Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 776796 (CVE-2017-18640)

Summary: <dev-java/snakeyaml-1.28: billion laughs DoS (CVE-2017-18640)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: fordfrog, ionen, java
Priority: Normal Keywords: PullRequest
Version: unspecifiedFlags: nattka: sanity-check+
Hardware: All   
OS: Linux   
URL: https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion
See Also: https://github.com/gentoo/gentoo/pull/20176
Whiteboard: B3 [glsa+]
Package list:
dev-java/snakeyaml-1.28-r1 amd64 x86 dev-java/joda-time-2.10.10-r1 amd64
 Runtime testing required: ---
Bug Depends on: 780663    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-17 03:08:37 UTC 
CVE-2017-18640:

The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Patch: https://bitbucket.org/asomov/snakeyaml/commits/da11ddbd91c1f8392ea932b37fa48110fa54ed8c

Patch appears to only be included in 1.26 onward, contradicting the CVE
description, so needs bump to at least 1.26.
Comment 1 Larry the Git Cow gentoo-dev 2021-04-06 11:05:12 UTC 
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe6324607afad6e952b57747c3297a6b5d69ffbd

commit fe6324607afad6e952b57747c3297a6b5d69ffbd
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-03-28 21:13:13 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-06 10:44:28 +0000

    dev-java/snakeyaml: bump to 1.28 (CVE-2017-18640)
    
    Closes: https://bugs.gentoo.org/776796
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/20176
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/snakeyaml/Manifest              |  1 +
 dev-java/snakeyaml/snakeyaml-1.28.ebuild | 86 ++++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-06 12:51:53 UTC 
Please stabilize when ready.
Comment 3 NATTkA bot gentoo-dev 2021-04-06 12:52:29 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-04-10 08:24:21 UTC Comment hidden (obsolete)
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2021-04-11 00:14:25 UTC 
x86 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2021-04-15 19:41:06 UTC 
ppc64 stable
Comment 7 NATTkA bot gentoo-dev 2021-04-16 13:55:46 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-04-16 13:57:15 UTC Comment hidden (obsolete)
Comment 9 Miroslav Šulc gentoo-dev 2021-04-16 14:05:41 UTC 
sorry, i accidentally removed a slot of commons-lang that i thought is not used anymore.
Comment 10 NATTkA bot gentoo-dev 2021-04-26 15:20:25 UTC Comment hidden (obsolete)
Comment 11 Andreas Sturmlechner gentoo-dev 2021-05-15 18:58:31 UTC 
(In reply to Miroslav Šulc from comment #9)
> sorry, i accidentally removed a slot of commons-lang that i thought is not
> used anymore.
I assume this was "fixed" in commit c16e45c8. Then please in the future make sure that no arches are missing in CC.
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-16 12:38:37 UTC 
amd64 done
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-16 12:39:14 UTC 
x86 done

all arches done
Comment 14 Larry the Git Cow gentoo-dev 2021-05-16 18:02:24 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=94b45e9356226bb3b5b7d8c3c6d71f69d8390fb0

commit 94b45e9356226bb3b5b7d8c3c6d71f69d8390fb0
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-05-16 18:01:39 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-05-16 18:01:39 +0000

    dev-java/snakeyaml: removed obsolete and vulnerable 1.16
    
    Bug: https://bugs.gentoo.org/776796
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/snakeyaml/Manifest              |  1 -
 dev-java/snakeyaml/snakeyaml-1.16.ebuild | 50 --------------------------------
 2 files changed, 51 deletions(-)
Comment 15 Miroslav Šulc gentoo-dev 2021-05-16 18:04:48 UTC 
the tree is clean now, you can proceed
Comment 16 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-18 01:42:22 UTC 
Thanks!
Comment 17 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-21 17:43:17 UTC 
GLSA request filed
Comment 18 Larry the Git Cow gentoo-dev 2023-05-21 19:52:06 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=980b750f6ebc25adc36501cfe47c72ab672b5e9b

commit 980b750f6ebc25adc36501cfe47c72ab672b5e9b
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-21 19:44:41 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-21 19:51:37 +0000

    [ GLSA 202305-28 ] snakeyaml: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/776796
    Bug: https://bugs.gentoo.org/868621
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-28.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
Comment 19 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-21 19:52:45 UTC 
GLSA released, all done!