oss-sec mailing list archives
Re: libyaml / YAML-LibYAML DoS
From: Ingy dot Net <ingy () ingy net>
Date: Fri, 28 Nov 2014 13:01:59 -0800
Hi Ian, I was not aware that Aaron (cc'd) had taken on maintaining libyaml. I would be excited if that were the case. Aaron and I are neighbors, friends and have worked on libyaml together in the past. Last I checked, Kirill is maintaining libyaml. The canonical repo is https://bitbucket.org/xi/libyaml and all the commits there are from Kirill. I've been under the impression for some years that Kirill does not actively work on libyaml, but he has always applied security patches as needed. I started the GitHub 'yaml' organization a few years ago, and among other things it contains a git based 'mirror' of the canonical mercurial repo. I'm the author/maintainer of the Perl binding to libyaml. In this case, I verified the issue, patched/released the Perl binding, and pushed the patch to the GitHub copy. Going forward, I think it would be best if Aaron and I comaintained libyaml, but only if Kirill and Aaron want that. I am interested in getting libyaml up to YAML 1.2 ad continuing towards a YAML 2.0. I trust Aaron's skills, and am willing to work with him on (YAML) language guidance. cc'ing Oren and Clark. Cheers, Ingy On Fri, Nov 28, 2014 at 9:42 AM, Ian Cordasco <graffatcolmingov () gmail com> wrote:
On Fri, Nov 28, 2014 at 11:36 AM, Ingy dot Net <ingy () ingy net> wrote:I have fixed this by commenting out the assert. This makes the parserfailas it should. I've pushed the patch to the git-hub mirror of libyaml: https://github.com/yaml/libyaml I've added a test to https://metacpan.org/release/YAML-LibYAML andreleasedversion 0.53. Ingy PS Here is the Perl minimum test case, with the patched behavior: $ perl -MYAML::XS -e 'Load qq! x: "\n"x!' YAML::XS::Load Error: The problem: did not find expected key was found at document: 1, line: 2, column: 2 while parsing a block mapping at line: 1, column: 2 On Fri, Nov 28, 2014 at 7:45 AM, Ingy dot Net <ingy () ingy net> wrote:Taking a look at this now. Please let me know if you've already found a patch. Ingy On Fri, Nov 28, 2014 at 2:20 AM, John Haxby <john.haxby () oracle com>wrote:On 28/11/14 05:57, Jonathan Gray wrote:libyaml and the perl YAML-LibYAML (aka YAML-XS) module based on the same code have an "impossible" assert that can be triggered with the following yaml. This is a reduced testcase of a crash found with the afl fuzzer. a: " " b: true In other words a crash/denial of service with untrusted yaml input. The libyaml author was contacted on the 21st and 27th of November. No response has been received but the issue has independently been reported publically since:https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure[1] Parsing 'test.yaml': assertion "parser->simple_key_allowed ||!required" failed: file "scanner.c", line 1113, function "yaml_parser_save_simple_key"assert(parser->simple_key_allowed || !required); /* Impossible. */For what it's worth PyYAML 3.10 and 3.11 have exactly the sameassertion:import yaml yaml.load("""... abc: ... def: 'xxx ... ' ghi: 'yyy' ... """) Traceback (most recent call last): [...] assert self.allow_simple_key or not required AssertionError jchI could be mistaken but I thought Aaron Patterson had taken responsibility for maintaining libyaml. Did you attempt contacting anyone involved in the YAML organization on GitHub?
Current thread:
- libyaml / YAML-LibYAML DoS Jonathan Gray (Nov 27)
- Re: libyaml / YAML-LibYAML DoS John Haxby (Nov 28)
- Re: libyaml / YAML-LibYAML DoS Ingy dot Net (Nov 28)
- Re: libyaml / YAML-LibYAML DoS Ingy dot Net (Nov 28)
- Re: libyaml / YAML-LibYAML DoS Ian Cordasco (Nov 28)
- Re: libyaml / YAML-LibYAML DoS Ingy dot Net (Nov 28)
- Re: libyaml / YAML-LibYAML DoS Ingy dot Net (Nov 28)
- Re: libyaml / YAML-LibYAML DoS John Haxby (Nov 28)
- Re: Re: libyaml / YAML-LibYAML DoS Dāvis Mosāns (Nov 28)
- Re: Re: libyaml / YAML-LibYAML DoS Jonathan Gray (Nov 28)