PT-2014-1788 · Libyaml+3 · Libyaml+3

Florian Weimer

Published

2014-02-06

Updated

2024-06-15

CVE-2013-6393

CVSS v2.0

6.8

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions LibYAML versions prior to 0.1.5

Description The issue is related to an incorrect cast in the yaml parser scan tag uri function, which can lead to a denial of service (application crash) and possibly allow remote attackers to execute arbitrary code via crafted tags in a YAML document, triggering a heap-based buffer overflow. Multiple vulnerabilities in the libyaml package may compromise the confidentiality, integrity, and availability of protected information, and exploitation can be done remotely.

Recommendations

Update to version 0.1.5 or later, which includes a fix for the heap-based buffer overflow vulnerability.
For versions 0.2.2 and earlier that depend on native libyaml version 0.1.5 or earlier, update to version 0.2.3 that includes a version of LibYAML with the fix.

Fix

DoS

Buffer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-119

Related Identifiers

ALT-PU-2014-1162

BDU:2015-04120

CESA-2014_0355

CVE-2013-6393

DSA-2850-1

DSA-2870-1

GHSA-M75H-CGHQ-C8H5

MGASA-2014-0040

MGASA-2014-0154

OPENSUSE-SU-2024:10029-1

OPENSUSE-SU-2024:10520-1

RHSA-2014:0353

RHSA-2014:0354

RHSA-2014:0355

RHSA-2014:0364

RHSA-2014:0415

SUSE-SU-2015:0953-1

SUSE-SU-2015:0953-2

SUSE-SU-2015_0953-1

SUSE-SU-2015_0953-2

Affected Products

Alt Linux

Centos

Libyaml

Suse

PT-2014-1788 · Libyaml+3 · Libyaml+3

CVE-2013-6393

Weakness Enumeration

Related Identifiers

Affected Products

References · 74