LibYAML 0.1.5 Buffer Overflow

2014.03.29
Credit: Ivan Fratric
Risk: High
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#2014-003 LibYAML input sanitization errors Description: The LibYAML project is an open source YAML 1.1 parser and emitter written in C. The library is affected by a heap-based buffer overflow which can lead to arbitrary code execution. The vulnerability is caused by lack of proper expansion for the string passed to the yaml_parser_scan_uri_escapes() function. A specially crafted YAML file, with a long sequence of percent-encoded characters in a URL, can be used to trigger the overflow. Affected version: LibYAML <= 0.1.5 Fixed version: LibYAML >= 0.1.6 Credit: vulnerability report received from Ivan Fratric of the Google Security Team. CVE: CVE-2014-2525 Timeline: 2014-03-11: vulnerability report received 2014-03-14: maintainer provides patch for review 2014-03-17: reporter confirms patch 2014-03-17: disclosure coordinated on 2014-03-26 2014-03-18: contacted affected vendors 2014-03-18: assigned CVE 2014-03-26: LibYAML 0.1.6 released 2014-03-26: advisory release References: http://pyyaml.org/wiki/LibYAML https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048 Permalink: http://www.ocert.org/advisories/ocert-2014-003.html -- Andrea Barisani | Founder & Project Coordinator oCERT | OSS Computer Security Incident Response Team <lcars@ocert.org> http://www.ocert.org 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E "Pluralitas non est ponenda sine necessitate"

References:

http://cxsecurity.com/issue/WLB-2014020069
http://pyyaml.org/wiki/LibYAML
https://bitbucket.org/xi/libyaml/commits/bce8b60f0b9af69fa9fab3093d0a41ba243de048


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top