A CVE has been assigned for an assertion left in the yaml code: http://openwall.com/lists/oss-security/2014/11/28/8 This code is also in perl-YAML-LibYAML, and this was fixed in 0.53: http://openwall.com/lists/oss-security/2014/11/28/6 There is also a PoC for the perl module in that message, showing the expected output with the fixed version. With the assertion still in the code, the output is this: $ perl -MYAML::XS -e 'Load qq! x: "\n"x!' perl: scanner.c:1113: yaml_parser_save_simple_key: Assertion `parser->simple_key_allowed || !required' failed. Aborted For yaml itself, it has been fixed in git upstream, but no new release yet: http://openwall.com/lists/oss-security/2014/11/29/3 I've submitted with the patch for yaml in Cauldron and added the patch in SVN for Mageia 4. For perl-YAML-LibYAML, it still needs to be fixed in both Mageia 4 and Cauldron. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA4TOOCC: (none) => mageia
So, update for perl-YAML-LibYAML on cauldron is waiting for someone to submit it and I submitted patched package for Mageia 4. As with another perl package some time ago I first added test, build failed and I then added fix. How to test: 0. Install perl-YAML-LibYAML 1. Run this command: $ perl -MYAML::XS -e 'Load qq! x: "\n"x!' perl: scanner.c:1113: yaml_parser_save_simple_key: Assertion `parser->simple_key_allowed || !required' failed. Aborted 2. Install perl-YAML-LibYAML from updates_testing 3. Run the same command again: $ perl -MYAML::XS -e 'Load qq! x: "\n"x!' YAML::XS::Load Error: The problem: did not find expected key was found at document: 1, line: 2, column: 2 while parsing a block mapping at line: 1, column: 2
Hardware: i586 => All
Thanks Sander! I pushed the patched yaml packaged for Mageia 4 as well. Assigning to QA. Advisory: ======================== Updated yaml and perl-YAML-LibYAML packages fix security vulnerability: An assertion failure was found in the way the libyaml library parsed wrapped strings. An attacker able to load specially crafted YAML input into an application using libyaml could cause the application to crash (CVE-2014-9130). The perl-YAML-LibYAML package is also affected, as it was derived from the same code. Both have been patched to fix this issue. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9130 https://bugzilla.redhat.com/show_bug.cgi?id=1169369 ======================== Updated packages in core/updates_testing: ======================== libyaml0_2-0.1.6-1.1.mga4 libyaml-devel-0.1.6-1.1.mga4 perl-YAML-LibYAML-0.410.0-2.3.mga4 from SRPMS: yaml-0.1.6-1.1.mga4.src.rpm perl-YAML-LibYAML-0.410.0-2.3.mga4.src.rpm
Severity: normal => majorVersion: Cauldron => 4Assignee: bugsquad => qa-bugsWhiteboard: MGA4TOO => (none)
Testing on Mageia4x64 real hardware : Current packages : ---------------- - libyaml-devel-0.1.5-1.mga4.i586 - libyaml0_2-0.1.5-1.mga4.i586 - perl-YAML-LibYAML-0.410.0-2.2.mga4.x86_64 Poc : - - - $ perl -MYAML::XS -e 'Load qq! x: "\n"x!' perl: scanner.c :1113 : yaml_parser_save_simple_key: l'assertion « parser->simple_key_allowed || !required » a échoué. Abandon Updated testing packages : ------------------------ - libyaml-devel-0.1.6-1.mga4.i586 - libyaml0_2-0.1.6-1.mga4.i586 - perl-YAML-LibYAML-0.410.0-2.3.mga4.x86_64 PoC : - - - $ perl -MYAML::XS -e 'Load qq! x: "\n"x!' YAML::XS::Load Error: The problem: did not find expected key was found at document: 1, line: 2, column: 2 while parsing a block mapping at line: 1, column: 2 Small test : - - - - - - Wrote a YAML config file named config.yaml: --- Distribution: Mageia Version: 4 Desktop: - KDE - GNOME Format: live: - CD - DVD classical: - 32 bits - 64 bits Wrote a perl script to use it (testyaml.pl) #!/usr/bin/perl use strict; use warnings; use YAML::XS qw/LoadFile/; use Data::Dumper; my $config = LoadFile('config.yaml'); print Dumper($config); Tested it : $ perl testyaml.pl Worked OK and assertion failure fixed.
Whiteboard: (none) => MGA4-64-OKCC: (none) => olchal
If you could make a python, php, or ruby version of the YAML tests, those would use libyaml.
Installing: - python-yaml-3.10-5.mga4.x86_64 testyaml.py : #!/usr/bin/python import yaml mydata = {'Distribution' : 'Mageia', 'Version' : '4', 'Desktop' : ['KDE','Gnome'], 'Format' : ['CD','DVD']} print yaml.dump(mydata) $ python testyaml.py Works OK
Good work Olivier
Whiteboard: MGA4-64-OK => has_procedure MGA4-64-OK
You can show libyaml is used too.. # urpmq --requires python-yaml | grep libyaml libyaml-0.so.2()(64bit)
# urpmq --requires python-yaml | grep libyaml --requires behaviour changed, use --requires-recursive to get the old behaviour libyaml-0.so.2()(64bit) Small ruby test I wrote (testyaml.rb): #!/usr/bin/env ruby require 'yaml' data = {"Distribution" => "cauldron"} File.open("test.yaml", "w") {|f| f.write(data.to_yaml) } $ ruby testyaml.rb Creates a file named test.yaml in yaml format. I don't know how to make a php test.
yaml_parse or yaml_parse_file can be used: http://php.net/manual/en/book.yaml.php
test.php: <?php yaml_parse(" x: \"\n\"x") ?> Before the update "php test.php" gives: php: scanner.c:1113: yaml_parser_save_simple_key: Assertion `parser->simple_key_allowed || !required' failed. Aborted After the update gives: PHP Warning: yaml_parse(): parsing error encountered during parsing: did not find expected key (line 2, column 2), context while parsing a block mapping (line 1, column 2) in /tmp/test.php on line 2 The perl test worked out as documented above for me too, Mageia 4 i586.
Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK
Validating. Advisory uploaded. Please push to updates Thanks
Keywords: (none) => validated_updateWhiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0508.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/624807/