Re: libyaml / YAML-LibYAML DoS

[Ingy dot Net <ingy () ingy net>]

Hi Ian,

I was not aware that Aaron (cc'd) had taken on maintaining libyaml. I would
be excited if that were the case. Aaron and I are neighbors, friends and
have worked on libyaml together in the past.

Last I checked, Kirill is maintaining libyaml. The canonical repo is
https://bitbucket.org/xi/libyaml and all the commits there are from Kirill.
I've been under the impression for some years that Kirill does not actively
work on libyaml, but he has always applied security patches as needed.

I started the GitHub 'yaml' organization a few years ago, and among other
things it contains a git based 'mirror' of the canonical mercurial repo.

I'm the author/maintainer of the Perl binding to libyaml. In this case, I
verified the issue, patched/released the Perl binding, and pushed the patch
to the GitHub copy.

Going forward, I think it would be best if Aaron and I comaintained
libyaml, but only if Kirill and Aaron want that.

I am interested in getting libyaml up to YAML 1.2 ad continuing towards a
YAML 2.0. I trust Aaron's skills, and am willing to work with him on (YAML)
language guidance.

cc'ing Oren and Clark.

Cheers, Ingy

On Fri, Nov 28, 2014 at 9:42 AM, Ian Cordasco <graffatcolmingov () gmail com>
wrote:

> On Fri, Nov 28, 2014 at 11:36 AM, Ingy dot Net <ingy () ingy net> wrote:
> > I have fixed this by commenting out the assert. This makes the parser
> fail
> > as it should.
> >
> > I've pushed the patch to the git-hub mirror of libyaml:
> > https://github.com/yaml/libyaml
> >
> > I've added a test to https://metacpan.org/release/YAML-LibYAML and
> released
> > version 0.53.
> >
> > Ingy
> >
> > PS Here is the Perl minimum test case, with the patched behavior:
> >
> >  $ perl -MYAML::XS -e 'Load qq! x: "\n"x!'
> > YAML::XS::Load Error: The problem:
> >
> >     did not find expected key
> >
> > was found at document: 1, line: 2, column: 2
> > while parsing a block mapping at line: 1, column: 2
> >
> >
> > On Fri, Nov 28, 2014 at 7:45 AM, Ingy dot Net <ingy () ingy net> wrote:
> >
> > > Taking a look at this now. Please let me know if you've already found a
> > > patch.
> > >
> > > Ingy
> > >
> > > On Fri, Nov 28, 2014 at 2:20 AM, John Haxby <john.haxby () oracle com>
> wrote:
> > > > On 28/11/14 05:57, Jonathan Gray wrote:
> > > > > libyaml and the perl YAML-LibYAML (aka YAML-XS) module based
> > > > > on the same code have an "impossible" assert that can be
> > > > > triggered with the following yaml.  This is a reduced testcase
> > > > > of a crash found with the afl fuzzer.
> > > > >
> > > > >       a: "
> > > > > "     b: true
> > > > >
> > > > > In other words a crash/denial of service with untrusted yaml input.
> > > > > The libyaml author was contacted on the 21st and 27th of November.
> > > > > No response has been received but the issue has independently been
> > > > > reported publically since:
> https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure
> > > > > [1] Parsing 'test.yaml': assertion "parser->simple_key_allowed ||
> > > > !required" failed: file "scanner.c", line 1113, function
> > > > "yaml_parser_save_simple_key"
> > > > > assert(parser->simple_key_allowed || !required);    /* Impossible. */
> > > >
> > > > For what it's worth PyYAML 3.10 and 3.11 have exactly the same
> assertion:
> > > > > > > import yaml
> > > > > > > yaml.load("""
> > > > ... abc:
> > > > ...     def: 'xxx
> > > > ... '   ghi: 'yyy'
> > > > ... """)
> > > > Traceback (most recent call last):
> > > >
> > > > [...]
> > > >
> > > >     assert self.allow_simple_key or not required
> > > > AssertionError
> > > >
> > > > jch
>
> I could be mistaken but I thought Aaron Patterson had taken
> responsibility for maintaining libyaml. Did you attempt contacting
> anyone involved in the YAML organization on GitHub?