
How is this CVE-2024-3205 affected? #289

Open
zhuofeng6 opened this issue Apr 3, 2024 · 11 comments

Comments

@zhuofeng6

https://nvd.nist.gov/vuln/detail/CVE-2024-3205

@hasufell

hasufell commented Apr 3, 2024

NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

@hasufell

hasufell commented Apr 3, 2024

Code:

libyaml/src/emitter.c

Lines 740 to 788 in f8f760f

/*
 *
 * Expect a flow item node.
 */

static int
yaml_emitter_emit_flow_sequence_item(yaml_emitter_t *emitter,
        yaml_event_t *event, int first)
{
    if (first)
    {
        if (!yaml_emitter_write_indicator(emitter, "[", 1, 1, 0))
            return 0;
        if (!yaml_emitter_increase_indent(emitter, 1, 0))
            return 0;
        emitter->flow_level ++;
    }

    if (event->type == YAML_SEQUENCE_END_EVENT)
    {
        emitter->flow_level --;
        emitter->indent = POP(emitter, emitter->indents);
        if (emitter->canonical && !first) {
            if (!yaml_emitter_write_indicator(emitter, ",", 0, 0, 0))
                return 0;
            if (!yaml_emitter_write_indent(emitter))
                return 0;
        }
        if (!yaml_emitter_write_indicator(emitter, "]", 0, 0, 0))
            return 0;
        emitter->state = POP(emitter, emitter->states);

        return 1;
    }

    if (!first) {
        if (!yaml_emitter_write_indicator(emitter, ",", 0, 0, 0))
            return 0;
    }

    if (emitter->canonical || emitter->column > emitter->best_width) {
        if (!yaml_emitter_write_indent(emitter))
            return 0;
    }
    if (!PUSH(emitter, emitter->states, YAML_EMIT_FLOW_SEQUENCE_ITEM_STATE))
        return 0;

    return yaml_emitter_emit_node(emitter, event, 0, 1, 0, 0);
}

@zhuofeng6
Author

zhuofeng6 commented Apr 3, 2024

Is this PR to fix the CVE?
#259

@zhuofeng6
Author

Code:

libyaml/src/emitter.c

Lines 740 to 788 in f8f760f


Where exactly is this memory leak?

@perlpunk
Member

perlpunk commented Apr 3, 2024

It's hard to review a PR if there is no reproducer I guess...

@hasufell

hasufell commented Apr 3, 2024

@perlpunk there's supposedly evidence in the fuzzing data https://drive.google.com/drive/folders/1lwNEs8wqwkUV52f3uQNYMPrxRuXPtGQs?usp=sharing

I haven't checked yet

@perlpunk
Member

perlpunk commented Apr 3, 2024

At least I can download some files from the shared drive, but the two input files I can find there have nothing to do with flow sequences. They also seem to be broken.
This is one of the files (I removed some broken stuff at the beginning that the parser complained about):

- -  - - -   - - - -     - - - - - -   - - -  - -  -     - - -   - - - -     - - - - - - -  -  - - - - ---   -     -  -- - -     - - -     - - - - - - -  -  -  - - - -     -  --   -  - 
-  - - -    - - - -   - - -  - - - -     - - -   - - - - -   - - - -     -     - - - - - - -  -  -  - - - -     - - -   -  - 
-  - - -    - - - -   - - -  - - - -     - - -   - - - - -   - - - -     - -    - - -     - - - - - -   - - -  - -  -     - - -   - -- -   - - - -       --  - 

@perlpunk
Member

perlpunk commented Apr 4, 2024

Please see my notes in #258 on how I tried to reproduce (and failed).

@zhuofeng6
Author

I think this can only be a bug, not a CVE. After all, it's common.

What do you think, my brother @perlpunk?

@perlpunk
Member

perlpunk commented Apr 9, 2024

brother?

@perlpunk
Member

perlpunk commented Apr 16, 2024

Please see my latest comment here: #258 (comment)
I believe it's not a libyaml vulnerability or bug.
