Bug 1686723 (CVE-2018-20710)

Summary: CVE-2018-20710 yaml-cpp: remote dos via crafted YAML file in function SingleDocParser::HandleFlowSequence
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: anthomas, apevec, bbuckingham, bcourt, bkearney, dbecker, eglynn, ehelms, ggainey, guido.grazioli, hhorak, hobbes1069, jjoyce, jorton, jschluet, juwatts, kbasil, lhh, lpeer, lsvaty, mburns, mgarciac, mhulan, mmccune, mrike, nmoumoul, ohadlevy, osousa, pcreech, pgrist, rchan, rhos-maint, rjerrido, sclewis, sgayou, slinaber, smallamp, thofmann, tjay
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-03-08 19:22:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1686725, 1686726    
Bug Blocks: 1686724    

Description Dhananjay Arunesh 2019-03-08 06:56:27 UTC 
The SingleDocParser::HandleFlowSequence function in yaml-cpp (aka LibYaml-C++) 0.6.2 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted YAML file.

Reference:
https://github.com/jbeder/yaml-cpp/issues/660
Comment 1 Dhananjay Arunesh 2019-03-08 07:00:04 UTC 
Created yaml-cpp tracking bugs for this issue:

Affects: epel-all [bug 1686725]
Comment 2 Dhananjay Arunesh 2019-03-08 07:00:35 UTC 
Created yaml-cpp tracking bugs for this issue:

Affects: fedora-all [bug 1686726]
Comment 3 Scott Gayou 2019-03-08 17:27:17 UTC 
Looks like a dupe, here's a crash with a symbolized backtrace:

```
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b4bb7a in _int_malloc () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff7b4bb7a in _int_malloc () from /lib64/libc.so.6
#1  0x00007ffff7b4db07 in malloc () from /lib64/libc.so.6
#2  0x00007ffff7ec3b9c in operator new (sz=48) at ../../../../libstdc++-v3/libsupc++/new_op.cc:50
#3  0x000000000043fd71 in __gnu_cxx::new_allocator<std::_Rb_tree_node<std::shared_ptr<YAML::detail::node> > >::allocate(unsigned long, void const*) ()
#4  0x000000000043fce1 in std::allocator_traits<std::allocator<std::_Rb_tree_node<std::shared_ptr<YAML::detail::node> > > >::allocate(std::allocator<std::_Rb_tree_node<std::shared_ptr<YAML::detail::node> > >&, unsigned long) ()
#5  0x000000000043fbe3 in std::_Rb_tree<std::shared_ptr<YAML::detail::node>, std::shared_ptr<YAML::detail::node>, std::_Identity<std::shared_ptr<YAML::detail::node> >, std::less<std::shared_ptr<YAML::detail::node> >, std::allocator<std::shared_ptr<YAML::detail::node> > >::_M_get_node() ()
#6  0x000000000043fa68 in std::_Rb_tree_node<std::shared_ptr<YAML::detail::node> >* std::_Rb_tree<std::shared_ptr<YAML::detail::node>, std::shared_ptr<YAML::detail::node>, std::_Identity<std::shared_ptr<YAML::detail::node> >, std::less<std::shared_ptr<YAML::detail::node> >, std::allocator<std::shared_ptr<YAML::detail::node> > >::_M_create_node<std::shared_ptr<YAML::detail::node> const&>(std::shared_ptr<YAML::detail::node> const&) ()
#7  0x000000000043f471 in std::_Rb_tree_node<std::shared_ptr<YAML::detail::node> >* std::_Rb_tree<std::shared_ptr<YAML::detail::node>, std::shared_ptr<YAML::detail::node>, std::_Identity<std::shared_ptr<YAML::detail::node> >, std::less<std::shared_ptr<YAML::detail::node> >, std::allocator<std::shared_ptr<YAML::detail::node> > >::_Alloc_node::operator()<std::shared_ptr<YAML::detail::node> const&>(std::shared_ptr<YAML::detail::node> const&) const ()
#8  0x000000000043ee89 in std::_Rb_tree_iterator<std::shared_ptr<YAML::detail::node> > std::_Rb_tree<std::shared_ptr<YAML::detail::node>, std::shared_ptr<YAML::detail::node>, std::_Identity<std::shared_ptr<YAML::detail::node> >, std::less<std::shared_ptr<YAML::detail::node> >, std::allocator<std::shared_ptr<YAML::detail::node> > >::_M_insert_<std::shared_ptr<YAML::detail::node> const&, std::_Rb_tree<std::shared_ptr<YAML::detail::node>, std::shared_ptr<YAML::detail::node>, std::_Identity<std::shared_ptr<YAML::detail::node> >, std::less<std::shared_ptr<YAML::detail::node> >, std::allocator<std::shared_ptr<YAML::detail::node> > >::_Alloc_node>(std::_Rb_tree_node_base*, std::_Rb_tree_node_base*, std::shared_ptr<YAML::detail::node> const&, std::_Rb_tree<std::shared_ptr<YAML::detail::node>, std::shared_ptr<YAML::detail::node>, std::_Identity<std::shared_ptr<YAML::detail::node> >, std::less<std::shared_ptr<YAML::detail::node> >, std::allocator<std::shared_ptr<YAML::detail::node> > >::_Alloc_node&) ()
#9  0x000000000043e980 in std::pair<std::_Rb_tree_iterator<std::shared_ptr<YAML::detail::node> >, bool> std::_Rb_tree<std::shared_ptr<YAML::detail::node>, std::shared_ptr<YAML::detail::node>, std::_Identity<std::shared_ptr<YAML::detail::node> >, std::less<std::shared_ptr<YAML::detail::node> >, std::allocator<std::shared_ptr<YAML::detail::node> > >::_M_insert_unique<std::shared_ptr<YAML::detail::node> const&>(std::shared_ptr<YAML::detail::node> const&) ()
#10 0x000000000043e733 in std::set<std::shared_ptr<YAML::detail::node>, std::less<std::shared_ptr<YAML::detail::node> >, std::allocator<std::shared_ptr<YAML::detail::node> > >::insert(std::shared_ptr<YAML::detail::node> const&) ()
#11 0x000000000043e2a8 in YAML::detail::memory::create_node() ()
#12 0x0000000000435cbe in YAML::detail::memory_holder::create_node() ()
#13 0x000000000043911a in YAML::NodeBuilder::Push(YAML::Mark const&, unsigned long) ()
#14 0x0000000000438fbb in YAML::NodeBuilder::OnSequenceStart(YAML::Mark const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long, YAML::EmitterStyle::value) ()
#15 0x000000000042b987 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) ()
#16 0x000000000042cd3e in YAML::SingleDocParser::HandleCompactMap(YAML::EventHandler&) ()
#17 0x000000000042c482 in YAML::SingleDocParser::HandleMap(YAML::EventHandler&) ()
#18 0x000000000042bb99 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) ()
#19 0x000000000042c1fd in YAML::SingleDocParser::HandleFlowSequence(YAML::EventHandler&) ()
#20 0x000000000042bd5e in YAML::SingleDocParser::HandleSequence(YAML::EventHandler&) ()
#21 0x000000000042b9a0 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) ()
#22 0x000000000042cd3e in YAML::SingleDocParser::HandleCompactMap(YAML::EventHandler&) ()
#23 0x000000000042c482 in YAML::SingleDocParser::HandleMap(YAML::EventHandler&) ()
#24 0x000000000042bb99 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) ()
```
Comment 4 Scott Gayou 2019-03-08 19:22:02 UTC 

*** This bug has been marked as a duplicate of bug 1668104 ***
Comment 5 Doran Moppert 2020-02-10 04:36:27 UTC 
Statement:

This flaw was found to be a duplicate of CVE-2019-6285. Please see https://access.redhat.com/security/cve/CVE-2019-6285 for information about affected products and security errata.