Bug 14689

Summary: yaml and perl-YAML-LibYAML new security issue CVE-2014-9130
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: mageia, olchal, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/624807/
Whiteboard: has_procedure advisory MGA4-64-OK MGA4-32-OK
Source RPM: yaml-0.1.6-1.mga4.src.rpm, perl-YAML-LibYAML-0.410.0-2.2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-11-29 17:57:51 CET 
A CVE has been assigned for an assertion left in the yaml code:
http://openwall.com/lists/oss-security/2014/11/28/8

This code is also in perl-YAML-LibYAML, and this was fixed in 0.53:
http://openwall.com/lists/oss-security/2014/11/28/6

There is also a PoC for the perl module in that message, showing the expected output with the fixed version.  With the assertion still in the code, the output is this:
$ perl -MYAML::XS -e 'Load qq! x: "\n"x!'
perl: scanner.c:1113: yaml_parser_save_simple_key: Assertion `parser->simple_key_allowed || !required' failed.
Aborted

For yaml itself, it has been fixed in git upstream, but no new release yet:
http://openwall.com/lists/oss-security/2014/11/29/3

I've submitted with the patch for yaml in Cauldron and added the patch in SVN for Mageia 4.

For perl-YAML-LibYAML, it still needs to be fixed in both Mageia 4 and Cauldron.

Reproducible: 

Steps to Reproduce:
David Walser 2014-11-29 17:58:10 CET

Whiteboard: (none) => MGA4TOO
CC: (none) => mageia

Comment 1 Sander Lepik 2014-12-03 16:50:20 CET 
So, update for perl-YAML-LibYAML on cauldron is waiting for someone to submit it and I submitted patched package for Mageia 4.

As with another perl package some time ago I first added test, build failed and I then added fix.

How to test:

0. Install perl-YAML-LibYAML
1. Run this command:
   $ perl -MYAML::XS -e 'Load qq! x: "\n"x!'
   perl: scanner.c:1113: yaml_parser_save_simple_key: Assertion `parser->simple_key_allowed || !required' failed.
   Aborted
2. Install perl-YAML-LibYAML from updates_testing
3. Run the same command again:
   $ perl -MYAML::XS -e 'Load qq! x: "\n"x!'
   YAML::XS::Load Error: The problem:

       did not find expected key

   was found at document: 1, line: 2, column: 2
   while parsing a block mapping at line: 1, column: 2

Hardware: i586 => All

Comment 2 David Walser 2014-12-03 17:43:23 CET 
Thanks Sander!  I pushed the patched yaml packaged for Mageia 4 as well.

Assigning to QA.

Advisory:
========================

Updated yaml and perl-YAML-LibYAML packages fix security vulnerability:

An assertion failure was found in the way the libyaml library parsed wrapped
strings. An attacker able to load specially crafted YAML input into an
application using libyaml could cause the application to crash
(CVE-2014-9130).

The perl-YAML-LibYAML package is also affected, as it was derived from the
same code.  Both have been patched to fix this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9130
https://bugzilla.redhat.com/show_bug.cgi?id=1169369
========================

Updated packages in core/updates_testing:
========================
libyaml0_2-0.1.6-1.1.mga4
libyaml-devel-0.1.6-1.1.mga4
perl-YAML-LibYAML-0.410.0-2.3.mga4

from SRPMS:
yaml-0.1.6-1.1.mga4.src.rpm
perl-YAML-LibYAML-0.410.0-2.3.mga4.src.rpm

Severity: normal => major
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO => (none)

Comment 3 olivier charles 2014-12-03 19:02:01 CET 
Testing on Mageia4x64 real hardware :

Current packages :
----------------

- libyaml-devel-0.1.5-1.mga4.i586
- libyaml0_2-0.1.5-1.mga4.i586
- perl-YAML-LibYAML-0.410.0-2.2.mga4.x86_64

