Bug 2291258 (CVE-2024-35329) - CVE-2024-35329 libyaml: vulnerable to a heap-based Buffer Overflow in yaml_document_add_sequence in api.c
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2024-35329
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium (priority), medium (severity)
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2291259 2291260 2291261 2291262
Blocks: 2291257
Reported: 2024-06-11 06:08 UTC by Rohit Keshri
Modified: 2024-07-03 16:20 UTC (History)
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in libyaml 0.2.5. This issue is caused by a heap-based buffer overflow in yaml_document_add_sequence in api.c.
Clone Of:
Environment:
Last Closed: 2024-07-02 13:04:23 UTC
Embargoed:


Attachments (Terms of Use)
plaintext of original google drive link (3.94 KB, text/x-csrc), 2024-06-11 20:26 UTC, John Eckersberg


Links
System: GitHub
ID: yaml/libyaml issue 298
Private: 0
Priority: None
Status: open
Summary: How is this CVE-2024-35329 affected?
Last Updated: 2024-06-12 08:05:42 UTC

Description Rohit Keshri 2024-06-11 06:08:12 UTC
libyaml 0.2.5 is vulnerable to a heap-based Buffer Overflow in yaml_document_add_sequence in api.c.

https://drive.google.com/file/d/1xgQ9hJ7Sn5RVEsdMGvIy0s3b_bg3Wyk-/view?usp=sharing
https://github.com/yaml/libyaml/releases/tag/0.2.5

Comment 1 Rohit Keshri 2024-06-11 06:17:01 UTC
Created R-yaml tracking bugs for this issue:

Affects: fedora-all [bug 2291262]


Created ghc-yaml tracking bugs for this issue:

Affects: epel-all [bug 2291259]


Created libyaml tracking bugs for this issue:

Affects: fedora-all [bug 2291260]


Created python-ruamel-yaml-clib tracking bugs for this issue:

Affects: fedora-all [bug 2291261]

Comment 3 John Eckersberg 2024-06-11 20:24:45 UTC
At a cursory glance, I can't reproduce this from the details provided in the google docs link (but I very well may just be doing something wrong).

At both the target commit (abd744ec2fb3b8e38e01796a1485c1f25f8fb5f6) as well as latest master (840b65c40675e2d06bf40405ad3f12dec7f35923), I get the following using clang + AddressSanitizer (-fsanitize=address) on the provided poc:

$ ./poc
heap-buffer-overflow on libyaml/src/api.c:1274:10

=================================================================
==1224012==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4c51b3 in malloc (/var/home/jeckersb/git/libyaml/poc+0x4c51b3) (BuildId: 4d69796992c63a70c474074120c554c03bd5306c)
    #1 0x7f62f8c1dd89 in yaml_document_add_sequence (/lib64/libyaml-0.so.2+0x5d89) (BuildId: 2956ac970fbb4ed9405355a7596626b4899ce7c7)
    #2 0x50390e in poc (/var/home/jeckersb/git/libyaml/poc+0x50390e) (BuildId: 4d69796992c63a70c474074120c554c03bd5306c)
    #3 0x5039eb in main (/var/home/jeckersb/git/libyaml/poc+0x5039eb) (BuildId: 4d69796992c63a70c474074120c554c03bd5306c)
    #4 0x7f62f8933087 in __libc_start_call_main (/lib64/libc.so.6+0x2a087) (BuildId: 4a92fcedbba6d6d2629ce066a2970017faa9995e)
    #5 0x7f62f893314a in __libc_start_main.5 (/lib64/libc.so.6+0x2a14a) (BuildId: 4a92fcedbba6d6d2629ce066a2970017faa9995e)
    #6 0x42a364 in _start (/var/home/jeckersb/git/libyaml/poc+0x42a364) (BuildId: 4d69796992c63a70c474074120c554c03bd5306c)

