Bug 2291258 (CVE-2024-35329)

Summary: CVE-2024-35329 libyaml: vulnerable to a heap-based Buffer Overflow in yaml_document_add_sequence in api.c
Product: [Other] Security Response Reporter: Rohit Keshri <rkeshri>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agarcial, aoconnor, aprice, asegurap, bdettelb, caswilli, dfreiber, dhalasz, dkuc, drow, fjansen, gsuckevi, hkataria, jburrell, jeckersb, jmitchel, jsamir, jsherril, jtanner, kaycoth, kholdawa, kshier, lbalhar, luizcosta, mpierce, nweather, orabin, psegedy, stcannon, sthirugn, vkrizan, vkumar, vmugicag, xiaoxwan, yguenane, zzhou
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in libyaml 0.2.5. This issue is caused by a heap-based buffer overflow in yaml_document_add_sequence in api.c.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2024-07-02 13:04:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2291259, 2291260, 2291261, 2291262    
Bug Blocks: 2291257    
Attachments:
Description Flags
plaintext of original google drive link none

Description Rohit Keshri 2024-06-11 06:08:12 UTC 
libyaml 0.2.5 is vulnerable to a heap-based Buffer Overflow in yaml_document_add_sequence in api.c.

https://drive.google.com/file/d/1xgQ9hJ7Sn5RVEsdMGvIy0s3b_bg3Wyk-/view?usp=sharing
https://github.com/yaml/libyaml/releases/tag/0.2.5
Comment 1 Rohit Keshri 2024-06-11 06:17:01 UTC 
Created R-yaml tracking bugs for this issue:

Affects: fedora-all [bug 2291262]


Created ghc-yaml tracking bugs for this issue:

Affects: epel-all [bug 2291259]


Created libyaml tracking bugs for this issue:

Affects: fedora-all [bug 2291260]


Created python-ruamel-yaml-clib tracking bugs for this issue:

Affects: fedora-all [bug 2291261]
Comment 3 John Eckersberg 2024-06-11 20:24:45 UTC 
At a cursory glance, I can't reproduce this from the details provided in the google docs link (but I very well may just be doing something wrong).

At both the target commit (abd744ec2fb3b8e38e01796a1485c1f25f8fb5f6) as well as latest master (840b65c40675e2d06bf40405ad3f12dec7f35923), I get the following using clang + AddressSanitizer (-fsanitize=address) on the provided poc:

$ ./poc
heap-buffer-overflow on libyaml/src/api.c:1274:10

=================================================================
==1224012==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4c51b3 in malloc (/var/home/jeckersb/git/libyaml/poc+0x4c51b3) (BuildId: 4d69796992c63a70c474074120c554c03bd5306c)
    #1 0x7f62f8c1dd89 in yaml_document_add_sequence (/lib64/libyaml-0.so.2+0x5d89) (BuildId: 2956ac970fbb4ed9405355a7596626b4899ce7c7)
    #2 0x50390e in poc (/var/home/jeckersb/git/libyaml/poc+0x50390e) (BuildId: 4d69796992c63a70c474074120c554c03bd5306c)
    #3 0x5039eb in main (/var/home/jeckersb/git/libyaml/poc+0x5039eb) (BuildId: 4d69796992c63a70c474074120c554c03bd5306c)
    #4 0x7f62f8933087 in __libc_start_call_main (/lib64/libc.so.6+0x2a087) (BuildId: 4a92fcedbba6d6d2629ce066a2970017faa9995e)
    #5 0x7f62f893314a in __libc_start_main.5 (/lib64/libc.so.6+0x2a14a) (BuildId: 4a92fcedbba6d6d2629ce066a2970017faa9995e)
    #6 0x42a364 in _start (/var/home/jeckersb/git/libyaml/poc+0x42a364) (BuildId: 4d69796992c63a70c474074120c554c03bd5306c)

Direct leak of 22 byte(s) in 1 object(s) allocated from:
    #0 0x4acebe in strdup (/var/home/jeckersb/git/libyaml/poc+0x4acebe) (BuildId: 4d69796992c63a70c474074120c554c03bd5306c)
    #1 0x7f62f8c1dd77 in yaml_document_add_sequence (/lib64/libyaml-0.so.2+0x5d77) (BuildId: 2956ac970fbb4ed9405355a7596626b4899ce7c7)
    #2 0x50390e in poc (/var/home/jeckersb/git/libyaml/poc+0x50390e) (BuildId: 4d69796992c63a70c474074120c554c03bd5306c)
    #3 0x5039eb in main (/var/home/jeckersb/git/libyaml/poc+0x5039eb) (BuildId: 4d69796992c63a70c474074120c554c03bd5306c)
    #4 0x7f62f8933087 in __libc_start_call_main (/lib64/libc.so.6+0x2a087) (BuildId: 4a92fcedbba6d6d2629ce066a2970017faa9995e)
    #5 0x7f62f893314a in __libc_start_main.5 (/lib64/libc.so.6+0x2a14a) (BuildId: 4a92fcedbba6d6d2629ce066a2970017faa9995e)
    #6 0x42a364 in _start (/var/home/jeckersb/git/libyaml/poc+0x42a364) (BuildId: 4d69796992c63a70c474074120c554c03bd5306c)

Direct leak of 1 byte(s) in 1 object(s) allocated from:
    #0 0x4c51b3 in malloc (/var/home/jeckersb/git/libyaml/poc+0x4c51b3) (BuildId: 4d69796992c63a70c474074120c554c03bd5306c)
    #1 0x7f62f8c1ac0a in yaml_stack_extend (/lib64/libyaml-0.so.2+0x2c0a) (BuildId: 2956ac970fbb4ed9405355a7596626b4899ce7c7)
    #2 0x7f62f8c1de81 in yaml_document_add_sequence (/lib64/libyaml-0.so.2+0x5e81) (BuildId: 2956ac970fbb4ed9405355a7596626b4899ce7c7)
    #3 0x50390e in poc (/var/home/jeckersb/git/libyaml/poc+0x50390e) (BuildId: 4d69796992c63a70c474074120c554c03bd5306c)
    #4 0x5039eb in main (/var/home/jeckersb/git/libyaml/poc+0x5039eb) (BuildId: 4d69796992c63a70c474074120c554c03bd5306c)
    #5 0x7f62f8933087 in __libc_start_call_main (/lib64/libc.so.6+0x2a087) (BuildId: 4a92fcedbba6d6d2629ce066a2970017faa9995e)
    #6 0x7f62f893314a in __libc_start_main.5 (/lib64/libc.so.6+0x2a14a) (BuildId: 4a92fcedbba6d6d2629ce066a2970017faa9995e)
    #7 0x42a364 in _start (/var/home/jeckersb/git/libyaml/poc+0x42a364) (BuildId: 4d69796992c63a70c474074120c554c03bd5306c)

SUMMARY: AddressSanitizer: 87 byte(s) leaked in 3 allocation(s).
Comment 4 John Eckersberg 2024-06-11 20:26:10 UTC 
Created attachment 2037018 [details]
plaintext of original google drive link
Comment 5 Lumír Balhar 2024-06-12 08:05:43 UTC 
The reproducer says that the code is vulnerable at abd744ec2fb3b8e38e01796a1485c1f25f8fb5f6 and the problem is in libyaml/src/api.c:1274:10 and two commits newer than abd744 are for parser.c not api.c so I think the code in the master branch is still vulnerable. Also, there is this issue: https://github.com/yaml/libyaml/issues/298 for the CVE.
Comment 6 Lumír Balhar 2024-06-12 12:04:42 UTC 
According to upstream, the reproducer is broken code that uses API in a wrong way so they request the CVE to be rejected.
Comment 7 Guilherme de Almeida Suckevicz 2024-07-02 13:04:23 UTC 
This CVE is disputed now, see this link[1].

[1]. https://www.cve.org/CVERecord?id=CVE-2024-35329