Bug 1686723 (CVE-2018-20710) - CVE-2018-20710 yaml-cpp: remote dos via crafted YAML file in function SingleDocParser::HandleFlowSequence
Status: CLOSED DUPLICATE of bug 1668104
Alias: CVE-2018-20710
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Red Hat Product Security
Depends On: 1686725 1686726
Blocks: 1686724
Reported: 2019-03-08 06:56 UTC by Dhananjay Arunesh
Modified: 2021-02-16 22:17 UTC

Last Closed: 2019-03-08 19:22:02 UTC

Description Dhananjay Arunesh 2019-03-08 06:56:27 UTC
The SingleDocParser::HandleFlowSequence function in yaml-cpp (aka LibYaml-C++) 0.6.2 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted YAML file.

Reference:
https://github.com/jbeder/yaml-cpp/issues/660

Comment 1 Dhananjay Arunesh 2019-03-08 07:00:04 UTC
Created yaml-cpp tracking bugs for this issue:

Affects: epel-all [bug 1686725]

Comment 2 Dhananjay Arunesh 2019-03-08 07:00:35 UTC
Created yaml-cpp tracking bugs for this issue:

Affects: fedora-all [bug 1686726]

Comment 3 Scott Gayou 2019-03-08 17:27:17 UTC
Looks like a dupe, here's a crash with a symbolized backtrace:

```
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b4bb7a in _int_malloc () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff7b4bb7a in _int_malloc () from /lib64/libc.so.6
#1  0x00007ffff7b4db07 in malloc () from /lib64/libc.so.6
#2  0x00007ffff7ec3b9c in operator new (sz=48) at ../../../../libstdc++-v3/libsupc++/new_op.cc:50
#3  0x000000000043fd71 in __gnu_cxx::new_allocator<std::_Rb_tree_node<std::shared_ptr<YAML::detail::node> > >::allocate(unsigned long, void const*) ()
#4  0x000000000043fce1 in std::allocator_traits<std::allocator<std::_Rb_tree_node<std::shared_ptr<YAML::detail::node> > > >::allocate(std::allocator<std::_Rb_tree_node<std::shared_ptr<YAML::detail::node> > >&, unsigned long) ()
#5  0x000000000043fbe3 in std::_Rb_tree<std::shared_ptr<YAML::detail::node>, std::shared_ptr<YAML::detail::node>, std::_Identity<std::shared_ptr<YAML::detail::node> >, std::less<std::shared_ptr<YAML::detail::node> >, std::allocator<std::shared_ptr<YAML::detail::node> > >::_M_get_node() ()
#6  0x000000000043fa68 in std::_Rb_tree_node<std::shared_ptr<YAML::detail::node> >* std::_Rb_tree<std::shared_ptr<YAML::detail::node>, std::shared_ptr<YAML::detail::node>, std::_Identity<std::shared_ptr<YAML::detail::node> >, std::less<std::shared_ptr<YAML::detail::node> >, std::allocator<std::shared_ptr<YAML::detail::node> > >::_M_create_node<std::shared_ptr<YAML::detail::node> const&>(std::shared_ptr<YAML::detail::node> const&) ()
#7  0x000000000043f471 in std::_Rb_tree_node<std::shared_ptr<YAML::detail::node> >* std::_Rb_tree<std::shared_ptr<YAML::detail::node>, std::shared_ptr<YAML::detail::node>, std::_Identity<std::shared_ptr<YAML::detail::node> >, std::less<std::shared_ptr<YAML::detail::node> >, std::allocator<std::shared_ptr<YAML::detail::node> > >::_Alloc_node::operator()<std::shared_ptr<YAML::detail::node> const&>(std::shared_ptr<YAML::detail::node> const&) const ()
#8  0x000000000043ee89 in std::_Rb_tree_iterator<std::shared_ptr<YAML::detail::node> > std::_Rb_tree<std::shared_ptr<YAML::detail::node>, std::shared_ptr<YAML::detail::node>, std::_Identity<std::shared_ptr<YAML::detail::node> >, std::less<std::shared_ptr<YAML::detail::node> >, std::allocator<std::shared_ptr<YAML::detail::node> > >::_M_insert_<std::shared_ptr<YAML::detail::node> const&, std::_Rb_tree<std::shared_ptr<YAML::detail::node>, std::shared_ptr<YAML::detail::node>, std::_Identity<std::shared_ptr<YAML::detail::node> >, std::less<std::shared_ptr<YAML::detail::node> >, std::allocator<std::shared_ptr<YAML::detail::node> > >::_Alloc_node>(std::_Rb_tree_node_base*, std::_Rb_tree_node_base*, std::shared_ptr<YAML::detail::node> const&, std::_Rb_tree<std::shared_ptr<YAML::detail::node>, std::shared_ptr<YAML::detail::node>, std::_Identity<std::shared_ptr<YAML::detail::node> >, std::less<std::shared_ptr<YAML::detail::node> >, std::allocator<std::shared_ptr<YAML::detail::node> > >::_Alloc_node&) ()
#9  0x000000000043e980 in std::pair<std::_Rb_tree_iterator<std::shared_ptr<YAML::detail::node> >, bool> std::_Rb_tree<std::shared_ptr<YAML::detail::node>, std::shared_ptr<YAML::detail::node>, std::_Identity<std::shared_ptr<YAML::detail::node> >, std::less<std::shared_ptr<YAML::detail::node> >, std::allocator<std::shared_ptr<YAML::detail::node> > >::_M_insert_unique<std::shared_ptr<YAML::detail::node> const&>(std::shared_ptr<YAML::detail::node> const&) ()
#10 0x000000000043e733 in std::set<std::shared_ptr<YAML::detail::node>, std::less<std::shared_ptr<YAML::detail::node> >, std::allocator<std::shared_ptr<YAML::detail::node> > >::insert(std::shared_ptr<YAML::detail::node> const&) ()
#11 0x000000000043e2a8 in YAML::detail::memory::create_node() ()
#12 0x0000000000435cbe in YAML::detail::memory_holder::create_node() ()
#13 0x000000000043911a in YAML::NodeBuilder::Push(YAML::Mark const&, unsigned long) ()
#14 0x0000000000438fbb in YAML::NodeBuilder::OnSequenceStart(YAML::Mark const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long, YAML::EmitterStyle::value) ()
#15 0x000000000042b987 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) ()
#16 0x000000000042cd3e in YAML::SingleDocParser::HandleCompactMap(YAML::EventHandler&) ()
#17 0x000000000042c482 in YAML::SingleDocParser::HandleMap(YAML::EventHandler&) ()
#18 0x000000000042bb99 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) ()
#19 0x000000000042c1fd in YAML::SingleDocParser::HandleFlowSequence(YAML::EventHandler&) ()
#20 0x000000000042bd5e in YAML::SingleDocParser::HandleSequence(YAML::EventHandler&) ()
#21 0x000000000042b9a0 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) ()
#22 0x000000000042cd3e in YAML::SingleDocParser::HandleCompactMap(YAML::EventHandler&) ()
#23 0x000000000042c482 in YAML::SingleDocParser::HandleMap(YAML::EventHandler&) ()
#24 0x000000000042bb99 in YAML::SingleDocParser::HandleNode(YAML::EventHandler&) ()
```
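
The backtrace above shows the parser re-entering `HandleNode` through `HandleFlowSequence`, `HandleMap` and `HandleCompactMap` once per level of nesting, so the input decides how deep the stack grows. As an added illustration (not yaml-cpp code and not part of this bug report), a toy recursive-descent parser with a per-frame depth guard; `kMaxDepth`, `DepthGuard`, `FlowParser` and `WithinDepthLimit` are hypothetical names, and the grammar is a simplified stand-in for YAML flow sequences.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
#include <utility>

constexpr std::size_t kMaxDepth = 64;  // hypothetical; keep far below the stack's capacity

struct DepthGuard {  // RAII counter: one guard lives in every recursive frame
  explicit DepthGuard(std::size_t& d) : d_(d) {
    if (d_ >= kMaxDepth) throw std::length_error("nesting exceeds kMaxDepth");
    ++d_;
  }
  ~DepthGuard() { --d_; }
  std::size_t& d_;
};

// Toy grammar, not YAML: node := '[' [ node (',' node)* ] ']' | scalar
struct FlowParser {
  explicit FlowParser(std::string s) : in(std::move(s)) {}
  std::string in;
  std::size_t pos = 0, depth = 0;
  char Peek() const { return pos < in.size() ? in[pos] : '\0'; }
  void Skip() { while (Peek() == ' ') ++pos; }
  std::size_t Node() {  // returns the number of scalars under this node
    DepthGuard guard(depth);  // without this, nesting is bounded only by the stack
    Skip();
    if (Peek() != '[') {  // scalar: runs to the next ',' or ']'
      std::size_t start = pos;
      while (Peek() != '\0' && Peek() != ',' && Peek() != ']') ++pos;
      if (pos == start) throw std::invalid_argument("expected a node");
      return 1;
    }
    ++pos; Skip();  // consume '['
    std::size_t n = 0;
    if (Peek() == ']') { ++pos; return n; }
    for (;;) {
      n += Node(); Skip();  // recursion: one frame per nesting level
      if (Peek() == ']') { ++pos; return n; }
      if (Peek() != ',') throw std::invalid_argument("expected ',' or ']'");
      ++pos;
    }
  }
};

// False when the depth limit rejects `text`; malformed input throws std::invalid_argument.
bool WithinDepthLimit(const std::string& text) {
  try { FlowParser(text).Node(); return true; }
  catch (const std::length_error&) { return false; }
}
```

The guard turns oversized nesting into an exception the caller can handle; sibling collections do not accumulate depth because each guard decrements on scope exit.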

Comment 4 Scott Gayou 2019-03-08 19:22:02 UTC

*** This bug has been marked as a duplicate of bug 1668104 ***

Comment 5 Doran Moppert 2020-02-10 04:36:27 UTC
Statement:

This flaw was found to be a duplicate of CVE-2019-6285. Please see https://access.redhat.com/security/cve/CVE-2019-6285 for information about affected products and security errata.

