Bug 12583

Summary: libyaml new security issue CVE-2013-6393
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: paul.blackburn, stormi-mageia, sysadmin-bugs, thomas, tmb
Version: 4
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/583997/
Whiteboard: MGA3TOO advisory has_procedure MGA3-32-OK MGA4-32-OK MGA3-64-OK MGA4-64-OK
Source RPM: yaml-0.1.4-6.mga3.src.rpm
CVE:
Status comment:

Description David Walser 2014-02-04 22:21:53 CET
Debian has issued an advisory on January 31:
http://www.debian.org/security/2014/dsa-2850

They have patches, as does RedHat in their bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1033990

which also indicates that these issues are fixed upstream in 0.1.5.

Mageia 3 and Mageia 4 are also affected.

David Walser 2014-02-04 22:22:00 CET

Whiteboard: (none) => MGA4TOO, MGA3TOO

Thomas Spuhler 2014-02-05 17:52:14 CET

Status: NEW => ASSIGNED

Comment 1 Thomas Spuhler 2014-02-05 18:27:13 CET
I have uploaded an updated package for Mageia 3/Mageia 4 and Cauldron.

Advisory:
========================

Updated yaml packages fix security vulnerabilities (CVE-2013-6393):
These are the affected packages:
yaml-0.1.5-1.mga(x).src.rpm
lib64yaml0_2-0.1.5-1.mga
lib64yaml-devel-0.1.5-1.mga
yaml-debuginfo-0.1.5-1.mga

Assignee: thomas => qa-bugs

Comment 2 David Walser 2014-02-05 18:41:39 CET
Thanks Thomas!

Here's the full advisory.

Advisory:
========================

Updated libyaml packages fix security vulnerabilities:

Florian Weimer of the Red Hat Product Security Team discovered a heap-based
buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and emitter library.
A remote attacker could provide a YAML document with a specially-crafted tag
that, when parsed by an application using libyaml, would cause the application
to crash or, potentially, execute arbitrary code with the privileges of the
user running the application (CVE-2013-6393).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6393
http://www.debian.org/security/2014/dsa-2850
========================

Updated packages in core/updates_testing:
========================
libyaml0_2-0.1.5-1.mga3
libyaml-devel-0.1.5-1.mga3
yaml-debuginfo-0.1.5-1.mga3
libyaml0_2-0.1.5-1.mga4
libyaml-devel-0.1.5-1.mga4
yaml-debuginfo-0.1.5-1.mga4

from SRPMS:
yaml-0.1.5-1.mga3.src.rpm
yaml-0.1.5-1.mga4.src.rpm

CC: (none) => thomas
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 3 Samuel Verschelde 2014-02-06 12:49:41 CET
libyaml0_2 is used in:

php-yaml
python-yaml
suricata

which in turn are required by:

openerp-server
python-nltk
unknown-horizons
w3af
w3af-gui
weboob

---

Testing mga3 32 bits with php-yaml and php-cli and the example from http://www.php.net/manual/en/yaml.examples.php (put it in a test.php file beginning with "<?php" and execute with "php test.php")

CC: (none) => stormi
Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 4 Samuel Verschelde 2014-02-06 13:00:55 CET
(In reply to Samuel VERSCHELDE from comment #3)
> libyaml0_2 is used in:
> 
> php-yaml
> python-yaml
> suricata
> 
> which in turn are required by:
> 
> openerp-server
> python-nltk
> unknown-horizons
> w3af
> w3af-gui
> weboob
> 

This list is wrong; I made it from mga2. The actual list is far bigger. Get it with: urpmq --whatrequires-recursive libyaml0_2.

Comment 5 Samuel Verschelde 2014-02-06 13:04:13 CET
Testing complete mga3 32 and mga4 32 using example from comment #3

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK

Comment 6 Paul Blackburn 2014-02-07 16:36:39 CET
starting test on mga3 64

CC: (none) => paul.blackburn

Comment 7 Paul Blackburn 2014-02-07 17:34:17 CET
On Mageia 3 x86_64:

Step-1:
Installed updates_testing version of Libyaml with:
urpmi rsync://distrib-coffee.ipsl.jussieu.fr::mageia/distrib/3/x86_64/media/core/updates_testing/lib64yaml0_2-0.1.5-1.mga3.x86_64.rpm

Step-2:
Installed 
urpmi php-yaml php-cli

Step-3:
Created "test.php" from example at http://www.php.net/manual/en/yaml.examples.php

Step-4:
Ran test: php test.php

Step-5:
Compared output from step-4 (above) with output shown at:
http://www.php.net/manual/en/yaml.examples.php

Step-6: confirmed test output same as on example page (step-5).

Samuel Verschelde 2014-02-07 17:35:50 CET

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA3-64-OK

Comment 8 Paul Blackburn 2014-02-07 17:57:00 CET
starting test on mga4 64

Comment 9 Paul Blackburn 2014-02-07 18:14:09 CET
On Mageia 4 x86_64:

Step-1:
Installed updates_testing version of Libyaml with:
urpmi rsync://distrib-coffee.ipsl.jussieu.fr::mageia/distrib/4/x86_64/media/core/updates_testing/lib64yaml0_2-0.1.5-1.mga4.x86_64.rpm

Steps 2,3,4,5 same as in comment 7 (above).

Step-6: confirmed test output same as on example page (step-5).
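
A QA helper in shell, added here and not part of the bug report or the Mageia QA team's own procedure: it checks that the installed libyaml package (libyaml0_2 on i586, lib64yaml0_2 on x86_64, as named in this bug) carries at least the fixed upstream version 0.1.5 from the advisory, and, where php-yaml is installed, runs a small tag-parsing round trip instead of the manual example used in comments 3 and 7. The `version_ge` helper and the constructed `!!str` document are assumptions of this example.

```shell
#!/bin/sh
# Added QA helper for the libyaml CVE-2013-6393 update; not part of the bug
# report. Assumes the Mageia package names from the bug (libyaml0_2 /
# lib64yaml0_2) and the fixed upstream version 0.1.5 named in the advisory.
FIXED_VERSION="0.1.5"

# version_ge A B: exit 0 if dotted numeric version A >= B, compared component-wise
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca="${a%%.*}"; cb="${b%%.*}"
        [ "${ca:-0}" -gt "${cb:-0}" ] && return 0
        [ "${ca:-0}" -lt "${cb:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# libyaml_fixed VERSION: exit 0 if VERSION is at least the fixed release
libyaml_fixed() { version_ge "$1" "$FIXED_VERSION"; }

# installed_libyaml_version: print the installed libyaml version (either arch
# package name); exit 1 if rpm is unavailable or the package is not installed
installed_libyaml_version() {
    command -v rpm >/dev/null 2>&1 || return 1
    for pkg in lib64yaml0_2 libyaml0_2; do
        v=$(rpm -q --qf '%{VERSION}' "$pkg" 2>/dev/null) || continue
        printf '%s\n' "$v"; return 0
    done
    return 1
}

# php_tag_smoke_test: when php-yaml is loaded, parse a constructed document with
# an explicit tag (the code path the advisory describes) and require a clean exit
php_tag_smoke_test() {
    command -v php >/dev/null 2>&1 || { echo "php not installed, skipping"; return 0; }
    php -r 'if (!extension_loaded("yaml")) exit(0);
            $d = yaml_parse("--- !!str 123\n...");
            exit(is_string($d) && $d === "123" ? 0 : 1);'
}

main() {
    v=$(installed_libyaml_version) || { echo "libyaml package not found"; return 2; }
    if libyaml_fixed "$v"; then echo "libyaml $v: fixed release (>= $FIXED_VERSION)"
    else echo "libyaml $v: older than $FIXED_VERSION, CVE-2013-6393 not fixed"; return 1; fi
    php_tag_smoke_test
}
case "${1:-}" in --run) main ;; esac
```

Run with `sh check-libyaml.sh --run` on the test machine after installing from core/updates_testing; exit status 1 means the old version is still installed.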

Samuel Verschelde 2014-02-07 19:34:05 CET

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA3-64-OK MGA4-64-OK

Comment 10 claire robinson 2014-02-08 16:38:10 CET
Advisory uploaded. Validating.

Could sysadmin please push from 3&4 core/updates_testing to updates

Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

claire robinson 2014-02-08 16:46:15 CET

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA3-64-OK MGA4-64-OK => MGA3TOO advisory has_procedure MGA3-32-OK MGA4-32-OK MGA3-64-OK MGA4-64-OK

Comment 11 Thomas Backlund 2014-02-08 20:34:37 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0040.html

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED