Bug 1033990 (CVE-2013-6393) - CVE-2013-6393 libyaml: heap-based buffer overflow when parsing YAML tags
Summary: CVE-2013-6393 libyaml: heap-based buffer overflow when parsing YAML tags
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-6393
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1059008 1059009 1059010 1059113 1059115 1059116 1059117 1059347 1079283 1079299 1079306 1079307 1079308 1081385 1081386 1083710 1083711
Blocks: 1033661 1033991 1051378
TreeView+ depends on / blocked
 
Reported: 2013-11-25 01:11 UTC by Murray McAllister
Modified: 2023-05-12 01:37 UTC (History)
67 users (show)

Fixed In Version: libyaml 0.1.5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-11-06 09:43:46 UTC
Embargoed:


Attachments (Terms of Use)
String overflow patch (729 bytes, patch)
2014-01-09 23:04 UTC, Garth Mollett
no flags Details | Diff
libyaml-node-id-hardening.patch (728 bytes, patch)
2014-01-09 23:13 UTC, Garth Mollett
no flags Details | Diff
libyaml-indent-column-overflow-v2.patch (3.50 KB, patch)
2014-01-28 01:07 UTC, John Eckersberg
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0353 0 normal SHIPPED_LIVE Important: libyaml security update 2014-04-02 23:50:54 UTC
Red Hat Product Errata RHSA-2014:0354 0 normal SHIPPED_LIVE Important: libyaml security update 2014-04-02 23:50:48 UTC
Red Hat Product Errata RHSA-2014:0355 0 normal SHIPPED_LIVE Important: ruby193-libyaml security update 2014-04-02 23:50:41 UTC
Red Hat Product Errata RHSA-2014:0364 0 normal SHIPPED_LIVE Important: ruby193-libyaml security update 2014-04-04 00:18:42 UTC
Red Hat Product Errata RHSA-2014:0415 0 normal SHIPPED_LIVE Important: libyaml security update 2014-04-17 16:01:57 UTC

Description Murray McAllister 2013-11-25 01:11:44 UTC
A heap-based buffer overflow flaw was found in the way libyaml parsed YAML tags. A remote attacker could provide a specially-crafted YAML document that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

Acknowledgements:

This issue was discovered by Florian Weimer of the Red Hat Product Security Team.

Comment 9 Garth Mollett 2014-01-09 23:04:20 UTC
Created attachment 847926 [details]
String overflow patch

This is a proposed patch from Florian Weimer <fweimer> for the string
overflow issue. It has been ack'd by upstream.

Comment 10 Garth Mollett 2014-01-09 23:13:18 UTC
Created attachment 847934 [details]
libyaml-node-id-hardening.patch

This is a hardening patch also from Florian Weimer <fweimer>.
It is not required to fix this CVE however it improves the robustness of the code
against future issues by avoiding large node ID's in a central place.

Comment 15 John Eckersberg 2014-01-28 01:07:33 UTC
Created attachment 856317 [details]
libyaml-indent-column-overflow-v2.patch

This expands upon the original indent column overflow patch from comment #12.

The default parser indention is represented as an indention of -1.  The original patch only modified the type of the column parameter to the roll/unroll functions, changing it from int to size_t to guard against integer overflow.  However, there are code paths that call yaml_parser_unroll_indent with a column of -1 in order to reset the parser back to the initial indention.  Since the column is now of type size_t and thus unsigned, passing a column value of -1 caused the column to underflow in this case.

This new patch modifies the roll/unroll functions to handle the -1 indent as a special case.  In addition, it adds a new function, yaml_parser_reset_indent.  It is nearly an exact copy of yaml_parser_unroll_indent, except it does not take a column parameter.  Instead it unrolls to a literal -1 indention, which does not suffer from the underflow.

Code paths that previously called yaml_parser_unroll_indent with a column of -1 are updated to call the new yaml_parser_reset_indent function instead.

With this patch instead of the original:

- `make check` still passes

- The reproducer script completes successfully with exit code 0

- The issue raised by John Haxby has been corrected and exits with SUCCESS

Comment 17 Murray McAllister 2014-01-29 00:45:16 UTC
Created libyaml tracking bugs for this issue:

Affects: fedora-all [bug 1059009]
Affects: epel-all [bug 1059010]

Comment 20 Garth Mollett 2014-01-29 08:57:16 UTC
Statement:

The Red Hat security response team has rated this issue as having low security impact in Red Hat Enterpise MRG 1 and 2, CloudForms 3, and Red Hat Network Satellite 5. This issue is not currently planned to be addressed in future updates.

The Red Hat security response team has rated this issue as having low security impact in Red Hat Update Infrastructure. A future update may address this issue. 

The Red Hat security response team has rated this issue as having moderate security impact in Subscription Asset Manager 1. A future update may address this issue.

