[Koha-bugs] [Bug 13953] New: Bad QueryParser YAML config + old version of YAML::XS can cause segfault
bugzilla-daemon at bugs.koha-community.org
Fri Apr 3 15:46:29 CEST 2015
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13953
Bug ID: 13953
Summary: Bad QueryParser YAML config + old version of YAML::XS
can cause segfault
Change sponsored?: ---
Product: Koha
Version: 3.18
Hardware: All
OS: All
Status: NEW
Severity: minor
Priority: P5 - low
Component: Architecture, internals, and plumbing
Assignee: gmcharlt at gmail.com
Reporter: gmcharlt at gmail.com
QA Contact: testopia at bugs.koha-community.org
A system that happens to have an old version of YAML::XS that does not have the
fix for CVE-2014-9130
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9130) can be subject
to having processes that invoke a catalog search segfault if the following
conditions are met:

- QueryParser is enabled
- etc/searchengine/queryparser.yaml is malformed in such a way as to trigger
  the assert that's the subject of the CVE
- YAML::XS is installed on the system and is either older than version 0.53 or
  didn't get the fix backpatched by the distro

The following mitigations are available:

- first, fix queryparser.yaml
- install a more recent version of YAML::XS
- *remove* YAML::XS, in which case YAML::Any will switch to using YAML::Syck

This bug is filed for informational purposes; since changes to queryparser.yaml
have to be done on the filesystem, and since as near as I can tell, other uses
of YAML are parsed using YAML::Syck or the pure-perl YAML module, I don't see
there being a remote exploit.
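A check an administrator could run for the second and third conditions in the report, as an added example that is not part of the original report and is not Koha code. The function names are hypothetical; the 0.53 threshold and the file path come from the report. Because a distro may have backported the fix, the version verdict is paired with a parse probe that loads the file in a separate perl process, so a crash is observed there rather than in a search process.

```shell
# Added example, not Koha code; function names are hypothetical.
FIXED_VERSION=0.53   # per the report: older YAML::XS releases lack the fix

# Succeeds when decimal Perl module version $1 is lower than $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN { exit !((a + 0) < (b + 0)) }'
}

# Prints the installed YAML::XS version, or nothing if it is not installed.
installed_yaml_xs_version() {
    perl -MYAML::XS -e 'print YAML::XS->VERSION' 2>/dev/null || true
}

# Maps a YAML::XS version (empty = not installed) to a verdict.
classify_yaml_xs() {
    if [ -z "$1" ]; then
        echo "absent"                      # YAML::Any falls back to YAML::Syck
    elif version_lt "$1" "$FIXED_VERSION"; then
        echo "needs-upgrade-or-backport"   # a distro backport may still apply
    else
        echo "fixed-upstream"
    fi
}

# Maps the probe's exit status: 0 parsed, >128 killed by signal (status - 128).
classify_parse_status() {
    if [ "$1" -eq 0 ]; then
        echo "parsed"
    elif [ "$1" -gt 128 ]; then
        echo "crashed-signal-$(( $1 - 128 ))"
    else
        echo "rejected"
    fi
}

# Loads the file in a throwaway perl process so a crash stays contained there.
probe_parse() {
    status=0
    perl -MYAML::XS=LoadFile -e 'eval { LoadFile($ARGV[0]); 1 } or exit 1' \
        "$1" >/dev/null 2>&1 || status=$?
    classify_parse_status "$status"
}

# Usage: check_queryparser_yaml etc/searchengine/queryparser.yaml
check_queryparser_yaml() {
    verdict=$(classify_yaml_xs "$(installed_yaml_xs_version)")
    echo "YAML::XS: $verdict"
    [ "$verdict" = "absent" ] || echo "parse probe: $(probe_parse "$1")"
}
```

A `crashed-signal-N` result means the file triggers a crash in the installed YAML::XS; `rejected` means the parser refused the file cleanly, so the file still needs fixing.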