YAML::Syck Buffer Underflow Vulnerability in Base60 Parsing
Vulnerability
A buffer underflow vulnerability has been identified in YAML::Syck versions prior to 1.38 for Perl. The issue arises in the base60 parsing code within perl_syck.h, specifically in the int#base60 and float#base60 handlers. When the parser processes the leftmost segment of a colon-separated value, the inner loop can decrement a pointer past the beginning of the string buffer. The resulting read is out of bounds and therefore undefined behavior: it crashes the process when the library runs under AddressSanitizer or Valgrind, and otherwise it can lead to data corruption. The vulnerability is triggered when YAML documents contain sexagesimal values and the ImplicitTyping feature is enabled.
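As an added illustration of the bug class (constructed for this advisory; it is not the perl_syck.h code, and the function names and structure are assumptions), the following C parser scans each colon-separated segment from right to left. A scan that stops only on ':' walks past the start of the buffer on the leftmost segment, which has no ':' to its left; the bounded version also stops at the start pointer, and the parser built on it validates the segments it reads.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

/*
 * Constructed example of a right-to-left sexagesimal ("base60") parser.
 * This is NOT the YAML::Syck perl_syck.h code; names and structure are
 * assumptions chosen to show the bug class beside a bounded version.
 */

/*
 * Vulnerable pattern ("before" shape, never called here). Given a pointer
 * to the last character of a segment, walk backwards until a ':' is found.
 * For the leftmost segment there is no ':' to the left, so the loop keeps
 * decrementing p and reads before buf[0]: that is the out-of-bounds read.
 */
const char *segment_start_unbounded(const char *buf, const char *last) {
    (void)buf;                          /* the buffer start is never consulted */
    const char *p = last;
    while (*p != ':')                   /* BUG: no "p > buf" guard */
        p--;
    return p + 1;
}

/*
 * Bounded pattern: the scan stops at the buffer start as well as at ':'.
 * Returns a pointer to the first character of the segment ending at last.
 */
const char *segment_start_bounded(const char *buf, const char *last) {
    const char *p = last;
    while (p > buf && p[-1] != ':')
        p--;
    return p;
}

/*
 * Parse "a:b:c" into a*3600 + b*60 + c (an optional leading '-' negates).
 * Returns 0 on success, -1 on malformed input: empty string, empty segment,
 * non-digit, a segment other than the leftmost that is >= 60, or overflow.
 */
int parse_base60(const char *buf, long *out) {
    const char *start = buf;
    int negative = 0;
    if (*start == '-') { negative = 1; start++; }
    if (*start == '\0') return -1;

    const char *p = start + strlen(start);  /* one past the last character */
    long value = 0, weight = 1;
    for (;;) {
        const char *seg_end = p;
        const char *seg_start = segment_start_bounded(start, p - 1);
        if (seg_start == seg_end) return -1; /* empty segment, e.g. "1::2" */

        long seg = 0;
        for (const char *q = seg_start; q < seg_end; q++) {
            if (*q < '0' || *q > '9') return -1;
            if (seg > (LONG_MAX - (*q - '0')) / 10) return -1;
            seg = seg * 10 + (*q - '0');
        }
        if (seg_start != start && seg >= 60) return -1; /* only the leftmost may be >= 60 */
        if (seg > 0 && weight > LONG_MAX / seg) return -1;
        if (value > LONG_MAX - seg * weight) return -1;
        value += seg * weight;

        if (seg_start == start) break;      /* leftmost segment handled: stop here */
        if (weight > LONG_MAX / 60) return -1;
        weight *= 60;
        p = seg_start - 1;                  /* p now points at the ':' */
        if (p == start) return -1;          /* leading ':' */
    }
    *out = negative ? -value : value;
    return 0;
}

/* Convenience wrapper: the parsed value, or LONG_MIN if the input is malformed. */
long base60_or_min(const char *buf) {
    long v;
    return parse_base60(buf, &v) == 0 ? v : LONG_MIN;
}
```

The single-segment input "30" is the case that matters: with the bounded scan the loop exits at the start pointer, whereas the unbounded shape would step before the buffer looking for a ':' that does not exist.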
Impact
Exploitation of this vulnerability causes an out-of-bounds read, leading to undefined behavior. This can result in a crash under AddressSanitizer or Valgrind, memory corruption if the read byte happens to be a colon, and incorrect parsing of sexagesimal values.
Reproduction
The vulnerability can be reproduced by loading a YAML document with sexagesimal values while the YAML::Syck ImplicitTyping feature is enabled. This can be done using the Load function from the YAML::Syck module.
Remediation
Users should upgrade to YAML::Syck version 1.38 or later, where this vulnerability has been fixed.