Poc :
- - -
$ perl -MYAML::XS -e 'Load qq! x: "\n"x!'
perl: scanner.c :1113 : yaml_parser_save_simple_key:  l'assertion « parser->simple_key_allowed || !required » a échoué.
Abandon

Updated testing packages :
------------------------
- libyaml-devel-0.1.6-1.mga4.i586
- libyaml0_2-0.1.6-1.mga4.i586
- perl-YAML-LibYAML-0.410.0-2.3.mga4.x86_64

PoC :
- - -
$ perl -MYAML::XS -e 'Load qq! x: "\n"x!'
YAML::XS::Load Error: The problem:

    did not find expected key

was found at document: 1, line: 2, column: 2
while parsing a block mapping at line: 1, column: 2

Small test :
- - - - - -
Wrote a YAML config file named config.yaml:

---
Distribution: Mageia
Version: 4
Desktop: 
    - KDE
    - GNOME
Format:
    live: 
    - CD
    - DVD
    classical:
    - 32 bits
    - 64 bits

Wrote a perl script to use it (testyaml.pl)

#!/usr/bin/perl

use strict;
use warnings;
use YAML::XS qw/LoadFile/;
use Data::Dumper;
    
my $config = LoadFile('config.yaml');

print Dumper($config);

Tested it :
$ perl testyaml.pl

Worked OK and assertion failure fixed.

Whiteboard: (none) => MGA4-64-OK
CC: (none) => olchal

Comment 4 David Walser 2014-12-03 19:04:17 CET 
If you could make a python, php, or ruby version of the YAML tests, those would use libyaml.
Comment 5 olivier charles 2014-12-03 19:30:12 CET 
Installing:
 - python-yaml-3.10-5.mga4.x86_64

testyaml.py :

#!/usr/bin/python

import yaml

mydata = {'Distribution' : 'Mageia',
	  'Version' : '4',
	  'Desktop' : ['KDE','Gnome'],
	  'Format' : ['CD','DVD']}

print yaml.dump(mydata)


$ python testyaml.py

Works OK
Comment 6 claire robinson 2014-12-03 19:50:09 CET 
Good work Olivier

Whiteboard: MGA4-64-OK => has_procedure MGA4-64-OK

Comment 7 claire robinson 2014-12-03 19:54:35 CET 
You can show libyaml is used too..

# urpmq --requires python-yaml | grep libyaml
libyaml-0.so.2()(64bit)
Comment 8 olivier charles 2014-12-03 20:16:59 CET 
# urpmq --requires python-yaml | grep libyaml
--requires behaviour changed, use --requires-recursive to get the old behaviour
libyaml-0.so.2()(64bit)

Small ruby test I wrote (testyaml.rb):

#!/usr/bin/env ruby

require 'yaml'

data = {"Distribution" => "cauldron"}
File.open("test.yaml", "w") {|f| f.write(data.to_yaml) }

$ ruby testyaml.rb
Creates a file named test.yaml in yaml format.

I don't know how to make a php test.
Comment 9 David Walser 2014-12-03 20:20:07 CET 
yaml_parse or yaml_parse_file can be used:
http://php.net/manual/en/book.yaml.php
Comment 10 David Walser 2014-12-03 20:26:05 CET 
test.php:
<?php
yaml_parse(" x: \"\n\"x")
?>

Before the update "php test.php" gives:
php: scanner.c:1113: yaml_parser_save_simple_key: Assertion `parser->simple_key_allowed || !required' failed.
Aborted

After the update gives:
PHP Warning: yaml_parse(): parsing error encountered during parsing: did not find expected key (line 2, column 2), context while parsing a block mapping (line 1, column 2) in /tmp/test.php on line 2

The perl test worked out as documented above for me too, Mageia 4 i586.

Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK

Comment 11 claire robinson 2014-12-04 09:39:55 CET 
Validating. Advisory uploaded.

Please push to updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2014-12-05 16:54:50 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0508.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-12-05 18:15:08 CET

URL: (none) => http://lwn.net/Vulnerabilities/624807/