Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

v3: panic "attempted to parse unknown event (please report): none" #666

Closed
bradleyjkemp opened this issue Oct 21, 2020 · 26 comments
Closed

v3: panic "attempted to parse unknown event (please report): none" #666

bradleyjkemp opened this issue Oct 21, 2020 · 26 comments

Comments

@bradleyjkemp
Copy link

Hi folks 👋🏻 Found this panic (along with #665) while fuzzing my own project.

Minimal example of the panic (https://play.golang.org/p/gLM_eHzcrgz):

package main

import (
	"gopkg.in/yaml.v3"
)

func main() {
	var t interface{}
	yaml.Unmarshal([]byte("0: [:!00 \xef"), &t)
}

Output:

panic: internal error: attempted to parse unknown event (please report): none [recovered]
	panic: internal error: attempted to parse unknown event (please report): none

goroutine 1 [running]:
gopkg.in/yaml%2ev3.handleErr(0xc000043f60)
	/tmp/gopath818249317/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/yaml.go:294 +0x85
panic(0x50f120, 0xc000010330)
	/usr/local/go-faketime/src/runtime/panic.go:969 +0x1b9
gopkg.in/yaml%2ev3.(*parser).parse(0xc000036c00, 0x0)
	/tmp/gopath818249317/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/decode.go:163 +0x277
gopkg.in/yaml%2ev3.(*parser).parseChild(...)
	/tmp/gopath818249317/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/decode.go:194
gopkg.in/yaml%2ev3.(*parser).sequence(0xc000036c00, 0xc00000e007)
	/tmp/gopath818249317/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/decode.go:259 +0xff
gopkg.in/yaml%2ev3.(*parser).parse(0xc000036c00, 0x0)
	/tmp/gopath818249317/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/decode.go:154 +0xe7
gopkg.in/yaml%2ev3.(*parser).parseChild(0xc000036c00, 0xc00007e3c0, 0xc00007e460)
	/tmp/gopath818249317/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/decode.go:194 +0x2f
gopkg.in/yaml%2ev3.(*parser).mapping(0xc000036c00, 0x9)
	/tmp/gopath818249317/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/decode.go:285 +0x1ad
gopkg.in/yaml%2ev3.(*parser).parse(0xc000036c00, 0xc000000003)
	/tmp/gopath818249317/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/decode.go:152 +0x10d
gopkg.in/yaml%2ev3.(*parser).parseChild(...)
	/tmp/gopath818249317/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/decode.go:194
gopkg.in/yaml%2ev3.(*parser).document(0xc000036c00, 0x3)
	/tmp/gopath818249317/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/decode.go:203 +0x8b
gopkg.in/yaml%2ev3.(*parser).parse(0xc000036c00, 0x0)
	/tmp/gopath818249317/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/decode.go:156 +0x87
gopkg.in/yaml%2ev3.unmarshal(0xc00002c590, 0xa, 0xa, 0x50a080, 0xc000010320, 0x0, 0x0, 0x0)
	/tmp/gopath818249317/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/yaml.go:161 +0x26a
gopkg.in/yaml%2ev3.Unmarshal(...)
	/tmp/gopath818249317/pkg/mod/gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776/yaml.go:89
main.main()
	/tmp/sandbox604520862/prog.go:9 +0x99
@niemeyer
Copy link
Contributor

Thanks for the report, I'll look into it.

@hasheddan
Copy link

As another data point, I found this occurs on invalid YAML that includes {{, which is common in manifests that are deployed with helm, such as this one.

@hasheddan hasheddan mentioned this issue Apr 21, 2021
Open
@howardjohn
Copy link

repro.txt

Same issue with YAML above ^

@stevebeattie
Copy link

This issue was assigned CVE-2022-28948

@crenshaw-dev
Copy link

Issue 666. 😈

@crenshaw-dev
Copy link

crenshaw-dev commented May 20, 2022
edited
Loading

For people who land here from Snyk: they incorrectly marked the vulnerability as being in v2. I've been unable to reproduce the issue in v2, and can only reproduce it in v3. I've notified Snyk of the error.

UPDATE: They fixed it!

UPDATE 2: For people who land here from the GitHub security advisory: they incorrectly marked the vulnerability as being in v2. Trying to find an appropriate version range to suggest...

@niemeyer
Copy link
Contributor

Sorry for being slow. The post mortem is that long ago I was thrown off by an awkward API in the underlying library: it returns success (true) in error cases in that particular function call, while in general it does not. Instead of fixing the underlying API, we'll continue to tolerate it for the time being and handle the issue on the high-level decoder, so that it remains somewhat easy to compare the original libyaml logic to what remains of it in go-yaml.

@CityOfLight77
Copy link

@niemeyer @stevebeattie why this crash worth a CVE, and no severity?

@crenshaw-dev
Copy link

@CityOfLight77 it’s a CVE because a lot of apps use go-yaml. If a malicious user sends one of these payloads to such an app, they can shut down the app (Denial of Service).

Snyk assigned a severity of 7.5. The severity really depends on how your app uses go-yaml. If an unauthenticated user can send a malicious payload, then the severity is higher than it would be if they must be authenticated.

@CityOfLight77
Copy link

@CityOfLight77 it’s a CVE because a lot of apps use go-yaml. If a malicious user sends one of these payloads to such an app, they can shut down the app (Denial of Service).

Snyk assigned a severity of 7.5. The severity really depends on how your app uses go-yaml. If an unauthenticated user can send a malicious payload, then the severity is higher than it would be if they must be authenticated.

Thanks for the explanation

@Zenithar Zenithar mentioned this issue May 23, 2022
Closed
@nabbar nabbar mentioned this issue May 23, 2022
Closed
@benjifin
Copy link

@crenshaw-dev thanks for the heads up - we (Snyk) have updated our advisory now to only show versions of yaml v3 as vulnerable, and also included the fix advice released in v3.0.0. That should be live in an hour or so 🙏

@niemeyer
Copy link
Contributor

Thanks all.

yongtang added a commit to yongtang/coredns that referenced this issue May 26, 2022
@yongtang
Update gopkg.in/yaml.v3 to v3.0.0 to fix security issues
46784d8 
As the dependabot cannot update the go-yaml automatically,
this PR updates gopkg.in/yaml.v3 to v3.0.0 to fix CVE-2022-28948
(See go-yaml/yaml#666)

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
@yongtang yongtang mentioned this issue May 26, 2022
Merged
@alemorcuq alemorcuq mentioned this issue May 26, 2022
Merged
@edigaryev edigaryev mentioned this issue May 26, 2022
Closed
rafaeljusto added a commit to Teamwork/kommentaar that referenced this issue May 26, 2022
@rafaeljusto
Fix: Upgrade gopkg.in/yaml.v2 to gopkg.in/yaml.v3 due to security issue
cf184d7 
An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash
when attempting to deserialize invalid input.

https://nvd.nist.gov/vuln/detail/CVE-2022-28948
go-yaml/yaml#666
@rafaeljusto rafaeljusto mentioned this issue May 26, 2022
Merged
rafaeljusto added a commit to Teamwork/kommentaar that referenced this issue May 26, 2022
@rafaeljusto
Fix: Upgrade gopkg.in/yaml.v2 to gopkg.in/yaml.v3 due to security issue
8cea7c5 
From the security report:
> An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash
> when attempting to deserialize invalid input.

While upgrading to version 3, there was some required changes:
* Force the encoder to use 2 spaces for identation
* Rewrite tests so lists are idented

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-28948
go-yaml/yaml#666
GHSA-hp87-p4gw-j4gq
willfindlay added a commit to willfindlay/tetragon that referenced this issue May 26, 2022
@willfindlay
vendor: upgrade yaml.v3 to v3.0.0
d6f426f 
This fixes a potential panic when the library attempts to unmarshal invalid data.
See this issue [0] for details.

[0]: go-yaml/yaml#666

Signed-off-by: William Findlay <will@isovalent.com>
@willfindlay willfindlay mentioned this issue May 26, 2022
Merged
michi-covalent pushed a commit to cilium/tetragon that referenced this issue May 26, 2022
@willfindlay @michi-covalent
vendor: upgrade yaml.v3 to v3.0.0
2122de7 
This fixes a potential panic when the library attempts to unmarshal invalid data.
See this issue [0] for details.

[0]: go-yaml/yaml#666

Signed-off-by: William Findlay <will@isovalent.com>
@vara-bonthu vara-bonthu mentioned this issue May 26, 2022
Merged
6 tasks
chrisohaver pushed a commit to coredns/coredns that referenced this issue May 26, 2022
@yongtang
Update gopkg.in/yaml.v3 to v3.0.0 to fix security issues (#5408)
bd4675b 
As the dependabot cannot update the go-yaml automatically,
this PR updates gopkg.in/yaml.v3 to v3.0.0 to fix CVE-2022-28948
(See go-yaml/yaml#666)

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
@codyoss
Copy link

codyoss commented May 26, 2022

For people who land here from Snyk: they incorrectly marked the vulnerability as being in v2. I've been unable to reproduce the issue in v2, and can only reproduce it in v3. I've notified Snyk of the error.

This seems to be correct from my testing too, maybe the OP could be edited to say there is no issue in v2 at the top. The GH advisory that came out on this is misleading people to upgrade I believe.

@crenshaw-dev
Copy link

@codyoss which GH SA? I'm not seeing one on this repo.

qu1queee added a commit to qu1queee/pkg that referenced this issue Jun 17, 2022
@qu1queee
Add fix for CVE-2022-28948
81f533d 
Per go-yaml/yaml#666, the recommendation is
to bump to v3.0.1. I detected this as an indirect dependency that was
flagged in net-istio.
@6543 6543 mentioned this issue Jun 18, 2022
Closed
knative-prow bot pushed a commit to knative/pkg that referenced this issue Jun 21, 2022
@qu1queee
Add fix for CVE-2022-28948 (#2532)
1f01575 
Per go-yaml/yaml#666, the recommendation is
to bump to v3.0.1. I detected this as an indirect dependency that was
flagged in net-istio.
@ZiViZiViZ
Copy link

Issue 666 😈

@jzding jzding mentioned this issue Jul 29, 2022
Merged
@KnVerey KnVerey mentioned this issue Aug 17, 2022
Merged
@heyLu heyLu mentioned this issue Aug 19, 2022
Closed
@stefanb stefanb mentioned this issue Aug 21, 2022
Merged
@Lepidopteron Lepidopteron mentioned this issue Sep 27, 2022
Merged
@paulyeo21 paulyeo21 mentioned this issue Oct 3, 2022
Merged
@Slijkhuis Slijkhuis mentioned this issue Oct 10, 2022
Merged
@ColbertBrave ColbertBrave mentioned this issue Oct 13, 2022
Closed
bfabio added a commit to bfabio/publiccode-parser-go that referenced this issue Feb 18, 2023
@bfabio
chore: update go-yaml to v3.0.0 (italia#132)
d24489f 
Update to newly released v3.0.0 which fixes
go-yaml/yaml#666.
@birobotond20
Copy link

Hi @crenshaw-dev, @niemeyer,
Is there any update on this, when can we expect a fix?

@Yoavast Yoavast mentioned this issue Apr 13, 2023
Open
@prymitive prymitive mentioned this issue Apr 14, 2023
Closed
@giancorderoortiz giancorderoortiz mentioned this issue Apr 16, 2023
Closed
aditighag pushed a commit to aditighag/cilium-cli that referenced this issue Apr 21, 2023
@kaworu @aditighag
vendor: update yaml.v3 to v3.0.1
1ea43d9 
See go-yaml/yaml#666, and
go-yaml/yaml#665.

Signed-off-by: Alexandre Perrin <alex@isovalent.com>
michi-covalent pushed a commit to michi-covalent/cilium that referenced this issue May 30, 2023
@kaworu @michi-covalent
vendor: update yaml.v3 to v3.0.1
ece78ca 
See go-yaml/yaml#666, and
go-yaml/yaml#665.

Signed-off-by: Alexandre Perrin <alex@isovalent.com>
This was referenced Jun 27, 2023
Open
Open
@mvo5 mvo5 mentioned this issue Jul 6, 2023
Merged
@apcxtest apcxtest mentioned this issue Aug 17, 2023
Closed
@IzhakJakov IzhakJakov mentioned this issue Sep 22, 2023
Open
This was referenced Oct 16, 2023
Closed
Open
Open
@ahrycej
Copy link

ahrycej commented Aug 16, 2024
edited
Loading

Could somebody help here: if go yaml version in use is v2.4.0 does it mean it is v2?
and v3.0.0 or v.3.0.1 is v3?

Getting above cve against v2.4.0 :/

@atc0005
Copy link

atc0005 commented Aug 16, 2024

@ahrycej:

Could somebody help here: if go yaml version in use is v2.4.0 does it mean it is v2?
and v3.0.0 or v.3.0.1 is v3?

I believe the answer to your question is "yes".

Regarding how the versions map to which branches/series, see these pages for additional details:

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Bump gopkg.in/yaml.v3 to 3.0.0
16 participants
@crenshaw-dev @niemeyer @howardjohn @stevebeattie @codyoss @isimluk @bradleyjkemp @gbolo @birobotond20 @hasheddan @atc0005 @benjifin @CityOfLight77 @ahrycej @ZiViZiViZ and others