Bug 1078083 - (CVE-2014-2525) CVE-2014-2525 libyaml: heap-based buffer overflow when parsing URLs
CVE-2014-2525 libyaml: heap-based buffer overflow when parsing URLs
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20140327,repo...
: Security
Depends On: 1160976 1161460 1079283 1079299 1079306 1079307 1079308 1079404 1081281 1081382 1081383 1081856 1083710 1083711 1159403 1159404 1165358
Blocks: 1078094
  Show dependency treegraph
 
Reported: 2014-03-19 03:00 EDT by Murray McAllister
Modified: 2016-04-18 05:35 EDT (History)
56 users (show)

See Also:
Fixed In Version: libyaml 0.1.6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
patch from upstream (2.90 KB, patch)
2014-03-19 03:09 EDT, Murray McAllister
no flags Details | Diff

  None (edit)
Description Murray McAllister 2014-03-19 03:00:22 EDT
A heap-based buffer overflow flaw was found in the way libyaml parsed URLs. A remote attacker could provide a specially-crafted YAML document that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

Acknowledgements:

Red Hat would like to thank oCERT for reporting this issue. oCERT acknowledges Ivan Fratric of the Google Security Team as the original reporter.
Comment 2 Murray McAllister 2014-03-19 03:09:31 EDT
Created attachment 876237 [details]
patch from upstream
Comment 4 Tomas Hoger 2014-03-20 05:55:16 EDT
libyaml is shipped as part of Red Hat Software Collections 1 via ruby193-libyaml package.  This package is used by ruby193-ruby.  Impact for this use case is limited, as ruby YAML module is unsafe for use on untrusted yaml input:

http://ruby-doc.org/stdlib-1.9.3/libdoc/yaml/rdoc/YAML.html#module-YAML-label-Security

Alternative SafeYAML modules which provide safe ways to load yaml input files in ruby is not provided as part of Red Hat Software Collections 1.

https://github.com/dtao/safe_yaml
Comment 18 Murray McAllister 2014-03-26 20:33:16 EDT
This issue is public now:

http://www.ocert.org/advisories/ocert-2014-003.html
Comment 19 Murray McAllister 2014-03-26 20:36:11 EDT
Created libyaml tracking bugs for this issue:

Affects: fedora-all [bug 1081281]
Comment 20 Murray McAllister 2014-03-27 03:01:08 EDT
Debian released http://www.debian.org/security/2014/dsa-2885 to fix this issue in their libyaml-libyaml-perl package. perl-YAML-LibYAML for Fedora and EPEL look to embed libyaml too, and it seems to get built (http://kojipkgs.fedoraproject.org//packages/perl-YAML-LibYAML/0.41/3.fc20/data/logs/x86_64/build.log), but I have not checked if it actually uses the embedded copy or not. I am going to file tracking bugs regardless.
Comment 21 Murray McAllister 2014-03-27 03:09:35 EDT
Created perl-YAML-LibYAML tracking bugs for this issue:

Affects: fedora-all [bug 1081382]
Affects: epel-6 [bug 1081383]
Comment 22 John Eckersberg 2014-03-27 10:39:42 EDT
Can you please create a tracking bug for epel-all as well?
Comment 23 Murray McAllister 2014-03-28 01:45:36 EDT
Created libyaml tracking bugs for this issue:

Affects: epel-all [bug 1081856]
Comment 24 Murray McAllister 2014-03-28 01:46:03 EDT
(In reply to John Eckersberg from comment #22)
> Can you please create a tracking bug for epel-all as well?

Done. Sorry about that!
Comment 27 errata-xmlrpc 2014-04-02 15:51:28 EDT
This issue has been addressed in following products:

  Red Hat Software Collections for RHEL-6

Via RHSA-2014:0355 https://rhn.redhat.com/errata/RHSA-2014-0355.html
Comment 28 errata-xmlrpc 2014-04-02 15:52:25 EDT
This issue has been addressed in following products:

  OpenStack 4 for RHEL 6

Via RHSA-2014:0354 https://rhn.redhat.com/errata/RHSA-2014-0354.html
Comment 29 errata-xmlrpc 2014-04-02 15:53:32 EDT
This issue has been addressed in following products:

  OpenStack 3 for RHEL 6

Via RHSA-2014:0353 https://rhn.redhat.com/errata/RHSA-2014-0353.html
Comment 30 errata-xmlrpc 2014-04-03 16:23:44 EDT
This issue has been addressed in following products:

  OpenStack 3 for RHEL 6

Via RHSA-2014:0364 https://rhn.redhat.com/errata/RHSA-2014-0364.html
Comment 31 Fedora Update System 2014-04-05 00:52:02 EDT
libyaml-0.1.6-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 32 Fedora Update System 2014-04-05 00:56:58 EDT
libyaml-0.1.6-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 33 Fedora Update System 2014-04-06 23:23:58 EDT
perl-YAML-LibYAML-0.41-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 34 Fedora Update System 2014-04-06 23:25:24 EDT
perl-YAML-LibYAML-0.41-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 35 Fedora Update System 2014-04-11 16:49:10 EDT
perl-YAML-LibYAML-0.38-4.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 36 Fedora Update System 2014-04-15 19:29:03 EDT
libyaml-0.1.6-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 37 Fedora Update System 2014-04-15 19:31:18 EDT
libyaml-0.1.2-7.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 38 errata-xmlrpc 2014-04-17 08:04:23 EDT
This issue has been addressed in following products:

  Red Hat Common for RHEL 6

Via RHSA-2014:0415 https://rhn.redhat.com/errata/RHSA-2014-0415.html

Note You need to log in before you can comment on or make changes to this bug.