Headline
CVE-2022-28948: v3: panic "attempted to parse unknown event (please report): none" · Issue #666 · go-yaml/yaml
An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.
Hi folks 👋🏻 Found this panic (along with #665) while fuzzing my own project.
Minimal example of the panic (https://play.golang.org/p/gLM_eHzcrgz):
package main
import ( “gopkg.in/yaml.v3” )
func main() { var t interface{} yaml.Unmarshal([]byte(“0: [:!00 \xef”), &t) }
Output:
panic: internal error: attempted to parse unknown event (please report): none [recovered]
panic: internal error: attempted to parse unknown event (please report): none
goroutine 1 [running]:
gopkg.in/yaml%2ev3.handleErr(0xc000043f60)
/tmp/gopath818249317/pkg/mod/gopkg.in/[email protected]/yaml.go:294 +0x85
panic(0x50f120, 0xc000010330)
/usr/local/go-faketime/src/runtime/panic.go:969 +0x1b9
gopkg.in/yaml%2ev3.(*parser).parse(0xc000036c00, 0x0)
/tmp/gopath818249317/pkg/mod/gopkg.in/[email protected]/decode.go:163 +0x277
gopkg.in/yaml%2ev3.(*parser).parseChild(...)
/tmp/gopath818249317/pkg/mod/gopkg.in/[email protected]/decode.go:194
gopkg.in/yaml%2ev3.(*parser).sequence(0xc000036c00, 0xc00000e007)
/tmp/gopath818249317/pkg/mod/gopkg.in/[email protected]/decode.go:259 +0xff
gopkg.in/yaml%2ev3.(*parser).parse(0xc000036c00, 0x0)
/tmp/gopath818249317/pkg/mod/gopkg.in/[email protected]/decode.go:154 +0xe7
gopkg.in/yaml%2ev3.(*parser).parseChild(0xc000036c00, 0xc00007e3c0, 0xc00007e460)
/tmp/gopath818249317/pkg/mod/gopkg.in/[email protected]/decode.go:194 +0x2f
gopkg.in/yaml%2ev3.(*parser).mapping(0xc000036c00, 0x9)
/tmp/gopath818249317/pkg/mod/gopkg.in/[email protected]/decode.go:285 +0x1ad
gopkg.in/yaml%2ev3.(*parser).parse(0xc000036c00, 0xc000000003)
/tmp/gopath818249317/pkg/mod/gopkg.in/[email protected]/decode.go:152 +0x10d
gopkg.in/yaml%2ev3.(*parser).parseChild(...)
/tmp/gopath818249317/pkg/mod/gopkg.in/[email protected]/decode.go:194
gopkg.in/yaml%2ev3.(*parser).document(0xc000036c00, 0x3)
/tmp/gopath818249317/pkg/mod/gopkg.in/[email protected]/decode.go:203 +0x8b
gopkg.in/yaml%2ev3.(*parser).parse(0xc000036c00, 0x0)
/tmp/gopath818249317/pkg/mod/gopkg.in/[email protected]/decode.go:156 +0x87
gopkg.in/yaml%2ev3.unmarshal(0xc00002c590, 0xa, 0xa, 0x50a080, 0xc000010320, 0x0, 0x0, 0x0)
/tmp/gopath818249317/pkg/mod/gopkg.in/[email protected]/yaml.go:161 +0x26a
gopkg.in/yaml%2ev3.Unmarshal(...)
/tmp/gopath818249317/pkg/mod/gopkg.in/[email protected]/yaml.go:89
main.main()
/tmp/sandbox604520862/prog.go:9 +0x99Related news
Red Hat Security Advisory 2024-4631-03 - Red Hat OpenShift Dev Spaces 3.15 has been released.
Red Hat Security Advisory 2022-4985-01 - New Cryostat 2.1.1 on RHEL 8 container images have been released, containing bug fixes and addressing security vulnerabilities. Issues addressed include a deserialization vulnerability.
New Cryostat 2.1.1 on RHEL 8 container images are now availableThis content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25647: com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson * CVE-2022-28948: golang-gopkg-yaml: crash when attempting to deserialize invalid input