Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-28948: v3: panic "attempted to parse unknown event (please report): none" · Issue #666 · go-yaml/yaml

An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.

CVE

Hi folks 👋🏻 Found this panic (along with #665) while fuzzing my own project.

Minimal example of the panic (https://play.golang.org/p/gLM_eHzcrgz):

package main

import ( “gopkg.in/yaml.v3” )

func main() { var t interface{} yaml.Unmarshal([]byte(“0: [:!00 \xef”), &t) }

Output:

panic: internal error: attempted to parse unknown event (please report): none [recovered]
    panic: internal error: attempted to parse unknown event (please report): none

goroutine 1 [running]:
gopkg.in/yaml%2ev3.handleErr(0xc000043f60)
    /tmp/gopath818249317/pkg/mod/gopkg.in/[email protected]/yaml.go:294 +0x85
panic(0x50f120, 0xc000010330)
    /usr/local/go-faketime/src/runtime/panic.go:969 +0x1b9
gopkg.in/yaml%2ev3.(*parser).parse(0xc000036c00, 0x0)
    /tmp/gopath818249317/pkg/mod/gopkg.in/[email protected]/decode.go:163 +0x277
gopkg.in/yaml%2ev3.(*parser).parseChild(...)
    /tmp/gopath818249317/pkg/mod/gopkg.in/[email protected]/decode.go:194
gopkg.in/yaml%2ev3.(*parser).sequence(0xc000036c00, 0xc00000e007)
    /tmp/gopath818249317/pkg/mod/gopkg.in/[email protected]/decode.go:259 +0xff
gopkg.in/yaml%2ev3.(*parser).parse(0xc000036c00, 0x0)
    /tmp/gopath818249317/pkg/mod/gopkg.in/[email protected]/decode.go:154 +0xe7
gopkg.in/yaml%2ev3.(*parser).parseChild(0xc000036c00, 0xc00007e3c0, 0xc00007e460)
    /tmp/gopath818249317/pkg/mod/gopkg.in/[email protected]/decode.go:194 +0x2f
gopkg.in/yaml%2ev3.(*parser).mapping(0xc000036c00, 0x9)
    /tmp/gopath818249317/pkg/mod/gopkg.in/[email protected]/decode.go:285 +0x1ad
gopkg.in/yaml%2ev3.(*parser).parse(0xc000036c00, 0xc000000003)
    /tmp/gopath818249317/pkg/mod/gopkg.in/[email protected]/decode.go:152 +0x10d
gopkg.in/yaml%2ev3.(*parser).parseChild(...)
    /tmp/gopath818249317/pkg/mod/gopkg.in/[email protected]/decode.go:194
gopkg.in/yaml%2ev3.(*parser).document(0xc000036c00, 0x3)
    /tmp/gopath818249317/pkg/mod/gopkg.in/[email protected]/decode.go:203 +0x8b
gopkg.in/yaml%2ev3.(*parser).parse(0xc000036c00, 0x0)
    /tmp/gopath818249317/pkg/mod/gopkg.in/[email protected]/decode.go:156 +0x87
gopkg.in/yaml%2ev3.unmarshal(0xc00002c590, 0xa, 0xa, 0x50a080, 0xc000010320, 0x0, 0x0, 0x0)
    /tmp/gopath818249317/pkg/mod/gopkg.in/[email protected]/yaml.go:161 +0x26a
gopkg.in/yaml%2ev3.Unmarshal(...)
    /tmp/gopath818249317/pkg/mod/gopkg.in/[email protected]/yaml.go:89
main.main()
    /tmp/sandbox604520862/prog.go:9 +0x99

Related news

Red Hat Security Advisory 2024-4631-03

Red Hat Security Advisory 2024-4631-03 - Red Hat OpenShift Dev Spaces 3.15 has been released.

Red Hat Security Advisory 2022-4985-01

Red Hat Security Advisory 2022-4985-01 - New Cryostat 2.1.1 on RHEL 8 container images have been released, containing bug fixes and addressing security vulnerabilities. Issues addressed include a deserialization vulnerability.

RHSA-2022:4985: Red Hat Security Advisory: Cryostat 2.1.1: new Cryostat on RHEL 8 container images

New Cryostat 2.1.1 on RHEL 8 container images are now availableThis content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25647: com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson * CVE-2022-28948: golang-gopkg-yaml: crash when attempting to deserialize invalid input

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907