fix CVE-2024-3205

(cherry picked from commit db32871ad7c01190c77d38879e32dc712afd25b1)
2024-04-25 10:21:08 +08:00 · 2024-04-25 10:21:08 +08:00 · d06f97f0a4
commit d06f97f0a4
parent 1a480cfae9
3 changed files with 58 additions and 35 deletions
--- a/backport-CVE-2024-3205-Fix-emitter-states-handling-when-write_indicator-fails.patch
+++ b/backport-CVE-2024-3205-Fix-emitter-states-handling-when-write_indicator-fails.patch
@ -0,0 +1,52 @@
+From ff577b94511f9fc314435a1154f1124dccbe57ec Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tina=20M=C3=BCller?= <cpan2@tinita.de>
+Date: Mon, 8 Apr 2024 23:32:52 +0200
+Subject: [PATCH] Fix emitter states handling when write_indicator fails
+
+There are cases where yaml_emitter_write_indicator fails.
+In that case POP is called on emitter->indents but not on emitter->states,
+which results in a leftover event in the stack, and later POP is called
+on an empty emitter->indents stack.
+
+This commit does not fix the case of the failing yaml_emitter_write_indicator.
+This is still investigated.
+---
+ src/emitter.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/emitter.c b/src/emitter.c
+index 609b28a4..0aca6c34 100644
+--- a/src/emitter.c
+++ b/src/emitter.c
+@@ -759,6 +759,7 @@ yaml_emitter_emit_flow_sequence_item(yaml_emitter_t *emitter,
+     {
+         emitter->flow_level --;
+         emitter->indent = POP(emitter, emitter->indents);
+        emitter->state = POP(emitter, emitter->states);
+         if (emitter->canonical && !first) {
+             if (!yaml_emitter_write_indicator(emitter, ",", 0, 0, 0))
+                 return 0;
+@@ -767,7 +768,6 @@ yaml_emitter_emit_flow_sequence_item(yaml_emitter_t *emitter,
+         }
+         if (!yaml_emitter_write_indicator(emitter, "]", 0, 0, 0))
+             return 0;
+-        emitter->state = POP(emitter, emitter->states);
+ 
+         return 1;
+     }
+@@ -808,6 +808,7 @@ yaml_emitter_emit_flow_mapping_key(yaml_emitter_t *emitter,
+             return 0;
+         emitter->flow_level --;
+         emitter->indent = POP(emitter, emitter->indents);
+        emitter->state = POP(emitter, emitter->states);
+         if (emitter->canonical && !first) {
+             if (!yaml_emitter_write_indicator(emitter, ",", 0, 0, 0))
+                 return 0;
+@@ -816,7 +817,6 @@ yaml_emitter_emit_flow_mapping_key(yaml_emitter_t *emitter,
+         }
+         if (!yaml_emitter_write_indicator(emitter, "}", 0, 0, 0))
+             return 0;
+-        emitter->state = POP(emitter, emitter->states);
+ 
+         return 1;
+     }
--- a/fix-heap-buffer-overflow-error-in-yaml-emitter-emit.patch
+++ b/fix-heap-buffer-overflow-error-in-yaml-emitter-emit.patch
@ -1,32 +0,0 @@
-From cbd860b8e62ec0dc85d4d76a9a8900a3db9c740c Mon Sep 17 00:00:00 2001
-From: chenziyang <chenziyang4@huawei.com>
-Date: Tue, 8 Nov 2022 11:15:36 +0800
-Subject: [PATCH] Fix heap buffer overflow error in
- yaml_emitter_emit_flow_sequence_item function
- 
---
- src/emitter.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
- 
-diff --git a/src/emitter.c b/src/emitter.c
-index 609b28a..336bfd1 100644
--- a/src/emitter.c
-+++ b/src/emitter.c
-@@ -758,7 +758,13 @@ yaml_emitter_emit_flow_sequence_item(yaml_emitter_t *emitter,
-     if (event->type == YAML_SEQUENCE_END_EVENT)
-     {
-         emitter->flow_level --;
-        emitter->indent = POP(emitter, emitter->indents);
-+        if (!STACK_EMPTY(emitter, emitter->indents)) {
-+            emitter->indent = POP(emitter, emitter->indents);
-+        }
-+        else {
-+            emitter->indent = 0; // set to default
-+        }
-+
-         if (emitter->canonical && !first) {
-             if (!yaml_emitter_write_indicator(emitter, ",", 0, 0, 0))
-                 return 0;
-- 
-2.21.0.windows.1
-
--- a/libyaml.spec
+++ b/libyaml.spec
@ -1,14 +1,14 @@
 Name:       libyaml
 Version:    0.2.5
-Release:    5
+Release:    6
 Summary:    A C library for parsing and emitting YAML
 License:    MIT
 URL:        https://github.com/yaml/libyaml
 Source0:    https://github.com/yaml/libyaml/releases/download/%{version}/yaml-%{version}.tar.gz

 Patch0:     fix-heap-buffer-overflow-in-yaml_emitter_emit_flow_m.patch 
-Patch1:     fix-heap-buffer-overflow-error-in-yaml-emitter-emit.patch
-Patch2:     backport-Improve-CMake-build-system.patch
+Patch1:     backport-Improve-CMake-build-system.patch
+Patch2:     backport-CVE-2024-3205-Fix-emitter-states-handling-when-write_indicator-fails.patch

 BuildRequires:  gcc

@ -74,6 +74,9 @@ make check


 %changelog
+* Thu Apr 25 2024 fuanan <fuanan3@h-partners.com> - 0.2.5-6
+- fix CVE-2024-3205
+
 * Sat May 27 2023 fuanan <fuanan3@h-partners.com> - 0.2.5-5
 - Support cmake build system
 - Modify URL and Source0