For additional information, refer to the Issue Severity Classification:
https://access.redhat.com/security/updates/classification/

Comment 21 postmodern 2014-02-04 07:03:21 UTC
libyaml 0.1.5 has now been released (https://bitbucket.org/xi/libyaml/get/0.1.5.tar.gz) which now includes the patches (https://bitbucket.org/xi/libyaml/commits/all).

Comment 24 Fedora Update System 2014-02-08 05:00:09 UTC
libyaml-0.1.4-6.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2014-02-08 05:01:36 UTC
libyaml-0.1.4-6.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 30 Vincent Danen 2014-02-11 18:29:43 UTC
The upstream patch used previously caused some regressions in functionality.  These were reported individually:

* bug 1063866 Patch for CVE-2013-6393 introduces regression (Fedora)
* bug 1063867 Patch for CVE-2013-6393 introduces regression (EPEL6)

Which notes that upstream has addressed it slightly differently with the two following commits:


https://bitbucket.org/xi/libyaml/commits/f859ed1eb757a3562b98a28a8ce69274bfd4b3f2
https://bitbucket.org/xi/libyaml/commits/af3599437a87162554787c52d8b16eab553f537b

I don't believe this would require a new CVE for the regression, although it might if the regression results in libyaml still being vulnerable to this flaw (I'm not sure, can someone confirm?).

Comment 31 John Eckersberg 2014-02-11 19:30:20 UTC
(In reply to Vincent Danen from comment #30)
> The upstream patch used previously caused some regressions in functionality.
> These were reported individually:
> 
> * bug 1063866 Patch for CVE-2013-6393 introduces regression (Fedora)
> * bug 1063867 Patch for CVE-2013-6393 introduces regression (EPEL6)
> 
> Which notes that upstream has addressed it slightly differently with the two
> following commits:
> 
> 
> https://bitbucket.org/xi/libyaml/commits/
> f859ed1eb757a3562b98a28a8ce69274bfd4b3f2
> https://bitbucket.org/xi/libyaml/commits/
> af3599437a87162554787c52d8b16eab553f537b
> 
> I don't believe this would require a new CVE for the regression, although it
> might if the regression results in libyaml still being vulnerable to this
> flaw (I'm not sure, can someone confirm?).

The regressed version is not vulnerable to the flaw, it just fails to parse a subset of valid yaml documents that none of the tests caught.

Comment 32 Vincent Danen 2014-02-13 23:16:40 UTC
Perfect, thank you for that confirmation John.

Comment 33 Fedora Update System 2014-03-03 20:00:23 UTC
libyaml-0.1.2-6.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 34 Fedora Update System 2014-03-03 20:04:11 UTC
libyaml-0.1.5-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 40 Murray McAllister 2014-03-27 07:11:04 UTC
as per https://bugzilla.redhat.com/show_bug.cgi?id=1078083#c20 it looks like perl-YAML-LibYAML has an embedded copy of libyaml and may be affected. I will file tracking bugs.

Comment 41 Murray McAllister 2014-03-27 07:18:48 UTC
Created perl-YAML-LibYAML tracking bugs for this issue:

Affects: fedora-all [bug 1081385]
Affects: epel-6 [bug 1081386]

Comment 43 errata-xmlrpc 2014-04-02 19:51:19 UTC
This issue has been addressed in following products:

  Red Hat Software Collections for RHEL-6

Via RHSA-2014:0355 https://rhn.redhat.com/errata/RHSA-2014-0355.html

Comment 44 errata-xmlrpc 2014-04-02 19:52:17 UTC
This issue has been addressed in following products:

  OpenStack 4 for RHEL 6

Via RHSA-2014:0354 https://rhn.redhat.com/errata/RHSA-2014-0354.html

Comment 45 errata-xmlrpc 2014-04-02 19:53:22 UTC
This issue has been addressed in following products:

  OpenStack 3 for RHEL 6

Via RHSA-2014:0353 https://rhn.redhat.com/errata/RHSA-2014-0353.html

Comment 46 errata-xmlrpc 2014-04-03 20:23:33 UTC
This issue has been addressed in following products:

  OpenStack 3 for RHEL 6

Via RHSA-2014:0364 https://rhn.redhat.com/errata/RHSA-2014-0364.html

Comment 47 Fedora Update System 2014-04-07 03:24:07 UTC
perl-YAML-LibYAML-0.41-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 48 Fedora Update System 2014-04-07 03:25:33 UTC
perl-YAML-LibYAML-0.41-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 49 Fedora Update System 2014-04-11 20:49:23 UTC
perl-YAML-LibYAML-0.38-4.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 50 errata-xmlrpc 2014-04-17 12:04:06 UTC
This issue has been addressed in following products:

  Red Hat Common for RHEL 6

Via RHSA-2014:0415 https://rhn.redhat.com/errata/RHSA-2014-0415.html

Comment 51 Kurt Seifried 2014-08-08 19:26:33 UTC
Red Hat Update Infrastructure 2.1.3 is now in Production 2 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Update Infrastructure Life Cycle: https://access.redhat.com/support/policy/updates/rhui.


Note You need to log in before you can comment on or make changes to this bug.