rpms/perl-YAML-LibYAML
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Add fixes for CVE-2013-6393 and CVE-2014-2525

Browse Source 
- Fix LibYAML input sanitization errors (CVE-2014-2525)
- Fix heap-based buffer overflow when parsing YAML tags (CVE-2013-6393)
This commit is contained in:
Paul Howarth 2014-03-27 13:52:30 +00:00
parent 3e843d9036
commit da43da31bb
3 changed files with 228 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

177
YAML-LibYAML-0.41-CVE-2013-6393.patch Normal file
View File

@ -0,0 +1,177 @@
# HG changeset patch
# User Kirill Simonov <xi@resolvent.net>
# Date 1391406104 21600
# Node ID f859ed1eb757a3562b98a28a8ce69274bfd4b3f2
# Parent da9bc6f12781a583076c7b60d057df5d7b50f96f
Guard against overflows in indent and flow_level.
--- LibYAML/scanner.c
+++ LibYAML/scanner.c
@@ -615,11 +615,11 @@
*/
static int
-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
- int number, yaml_token_type_t type, yaml_mark_t mark);
+yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column,
+ ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark);
static int
-yaml_parser_unroll_indent(yaml_parser_t *parser, int column);
+yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column);
/*
* Token fetchers.
@@ -1103,7 +1103,7 @@
*/
int required = (!parser->flow_level
- && parser->indent == (int)parser->mark.column);
+ && parser->indent == (ptrdiff_t)parser->mark.column);
/*
* A simple key is required only when it is the first token in the current
@@ -1176,6 +1176,9 @@
/* Increase the flow level. */
+ if (parser->flow_level == INT_MAX)
+ return 0;
+
parser->flow_level++;
return 1;
@@ -1206,8 +1209,8 @@
*/
static int
-yaml_parser_roll_indent(yaml_parser_t *parser, int column,
- int number, yaml_token_type_t type, yaml_mark_t mark)
+yaml_parser_roll_indent(yaml_parser_t *parser, ptrdiff_t column,
+ ptrdiff_t number, yaml_token_type_t type, yaml_mark_t mark)
{
yaml_token_t token;
@@ -1226,6 +1229,9 @@
if (!PUSH(parser, parser->indents, parser->indent))
return 0;
+ if (column > INT_MAX)
+ return 0;
+
parser->indent = column;
/* Create a token and insert it into the queue. */
@@ -1254,7 +1260,7 @@
static int
-yaml_parser_unroll_indent(yaml_parser_t *parser, int column)
+yaml_parser_unroll_indent(yaml_parser_t *parser, ptrdiff_t column)
{
yaml_token_t token;
--- LibYAML/yaml_private.h
+++ LibYAML/yaml_private.h
@@ -7,6 +7,7 @@
#include <assert.h>
#include <limits.h>
+#include <stddef.h>
/*
* Memory management.
# HG changeset patch
# User Kirill Simonov <xi@resolvent.net>
# Date 1391409843 21600
# Node ID af3599437a87162554787c52d8b16eab553f537b
# Parent 0df2fb962294f3a6df1450a3e08c6a0f74f9078c
Forgot to set the error state.
--- LibYAML/scanner.c
+++ LibYAML/scanner.c
@@ -1176,8 +1176,10 @@
/* Increase the flow level. */
- if (parser->flow_level == INT_MAX)
+ if (parser->flow_level == INT_MAX) {
+ parser->error = YAML_MEMORY_ERROR;
return 0;
+ }
parser->flow_level++;
@@ -1229,8 +1231,10 @@
if (!PUSH(parser, parser->indents, parser->indent))
return 0;
- if (column > INT_MAX)
+ if (column > INT_MAX) {
+ parser->error = YAML_MEMORY_ERROR;
return 0;
+ }
parser->indent = column;
Description: CVE-2013-6393: yaml_stack_extend: guard against integer overflow
This is a hardening patch also from Florian Weimer
<fweimer@redhat.com>. It is not required to fix this CVE however it
improves the robustness of the code against future issues by avoiding
large node ID's in a central place.
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076
Last-Update: 2014-01-29
---
# HG changeset patch
# User Florian Weimer <fweimer@redhat.com>
# Date 1389274355 -3600
# Thu Jan 09 14:32:35 2014 +0100
# Node ID 034d7a91581ac930e5958683f1a06f41e96d24a2
# Parent a54d7af707f25dc298a7be60fd152001d2b3035b
yaml_stack_extend: guard against integer overflow
--- LibYAML/api.c
+++ LIBYAML/api.c
@@ -117,7 +117,12 @@
YAML_DECLARE(int)
yaml_stack_extend(void **start, void **top, void **end)
{
- void *new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
+ void *new_start;
+
+ if ((char *)*end - (char *)*start >= INT_MAX / 2)
+ return 0;
+
+ new_start = yaml_realloc(*start, ((char *)*end - (char *)*start)*2);
if (!new_start) return 0;
Description: CVE-2013-6393: yaml_parser_scan_tag_uri: fix int overflow leading to buffer overflow
This is a proposed patch from Florian Weimer <fweimer@redhat.com> for
the string overflow issue. It has been ack'd by upstream.
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1033990
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737076
Last-Update: 2014-01-29
---
# HG changeset patch
# User Florian Weimer <fweimer@redhat.com>
# Date 1389273500 -3600
# Thu Jan 09 14:18:20 2014 +0100
# Node ID a54d7af707f25dc298a7be60fd152001d2b3035b
# Parent 3e6507fa0c26d20c09f8f468f2bd04aa2fd1b5b5
yaml_parser_scan_tag_uri: fix int overflow leading to buffer overflow
--- LibYAML/scanner.c
+++ LibYAML/scanner.c
@@ -2621,7 +2621,7 @@
/* Resize the string to include the head. */
- while (string.end - string.start <= (int)length) {
+ while ((size_t)(string.end - string.start) <= length) {
if (!yaml_string_extend(&string.start, &string.pointer, &string.end)) {
parser->error = YAML_MEMORY_ERROR;
goto error;

