, matt, mcressma, mmaslano, mmccune, mmcgrath, mrg-program-list, obarenbo, paul, perl-devel, rbryant, rhos-maint, sclewis, security-response-team, srevivo, tdawson, tremble, tsanders, williams, xlecauch|
|Fixed In Version:||libyaml 0.1.6||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||1079283, 1079299, 1079306, 1079307, 1079308, 1079404, 1081281, 1081382, 1081383, 1081856, 1083710, 1083711, 1159403, 1159404, 1160976, 1161460, 1165358|
Description Murray McAllister 2014-03-19 03:00:22 EDT
A heap-based buffer overflow flaw was found in the way libyaml parsed URLs. A remote attacker could provide a specially-crafted YAML document that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. Acknowledgements: Red Hat would like to thank oCERT for reporting this issue. oCERT acknowledges Ivan Fratric of the Google Security Team as the original reporter.
Comment 2 Murray McAllister 2014-03-19 03:09:31 EDT
Created attachment 876237 [details] patch from upstream
Comment 4 Tomas Hoger 2014-03-20 05:55:16 EDT
libyaml is shipped as part of Red Hat Software Collections 1 via ruby193-libyaml package. This package is used by ruby193-ruby. Impact for this use case is limited, as ruby YAML module is unsafe for use on untrusted yaml input: http://ruby-doc.org/stdlib-1.9.3/libdoc/yaml/rdoc/YAML.html#module-YAML-label-Security Alternative SafeYAML modules which provide safe ways to load yaml input files in ruby is not provided as part of Red Hat Software Collections 1. https://github.com/dtao/safe_yaml
Comment 18 Murray McAllister 2014-03-26 20:33:16 EDT
This issue is public now: http://www.ocert.org/advisories/ocert-2014-003.html
Comment 19 Murray McAllister 2014-03-26 20:36:11 EDT
Created libyaml tracking bugs for this issue: Affects: fedora-all [bug 1081281]
Comment 20 Murray McAllister 2014-03-27 03:01:08 EDT
Debian released http://www.debian.org/security/2014/dsa-2885 to fix this issue in their libyaml-libyaml-perl package. perl-YAML-LibYAML for Fedora and EPEL look to embed libyaml too, and it seems to get built (http://kojipkgs.fedoraproject.org//packages/perl-YAML-LibYAML/0.41/3.fc20/data/logs/x86_64/build.log), but I have not checked if it actually uses the embedded copy or not. I am going to file tracking bugs regardless.
Comment 21 Murray McAllister 2014-03-27 03:09:35 EDT
Created perl-YAML-LibYAML tracking bugs for this issue: Affects: fedora-all [bug 1081382] Affects: epel-6 [bug 1081383]
Comment 22 John Eckersberg 2014-03-27 10:39:42 EDT
Can you please create a tracking bug for epel-all as well?
Comment 23 Murray McAllister 2014-03-28 01:45:36 EDT
Created libyaml tracking bugs for this issue: Affects: epel-all [bug 1081856]
Comment 24 Murray McAllister 2014-03-28 01:46:03 EDT
(In reply to John Eckersberg from comment #22) > Can you please create a tracking bug for epel-all as well? Done. Sorry about that!
Comment 27 errata-xmlrpc 2014-04-02 15:51:28 EDT
This issue has been addressed in following products: Red Hat Software Collections for RHEL-6 Via RHSA-2014:0355 https://rhn.redhat.com/errata/RHSA-2014-0355.html
Comment 28 errata-xmlrpc 2014-04-02 15:52:25 EDT
This issue has been addressed in following products: OpenStack 4 for RHEL 6 Via RHSA-2014:0354 https://rhn.redhat.com/errata/RHSA-2014-0354.html
Comment 29 errata-xmlrpc 2014-04-02 15:53:32 EDT
This issue has been addressed in following products: OpenStack 3 for RHEL 6 Via RHSA-2014:0353 https://rhn.redhat.com/errata/RHSA-2014-0353.html
Comment 30 errata-xmlrpc 2014-04-03 16:23:44 EDT
This issue has been addressed in following products: OpenStack 3 for RHEL 6 Via RHSA-2014:0364 https://rhn.redhat.com/errata/RHSA-2014-0364.html
Comment 31 Fedora Update System 2014-04-05 00:52:02 EDT
libyaml-0.1.6-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Comment 32 Fedora Update System 2014-04-05 00:56:58 EDT
libyaml-0.1.6-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Comment 33 Fedora Update System 2014-04-06 23:23:58 EDT
perl-YAML-LibYAML-0.41-4.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Comment 34 Fedora Update System 2014-04-06 23:25:24 EDT
perl-YAML-LibYAML-0.41-4.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Comment 35 Fedora Update System 2014-04-11 16:49:10 EDT
perl-YAML-LibYAML-0.38-4.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 36 Fedora Update System 2014-04-15 19:29:03 EDT
libyaml-0.1.6-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 37 Fedora Update System 2014-04-15 19:31:18 EDT
libyaml-0.1.2-7.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.