YAML::Syck Heap Buffer Overflow Vulnerability in Perl
Vulnerability
A heap buffer overflow vulnerability has been identified in YAML::Syck for Perl, affecting versions through 1.36. This vulnerability arises in the YAML emitter when class names exceed the initial 512-byte allocation, leading to a heap overflow. Additionally, the base64 decoder could read past the buffer's end due to trailing newlines, and strtok improperly mutated node type identifiers, corrupting shared node data. A memory leak was also present in the anchor handling function when a node already had an anchor, causing the incoming anchor string to be leaked on early return.
Impact
Triggering this vulnerability causes a heap buffer overflow, which typically results in a crash and, depending on heap layout, can be leveraged for arbitrary code execution.
Reproduction
The vulnerability can be reproduced by creating a YAML document that includes a class name longer than 512 bytes. This can be done by dumping an object blessed into a package with a long name using the YAML::Syck module. The emitter writes the class name into the document as a tag; because the name exceeds the 512-byte initial allocation, the write runs past the end of the heap buffer.
Remediation
Users are advised to update to YAML::Syck version 1.37 or later, where this vulnerability has been fixed.
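The following Perl script is an added upgrade-verification check, not code from the advisory or from the YAML::Syck project. It refuses to run the round-trip on versions below 1.37 (so it never exercises the overflow on a vulnerable install) and otherwise confirms that a class name well past the 512-byte allocation is emitted as a tag and restored on load. The package name is constructed for the test, and the use of `$YAML::Syck::LoadBlessed` assumes a version where loading blessed objects is disabled by default.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use YAML::Syck ();

# Minimum fixed version as stated in the advisory.
my $FIXED = 1.37;

# Assumes a two-component version string (e.g. "1.37") that compares numerically.
sub installed_is_fixed {
    return $YAML::Syck::VERSION >= $FIXED;
}

# Constructed class name well past the 512-byte initial emitter allocation.
# It is not a real module; bless() does not require the package to be loaded.
my $long_class = 'Regression::' . ('A' x 700);

if ( !installed_is_fixed() ) {
    print "YAML::Syck $YAML::Syck::VERSION is below $FIXED: upgrade before running the round-trip check.\n";
    exit 1;
}

my $obj  = bless { value => 42 }, $long_class;
my $yaml = YAML::Syck::Dump($obj);

# The fixed emitter must carry the full class name in the tag, untruncated.
die "class name missing from emitted tag\n" if index( $yaml, $long_class ) < 0;

# Re-blessing on Load is opt-in on recent releases (assumption noted in the lead-in).
local $YAML::Syck::LoadBlessed = 1;
my $back = YAML::Syck::Load($yaml);

die "round trip lost the blessing\n" unless ref($back) eq $long_class;
die "round trip lost data\n"         unless $back->{value} == 42;
print "ok: long class name round-trips on YAML::Syck $YAML::Syck::VERSION\n";
```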
