Summary: | <dev-cpp/yaml-cpp-0.6.3-r3: Multiple vulnerabilities (CVE-2019-{6285,6292}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | ajak, johu |
Priority: | Normal | Keywords: | CC-ARCHES, PullRequest |
Version: | unspecified | Flags: | nattka: sanity-check+ |
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://github.com/gentoo/gentoo/pull/16622 | ||
Whiteboard: | B3 [noglsa cve] | ||
Package list: | dev-cpp/yaml-cpp-0.6.3-r3 | ||
Runtime testing required: | --- |
Description
GLSAMaker/CVETool Bot
2020-04-24 03:40:49 UTC
(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2019-6285 (https://nvd.nist.gov/vuln/detail/CVE-2019-6285):
> The SingleDocParser::HandleFlowSequence function in yaml-cpp (aka
> LibYaml-C++) 0.6.2 allows remote attackers to cause a denial of service
> (stack consumption and application crash) via a crafted YAML file.

Patches: https://github.com/jbeder/yaml-cpp/pull/807

That PR mentions fixing these too:

CVE-2018-20573: The Scanner::EnsureTokensInQueue function in yaml-cpp (aka LibYaml-C++) 0.6.2 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted YAML file.

CVE-2018-20574: The SingleDocParser::HandleFlowMap function in yaml-cpp (aka LibYaml-C++) 0.6.2 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted YAML file.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9530f57129611ca33ca70dc96727466a082784e4

commit 9530f57129611ca33ca70dc96727466a082784e4
Author: John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-07-07 01:19:02 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2020-07-27 02:18:13 +0000

    dev-cpp/yaml-cpp: Revbump to add security patch

    Bug: https://bugs.gentoo.org/719150
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/yaml-cpp-0.6.3-fix-overflows.patch | 149 +++++++++++++++++++++
 dev-cpp/yaml-cpp/yaml-cpp-0.6.3-r3.ebuild | 49 +++++++
 2 files changed, 198 insertions(+)

Should be OK to stable but let's give it a few days first because we've had problems in the past with this package.

sparc done

arm64 done

amd64 stable

x86 stable

ppc done

ppc64 done

all arches done

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e80822e8f1fb71bcb7faec08eade7ba7171cb29b

commit e80822e8f1fb71bcb7faec08eade7ba7171cb29b
Author: Sam James <sam@gentoo.org>
AuthorDate: 2020-08-30 05:51:18 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2020-08-30 05:51:18 +0000

    dev-cpp/yaml-cpp: security cleanup

    Closes: https://bugs.gentoo.org/719150
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-cpp/yaml-cpp/yaml-cpp-0.6.3-r2.ebuild | 48 -------------------------------
 1 file changed, 48 deletions(-)