From da43da31bb1dba3e2801e062aa179ac8d50aa538 Mon Sep 17 00:00:00 2001
From: Paul Howarth
Date: Thu, 27 Mar 2014 13:52:30 +0000
Subject: [PATCH] Add fixes for CVE-2013-6393 and CVE-2014-2525

- Fix LibYAML input sanitization errors (CVE-2014-2525)
- Fix heap-based buffer overflow when parsing YAML tags (CVE-2013-6393)
---
YAML-LibYAML-0.41-CVE-2013-6393.patch | 177 ++++++++++++++++++++++++++
YAML-LibYAML-0.41-CVE-2014-2525.patch | 38 ++++++
perl-YAML-LibYAML.spec | 14 +-
3 files changed, 228 insertions(+), 1 deletion(-)
create mode 100644 YAML-LibYAML-0.41-CVE-2013-6393.patch
create mode 100644 YAML-LibYAML-0.41-CVE-2014-2525.patch

diff --git a/YAML-LibYAML-0.41-CVE-2013-6393.patch b/YAML-LibYAML-0.41-CVE-2013-6393.patch
new file mode 100644
index 0000000..e914e71
--- /dev/null
+++ b/YAML-LibYAML-0.41-CVE-2013-6393.patch
@@ -0,0 +1,177 @@
+# HG changeset patch
+# User Kirill Simonov
+# Date 1391406104 21600
+# Node ID f859ed1eb757a3562b98a28a8ce69274bfd4b3f2
+# Parent da9bc6f12781a583076c7b60d057df5d7b50f96f
+Guard against overflows in indent and flow_level.
+
+--- LibYAML/scanner.c
++++ LibYAML/scanner.c
+@@ -615,11 +615,11 @@
+ */
+
+ static int
+-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
+- int number, yaml_token_type_t type, yaml_mark_t mark);
++yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column,
++ ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark);
+
+ static int
+-yaml_parser_unroll_indent(yaml_parser_t *parser, int column);
++yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column);
+
+ /*
+ * Token fetchers.
+@@ -1103,7 +1103,7 @@
+ */
+
+ int required = (!parser->flow_level
+- && parser->indent == (int)parser->mark.column);
++ && parser->indent == (ptrdiff_t)parser->mark.column);
+
+ /*
+ * A simple key is required only when it is the first token in the current
+@@ -1176,6 +1176,9 @@
+
+ /* Increase the flow level. */
+
++ if (parser->flow_level == INT_MAX)
++ return 0;
++
+ parser->flow_level++;
+
+ return 1;
+@@ -1206,8 +1209,8 @@
+ */
+
+ static int
+-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
+- int number, yaml_token_type_t type, yaml_mark_t mark)
++yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column,
++ ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark)
+ {
+ yaml_token_t token;
+
+@@ -1226,6 +1229,9 @@
+ if (!PUSH(parser, parser->indents, parser->indent))
+ return 0;
+
++ if (column > INT_MAX)
++ return 0;
++
+ parser->indent = column;
+
+ /* Create a token and insert it into the queue.
*/
+@@ -1254,7 +1260,7 @@
+
+
+ static int
+-yaml_parser_unroll_indent(yaml_parser_t *parser, int column)
++yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column)
+ {
+ yaml_token_t token;
+
+--- LibYAML/yaml_private.h
++++ LibYAML/yaml_private.h
+@@ -7,6 +7,7 @@
+
+ #include
+ #include
++#include
+
+ /*
+ * Memory management.
+# HG changeset patch
+# User Kirill Simonov
+# Date 1391409843 21600
+# Node ID af3599437a87162554787c52d8b16eab553f537b
+# Parent 0df2fb962294f3a6df1450a3e08c6a0f74f9078c
+Forgot to set the error state.
+
+--- LibYAML/scanner.c
++++ LibYAML/scanner.c
+@@ -1176,8 +1176,10 @@
+
+ /* Increase the flow level. */
+
+- if (parser->flow_level == INT_MAX)
++ if (parser->flow_level == INT_MAX) {
++ parser->error = YAML_MEMORY_ERROR;
+ return 0;
++ }
+
+ parser->flow_level++;
+
+@@ -1229,8 +1231,10 @@
+ if (!PUSH(parser, parser->indents, parser->indent))
+ return 0;
+
+- if (column > INT_MAX)
++ if (column > INT_MAX) {
++ parser->error = YAML_MEMORY_ERROR;
+ return 0;
++ }
+
+ parser->indent = column;
+
+Description: CVE-2013-6393: yaml_stack_extend: guard against integer overflow
+ This is a hardening patch also from Florian Weimer
+ . It is not required to fix this CVE however it
+ improves the robustness of the code against future issues by avoiding
+ large node ID's in a central place.
+Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076
+Last-Update: 2014-01-29
+---
+# HG changeset patch
+# User Florian Weimer
+# Date 1389274355 -3600
+# Thu Jan 09 14:32:35 2014 +0100
+# Node ID 034d7a91581ac930e5958683f1a06f41e96d24a2
+# Parent a54d7af707f25dc298a7be60fd152001d2b3035b
+yaml_stack_extend: guard against integer overflow
+
+--- LibYAML/api.c
++++ LIBYAML/api.c
+@@ -117,7 +117,12 @@
+ YAML_DECLARE(int)
+ yaml_stack_extend(void **start, void **top, void **end)
+ {
+- void *new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
++ void *new_start;
++
++ if ((char *)*end - (char *)*start >= INT_MAX / 2)
++ return 0;
++
++ new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
+
+ if (!new_start) return 0;
+
+Description: CVE-2013-6393: yaml_parser_scan_tag_uri: fix int overflow leading to buffer overflow
+ This is a proposed patch from Florian Weimer for
+ the string overflow issue. It has been ack'd by upstream.
+Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076
+Last-Update: 2014-01-29
+---
+# HG changeset patch
+# User Florian Weimer
+# Date 1389273500 -3600
+# Thu Jan 09 14:18:20 2014 +0100
+# Node ID a54d7af707f25dc298a7be60fd152001d2b3035b
+# Parent 3e6507fa0c26d20c09f8f468f2bd04aa2fd1b5b5
+yaml_parser_scan_tag_uri: fix int overflow leading to buffer overflow
+
+--- LibYAML/scanner.c
++++ LibYAML/scanner.c
+@@ -2621,7 +2621,7 @@
+
+ /* Resize the string to include the head. */
+
+- while (string.end - string.start <= (int)length) {
++ while ((size_t)(string.end - string.start) <= length) {
+ if (!yaml_string_extend(&string.start, &string.pointer, &string.end)) {
+ parser->error = YAML_MEMORY_ERROR;
+ goto error;
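Review bot: The `+++ LIBYAML/api.c` header in the yaml_stack_extend changeset does not match its `--- LibYAML/api.c` line, so on a case-sensitive filesystem the apply depends on patch(1) preferring the old-side name that exists; it should read `+++ LibYAML/api.c` like the other changesets in this file. The `#include` line added to yaml_private.h shows no header name here, presumably a rendering artifact of this page, but INT_MAX used by the new guards comes from `<limits.h>`, so the committed patch file should be checked for it. The `>= INT_MAX / 2` guard in yaml_stack_extend returns 0 without recording an error state; presumably the PUSH/QUEUE wrappers that call it set YAML_MEMORY_ERROR themselves, but they are outside this patch. The flow_level and column guards surface a nesting-depth limit as YAML_MEMORY_ERROR, which matches upstream; a comment such as `/* nesting limit reached; surfaced as YAML_MEMORY_ERROR, following upstream */` at those two sites would save the next reader from looking for an allocation that is not there.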
diff --git a/YAML-LibYAML-0.41-CVE-2014-2525.patch b/YAML-LibYAML-0.41-CVE-2014-2525.patch
new file mode 100644
index 0000000..82b8b63
--- /dev/null
+++ b/YAML-LibYAML-0.41-CVE-2014-2525.patch
@@ -0,0 +1,38 @@
+Description: CVE-2014-2525: Fixes heap overflow in yaml_parser_scan_uri_escapes
+ The heap overflow is caused by not properly expanding a string before
+ writing to it in function yaml_parser_scan_uri_escapes in scanner.c.
+
+Origin: backport, https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048
+Author: Salvatore Bonaccorso
+Last-Update: 2014-03-20
+Applied-Upstream: 0.1.6
+
+--- LibYAML/scanner.c
++++ LibYAML/scanner.c
+@@ -2619,6 +2619,9 @@ yaml_parser_scan_tag_uri(yaml_parser_t *
+ /* Check if it is a URI-escape sequence. */
+
+ if (CHECK(parser->buffer, '%')) {
++ if (!STRING_EXTEND(parser, string))
++ goto error;
++
+ if (!yaml_parser_scan_uri_escapes(parser,
+ directive, start_mark, &string)) goto error;
+ }
+--- LibYAML/yaml_private.h
++++ LibYAML/yaml_private.h
+@@ -132,9 +132,12 @@ yaml_string_join(
+ (string).start = (string).pointer = (string).end = 0)
+
+ #define STRING_EXTEND(context,string) \
+- (((string).pointer+5 < (string).end) \
++ ((((string).pointer+5 < (string).end) \
+ || yaml_string_extend(&(string).start, \
+- &(string).pointer, &(string).end))
++ &(string).pointer, &(string).end)) ? \
++ 1 : \
++ ((context)->error = YAML_MEMORY_ERROR, \
++ 0))
+
+ #define CLEAR(context,string) \
+ ((string).pointer = (string).start, \
diff --git a/perl-YAML-LibYAML.spec b/perl-YAML-LibYAML.spec
index 86c8b70..0d09fee 100644
--- a/perl-YAML-LibYAML.spec
+++ b/perl-YAML-LibYAML.spec
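Review bot: The STRING_EXTEND inserted before the yaml_parser_scan_uri_escapes call reserves only what the macro tests for, `(string).pointer+5 < (string).end`, so the fix is sufficient only as long as the escape decoder writes no more than that per call; the decoder is not part of this patch, and a comment at the call site such as `/* reserve room before the escape decoder writes into string; it must not emit more bytes than STRING_EXTEND guarantees */` would record the invariant the fix depends on. The macro change also makes every STRING_EXTEND caller set `parser->error` on failure, which is consistent with how the hunk above uses it but reaches call sites outside this patch; presumably they only `goto error` afterwards, in which case it is harmless. The `@@ -2619` hunk touches the same region of yaml_parser_scan_tag_uri as the `@@ -2621` hunk in the CVE-2013-6393 patch, so whichever is applied second lands with a small line offset; patch(1) copes, but the spec should say the two are expected to overlap.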
@@ -1,12 +1,14 @@
Name: perl-YAML-LibYAML
Version: 0.41
-Release: 3%{?dist}
+Release: 4%{?dist}
Summary: Perl YAML Serialization using XS and libyaml
License: GPL+ or Artistic
Group: Development/Libraries
URL: http://search.cpan.org/dist/YAML-LibYAML/
Source0: http://search.cpan.org/CPAN/authors/id/I/IN/INGY/YAML-LibYAML-%{version}.tar.gz
Patch0: YAML-LibYAML-0.35-format-error.patch
+Patch1: YAML-LibYAML-0.41-CVE-2014-2525.patch
+Patch2: YAML-LibYAML-0.41-CVE-2013-6393.patch

# Install
BuildRequires: perl(Cwd)
@@ -50,6 +52,12 @@ bound to Python and was later bound to Ruby.
# Fix format string vulnerabilities (CVE-2012-1152, CPAN RT#46507)
%patch0 -p1

+# Fix LibYAML input sanitization errors (CVE-2014-2525)
+%patch1
+
+# Fix heap-based buffer overflow when parsing YAML tags (CVE-2013-6393)
+%patch2
+
%build
perl Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}"
make %{?_smp_mflags}
@@ -71,6 +79,10 @@ make test
%{_mandir}/man3/YAML::XS::LibYAML.3pm*

%changelog
+* Thu Mar 27 2014 Paul Howarth - 0.41-4
+- Fix LibYAML input sanitization errors (CVE-2014-2525)
+- Fix heap-based buffer overflow when parsing YAML tags (CVE-2013-6393)
+
* Sun Aug 04 2013 Fedora Release Engineering - 0.41-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
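Review bot: `%patch1` and `%patch2` in the %prep hunk are applied without an explicit strip level while `%patch0` uses `-p1`; the new patch files carry bare `LibYAML/...` paths, so the intended level appears to be 0, and writing it out, `%patch1 -p0` and `%patch2 -p0`, makes the applied prefix independent of the %patch macro's default. Because the CVE-2014-2525 patch is applied first and inserts three lines into yaml_parser_scan_tag_uri, the CVE-2013-6393 hunk at scanner.c line 2621 presumably applies with an offset; that is harmless, but a one-line comment before `%patch2` saying it is expected to apply with an offset after Patch1 would stop a future packager from treating the offset as breakage or reordering the two. The remainder of the section is the release bump and changelog entry.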