Direct leak of 22 byte(s) in 1 object(s) allocated from:
    #0 0x4acebe in strdup (/var/home/jeckersb/git/libyaml/poc+0x4acebe) (BuildId: 4d69796992c63a70c474074120c554c03bd5306c)
    #1 0x7f62f8c1dd77 in yaml_document_add_sequence (/lib64/libyaml-0.so.2+0x5d77) (BuildId: 2956ac970fbb4ed9405355a7596626b4899ce7c7)
    #2 0x50390e in poc (/var/home/jeckersb/git/libyaml/poc+0x50390e) (BuildId: 4d69796992c63a70c474074120c554c03bd5306c)
    #3 0x5039eb in main (/var/home/jeckersb/git/libyaml/poc+0x5039eb) (BuildId: 4d69796992c63a70c474074120c554c03bd5306c)
    #4 0x7f62f8933087 in __libc_start_call_main (/lib64/libc.so.6+0x2a087) (BuildId: 4a92fcedbba6d6d2629ce066a2970017faa9995e)
    #5 0x7f62f893314a in __libc_start_main.5 (/lib64/libc.so.6+0x2a14a) (BuildId: 4a92fcedbba6d6d2629ce066a2970017faa9995e)
    #6 0x42a364 in _start (/var/home/jeckersb/git/libyaml/poc+0x42a364) (BuildId: 4d69796992c63a70c474074120c554c03bd5306c)

Direct leak of 1 byte(s) in 1 object(s) allocated from:
    #0 0x4c51b3 in malloc (/var/home/jeckersb/git/libyaml/poc+0x4c51b3) (BuildId: 4d69796992c63a70c474074120c554c03bd5306c)
    #1 0x7f62f8c1ac0a in yaml_stack_extend (/lib64/libyaml-0.so.2+0x2c0a) (BuildId: 2956ac970fbb4ed9405355a7596626b4899ce7c7)
    #2 0x7f62f8c1de81 in yaml_document_add_sequence (/lib64/libyaml-0.so.2+0x5e81) (BuildId: 2956ac970fbb4ed9405355a7596626b4899ce7c7)
    #3 0x50390e in poc (/var/home/jeckersb/git/libyaml/poc+0x50390e) (BuildId: 4d69796992c63a70c474074120c554c03bd5306c)
    #4 0x5039eb in main (/var/home/jeckersb/git/libyaml/poc+0x5039eb) (BuildId: 4d69796992c63a70c474074120c554c03bd5306c)
    #5 0x7f62f8933087 in __libc_start_call_main (/lib64/libc.so.6+0x2a087) (BuildId: 4a92fcedbba6d6d2629ce066a2970017faa9995e)
    #6 0x7f62f893314a in __libc_start_main.5 (/lib64/libc.so.6+0x2a14a) (BuildId: 4a92fcedbba6d6d2629ce066a2970017faa9995e)
    #7 0x42a364 in _start (/var/home/jeckersb/git/libyaml/poc+0x42a364) (BuildId: 4d69796992c63a70c474074120c554c03bd5306c)

SUMMARY: AddressSanitizer: 87 byte(s) leaked in 3 allocation(s).

Comment 4 John Eckersberg 2024-06-11 20:26:10 UTC
Created attachment 2037018 [details]
plaintext of original google drive link

Comment 5 Lumír Balhar 2024-06-12 08:05:43 UTC
The reproducer says that the code is vulnerable at abd744ec2fb3b8e38e01796a1485c1f25f8fb5f6 and the problem is in libyaml/src/api.c:1274:10, and the two commits newer than abd744 are for parser.c, not api.c, so I think the code in the master branch is still vulnerable. Also, there is this issue for the CVE: https://github.com/yaml/libyaml/issues/298

Comment 6 Lumír Balhar 2024-06-12 12:04:42 UTC
According to upstream, the reproducer is broken code that uses the API in a wrong way, so they request that the CVE be rejected.

Comment 7 Guilherme de Almeida Suckevicz 2024-07-02 13:04:23 UTC
This CVE is disputed now, see this link [1].

[1] https://www.cve.org/CVERecord?id=CVE-2024-35329
