Bug 2272889 (CVE-2024-3205)

Summary: CVE-2024-3205 libyaml: Heap-Based Buffer Overflow
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: CLOSED NOTABUG QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: aarif, agarcial, ahrabovs, aoconnor, aprice, asegurap, aucunnin, bdettelb, caswilli, crizzo, cstratak, dfreiber, dhalasz, dkuc, dnakabaa, doconnor, drow, fjansen, hkataria, jburrell, jdobes, jmitchel, jsamir, jsherril, jtanner, jvasik, kaycoth, kholdawa, kshier, lbalhar, lcouzens, luizcosta, mpierce, mskarbek, mstoklus, nweather, oezr, orabin, psegedy, rblanco, sidakwo, stcannon, sthirugn, teagle, vkrizan, vkumar, vmugicag, xiaoxwan, yguenane, zzhou
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
[REJECTED CVE] A vulnerability was found in yaml libyaml up to 0.2.5 and classified as critical. Affected by this issue is the function yaml_emitter_emit_flow_sequence_item of the file /src/libyaml/src/emitter.c. The manipulation leads to heap-based buffer overflow. The attack may be launched remotely.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2024-06-03 06:01:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2272890, 2272891, 2272892, 2272893    
Bug Blocks: 2272894    

Description Avinash Hanwate 2024-04-03 05:08:12 UTC 
A vulnerability was found in yaml libyaml up to 0.2.5 and classified as critical. Affected by this issue is the function yaml_emitter_emit_flow_sequence_item of the file /src/libyaml/src/emitter.c. The manipulation leads to heap-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259052. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

https://drive.google.com/drive/folders/1lwNEs8wqwkUV52f3uQNYMPrxRuXPtGQs?usp=sharing
https://vuldb.com/?ctiid.259052
https://vuldb.com/?id.259052
https://vuldb.com/?submit.304561
Comment 1 Avinash Hanwate 2024-04-03 05:09:53 UTC 
Created R-yaml tracking bugs for this issue:

Affects: fedora-all [bug 2272891]


Created ghc-yaml tracking bugs for this issue:

Affects: epel-all [bug 2272890]


Created libyaml tracking bugs for this issue:

Affects: fedora-all [bug 2272892]


Created python-ruamel-yaml-clib tracking bugs for this issue:

Affects: fedora-all [bug 2272893]
Comment 4 Lumír Balhar 2024-04-17 07:08:17 UTC 
It seems that it's not actually a vulnerability in libyaml but a bug or misuse of libyaml in the fuzzer. They will probably try to reject the CVE.

Analysis: https://github.com/yaml/libyaml/issues/258#issuecomment-2058613931
Issues for oss-fuzz: https://github.com/google/oss-fuzz/issues/11811 https://github.com/google/oss-fuzz/issues/11786
Comment 5 Charalampos Stratakis 2024-05-16 15:46:47 UTC 
Also upstream has rejected this CVE: https://github.com/yaml/libyaml/issues/258#issuecomment-2063497383

Avinash what's the next steps? Can we remove the trackers and the bugs?