38
YAML-LibYAML-0.41-CVE-2014-2525.patch Normal file
View File

@ -0,0 +1,38 @@
Description: CVE-2014-2525: Fixes heap overflow in yaml_parser_scan_uri_escapes
The heap overflow is caused by not properly expanding a string before
writing to it in function yaml_parser_scan_uri_escapes in scanner.c.
Origin: backport, https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2014-03-20
Applied-Upstream: 0.1.6
--- LibYAML/scanner.c
+++ LibYAML/scanner.c
@@ -2619,6 +2619,9 @@ yaml_parser_scan_tag_uri(yaml_parser_t *
/* Check if it is a URI-escape sequence. */
if (CHECK(parser->buffer, '%')) {
+ if (!STRING_EXTEND(parser, string))
+ goto error;
+
if (!yaml_parser_scan_uri_escapes(parser,
directive, start_mark, &string)) goto error;
}
--- LibYAML/yaml_private.h
+++ LibYAML/yaml_private.h
@@ -132,9 +132,12 @@ yaml_string_join(
(string).start = (string).pointer = (string).end = 0)
#define STRING_EXTEND(context,string) \
- (((string).pointer+5 < (string).end) \
+ ((((string).pointer+5 < (string).end) \
|| yaml_string_extend(&(string).start, \
- &(string).pointer, &(string).end))
+ &(string).pointer, &(string).end)) ? \
+ 1 : \
+ ((context)->error = YAML_MEMORY_ERROR, \
+ 0))
#define CLEAR(context,string) \
((string).pointer = (string).start, \

14
perl-YAML-LibYAML.spec
View File

@ -1,12 +1,14 @@
Name: perl-YAML-LibYAML
Version: 0.41
Release: 3%{?dist}
Release: 4%{?dist}
Summary: Perl YAML Serialization using XS and libyaml
License: GPL+ or Artistic
Group: Development/Libraries
URL: http://search.cpan.org/dist/YAML-LibYAML/
Source0: http://search.cpan.org/CPAN/authors/id/I/IN/INGY/YAML-LibYAML-%{version}.tar.gz
Patch0: YAML-LibYAML-0.35-format-error.patch
Patch1: YAML-LibYAML-0.41-CVE-2014-2525.patch
Patch2: YAML-LibYAML-0.41-CVE-2013-6393.patch
# Install
BuildRequires: perl(Cwd)
@ -50,6 +52,12 @@ bound to Python and was later bound to Ruby.
# Fix format string vulnerabilities (CVE-2012-1152, CPAN RT#46507)
%patch0 -p1
# Fix LibYAML input sanitization errors (CVE-2014-2525)
%patch1
# Fix heap-based buffer overflow when parsing YAML tags (CVE-2013-6393)
%patch2
%build
perl Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}"
make %{?_smp_mflags}
@ -71,6 +79,10 @@ make test
%{_mandir}/man3/YAML::XS::LibYAML.3pm*
%changelog
* Thu Mar 27 2014 Paul Howarth <paul@city-fan.org> - 0.41-4
- Fix LibYAML input sanitization errors (CVE-2014-2525)
- Fix heap-based buffer overflow when parsing YAML tags (CVE-2013-6393)
* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.41-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild