Description: The function “Token& Scanner::peek” in scanner.cpp in yaml-cpp 0.5.3 and earlier allows remote attackers to cause a denial of service (assertion failure and application exit) via a ‘!2’ string.
The GitHub issue report is here: https://github.com/jbeder/yaml-cpp/issues/519, for future reference.
The function "Token& Scanner::peek" in scanner.cpp in yaml-cpp 0.5.3 and earlier allows remote attackers to cause a denial of service (assertion failure and application exit) via a '!2' string.

RedHat states they will not fix: https://access.redhat.com/security/cve/cve-2017-11692

Maintainers, please take a look and provide your opinion. This has been around for a while and we need to decide what to do with it.
Upstream seems not to care. If no reverse dep would be there I would be last rite it. On the other hand it is a minor issue.
(In reply to Johannes Huber from comment #3)
> Upstream seems not to care. If no reverse dep would be there I would be last
> rite it. On the other hand it is a minor issue.

Patch: https://github.com/jbeder/yaml-cpp/commit/c9460110e072df84b7dee3eb651f2ec5df75fb18

@maintainer(s): ok to create a new ebuild with this?
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f506b95e837aebf001b41ed1bcd19bda82d3ee47

commit f506b95e837aebf001b41ed1bcd19bda82d3ee47
Author:     Johannes Huber <johu@gentoo.org>
AuthorDate: 2020-03-20 11:35:37 +0000
Commit:     Johannes Huber <johu@gentoo.org>
CommitDate: 2020-03-20 11:36:48 +0000

    dev-cpp/yaml-cpp: Fix CVE-2017-11692

    Bug: https://bugs.gentoo.org/626662
    Thanks-to: sam_c (Security Padawan) <sam@cmpct.info>
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Johannes Huber <johu@gentoo.org>

 .../files/yaml-cpp-0.6.3-CVE-2017-11692.patch | 44 ++++++++++++++++++++
 dev-cpp/yaml-cpp/yaml-cpp-0.6.3-r2.ebuild | 48 ++++++++++++++++++++++
 2 files changed, 92 insertions(+)
Unable to check for sanity:

> dependent bug #713464 is missing keywords
Resetting sanity check; package list is empty or all packages are done.
@maintainer(s), please cleanup
GLSA vote: yes
This issue was resolved and addressed in GLSA 202007-14 at https://security.gentoo.org/glsa/202007-14 by GLSA coordinator Sam James (sam_c).
(In reply to GLSAMaker/CVETool Bot from comment #10)
> This issue was resolved and addressed in
> GLSA 202007-14 at https://security.gentoo.org/glsa/202007-14
> by GLSA coordinator Sam James (sam_c).

Reopening for cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df25aa0798f692e44a99922e9a27d013fafc0bd7

commit df25aa0798f692e44a99922e9a27d013fafc0bd7
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-07-19 22:32:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-27 02:18:14 +0000

    dev-cpp/yaml-cpp: Cleanup <0.6.3-r2

    Bug: https://bugs.gentoo.org/626662
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/16622
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-cpp/yaml-cpp/Manifest | 1 -
 .../files/yaml-cpp-0.6.2-CVE-2017-5950.patch | 45 --------------
 .../files/yaml-cpp-0.6.2-unbundle-gtest.patch | 70 ----------------------
 dev-cpp/yaml-cpp/yaml-cpp-0.6.2.ebuild | 42 -------------
 dev-cpp/yaml-cpp/yaml-cpp-0.6.3-r1.ebuild | 45 --------------
 5 files changed, 203 deletions(-)