Bug 505948 (CVE-2014-2525) - <dev-libs/libyaml-0.1.6: input sanitization errors (oCERT-2014-003) (CVE-2014-2525)
Status: RESOLVED FIXED
Alias: CVE-2014-2525
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa]
Reported: 2014-03-27 09:36 UTC by Agostino Sarubbo
Modified: 2014-05-23 08:43 UTC

Description Agostino Sarubbo gentoo-dev 2014-03-27 09:36:55 UTC
From ${URL} :

#2014-003 LibYAML input sanitization errors

Description:

The LibYAML project is an open source YAML 1.1 parser and emitter written in
C.

The library is affected by a heap-based buffer overflow which can lead to
arbitrary code execution. The vulnerability is caused by lack of proper
expansion for the string passed to the yaml_parser_scan_uri_escapes()
function.

A specially crafted YAML file, with a long sequence of percent-encoded
characters in a URL, can be used to trigger the overflow.

Affected version:

LibYAML <= 0.1.5

Fixed version:

LibYAML >= 0.1.6

Credit: vulnerability report received from Ivan Fratric of the
        Google Security Team.

CVE: CVE-2014-2525

Timeline:

2014-03-11: vulnerability report received
2014-03-14: maintainer provides patch for review
2014-03-17: reporter confirms patch
2014-03-17: disclosure coordinated on 2014-03-26
2014-03-18: contacted affected vendors
2014-03-18: assigned CVE
2014-03-26: LibYAML 0.1.6 released
2014-03-26: advisory release

References:
http://pyyaml.org/wiki/LibYAML
https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048

Permalink:
http://www.ocert.org/advisories/ocert-2014-003.html



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
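
An added illustration of the bug class the advisory describes (it is not LibYAML's code and not part of the original report): a percent-escape decoder that appends to a heap buffer and grows it before every write. The names `strbuf`, `strbuf_reserve1` and `decode_uri_escapes` are hypothetical, and the sample input is constructed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical growable buffer for this example (not LibYAML's type). */
typedef struct { unsigned char *data; size_t len, cap; } strbuf;

/* Guarantee room for one more byte plus a NUL, doubling when full. */
static int strbuf_reserve1(strbuf *b) {
    if (b->len + 2 <= b->cap) return 1;
    size_t ncap = b->cap ? b->cap * 2 : 16;
    unsigned char *p = realloc(b->data, ncap);
    if (!p) return 0;              /* old buffer stays valid on failure */
    b->data = p; b->cap = ncap;
    return 1;
}

static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes; 1 on success, 0 on bad escape or out of memory. */
int decode_uri_escapes(const char *in, strbuf *out) {
    while (*in) {
        unsigned char byte = (unsigned char)*in;
        if (byte == '%') {
            int hi = hexval((unsigned char)in[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[2]);
            if (lo < 0) return 0;  /* truncated or non-hex escape */
            byte = (unsigned char)((hi << 4) | lo);
            in += 2;
        }
        in++;
        /* Grow before EVERY write: without this check a long run of
         * escapes writes past the end of the heap allocation. */
        if (!strbuf_reserve1(out)) return 0;
        out->data[out->len++] = byte;
        out->data[out->len] = '\0';
    }
    return 1;
}

int main(void) {
    strbuf b = {0};                /* constructed sample input below */
    if (decode_uri_escapes("tag%3Ayaml.org%2C2002%3A", &b)) puts((char *)b.data);
    free(b.data);
    return 0;
}
```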
Comment 1 Tim Harder gentoo-dev 2014-03-27 16:07:20 UTC
Arches, please stabilize libyaml-0.1.6.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2014-03-28 03:23:48 UTC
Stable for HPPA.
Comment 3 Agostino Sarubbo gentoo-dev 2014-03-28 18:33:02 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-03-28 18:33:14 UTC
x86 stable
Comment 5 Markus Meier gentoo-dev 2014-04-01 19:02:30 UTC
arm stable
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-04-10 21:30:05 UTC
CVE-2014-2525 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2525):
  Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in
  LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary
  code via a long sequence of percent-encoded characters in a URI in a YAML
  file.
Comment 7 Agostino Sarubbo gentoo-dev 2014-04-13 11:08:18 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-04-21 10:50:47 UTC
alpha stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-05-11 08:06:01 UTC
ppc64 stable
Comment 10 Akinori Hattori gentoo-dev 2014-05-13 14:36:14 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-05-14 16:11:41 UTC
sparc stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2014-05-15 03:42:08 UTC
Arches and Maintainer(s), thank you for your work.

Added to new GLSA Request
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2014-05-23 08:43:38 UTC
This issue was resolved and addressed in
 GLSA 201405-27 at http://security.gentoo.org/glsa/glsa-201405-27.xml
by GLSA coordinator Sergey Popov (pinkbyte).