A heap-based buffer overflow flaw was found in the way libyaml parsed URLs. A remote attacker could provide a specially-crafted YAML document that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. Acknowledgements: Red Hat would like to thank oCERT for reporting this issue. oCERT acknowledges Ivan Fratric of the Google Security Team as the original reporter.
Created attachment 876237 [details] patch from upstream
libyaml is shipped as part of Red Hat Software Collections 1 via ruby193-libyaml package. This package is used by ruby193-ruby. Impact for this use case is limited, as ruby YAML module is unsafe for use on untrusted yaml input: http://ruby-doc.org/stdlib-1.9.3/libdoc/yaml/rdoc/YAML.html#module-YAML-label-Security Alternative SafeYAML modules which provide safe ways to load yaml input files in ruby is not provided as part of Red Hat Software Collections 1. https://github.com/dtao/safe_yaml
This issue is public now: http://www.ocert.org/advisories/ocert-2014-003.html
Created libyaml tracking bugs for this issue: Affects: fedora-all [bug 1081281]
Debian released http://www.debian.org/security/2014/dsa-2885 to fix this issue in their libyaml-libyaml-perl package. perl-YAML-LibYAML for Fedora and EPEL look to embed libyaml too, and it seems to get built (http://kojipkgs.fedoraproject.org//packages/perl-YAML-LibYAML/0.41/3.fc20/data/logs/x86_64/build.log), but I have not checked if it actually uses the embedded copy or not. I am going to file tracking bugs regardless.
Created perl-YAML-LibYAML tracking bugs for this issue: Affects: fedora-all [bug 1081382] Affects: epel-6 [bug 1081383]
Can you please create a tracking bug for epel-all as well?
Created libyaml tracking bugs for this issue: Affects: epel-all [bug 1081856]
(In reply to John Eckersberg from comment #22) > Can you please create a tracking bug for epel-all as well? Done. Sorry about that!
This issue has been addressed in following products: Red Hat Software Collections for RHEL-6 Via RHSA-2014:0355 https://rhn.redhat.com/errata/RHSA-2014-0355.html
This issue has been addressed in following products: OpenStack 4 for RHEL 6 Via RHSA-2014:0354 https://rhn.redhat.com/errata/RHSA-2014-0354.html
This issue has been addressed in following products: OpenStack 3 for RHEL 6 Via RHSA-2014:0353 https://rhn.redhat.com/errata/RHSA-2014-0353.html
This issue has been addressed in following products: OpenStack 3 for RHEL 6 Via RHSA-2014:0364 https://rhn.redhat.com/errata/RHSA-2014-0364.html
libyaml-0.1.6-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
libyaml-0.1.6-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
perl-YAML-LibYAML-0.41-4.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
perl-YAML-LibYAML-0.41-4.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
perl-YAML-LibYAML-0.38-4.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
libyaml-0.1.6-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
libyaml-0.1.2-7.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: Red Hat Common for RHEL 6 Via RHSA-2014:0415 https://rhn.redhat.com/errata/RHSA-2014-0415.html