| Summary: | dev-java/snakeyaml: remote code execution via unsafe deserialization | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | ||
| Severity: | major | CC: | java |
| Priority: | Normal | Keywords: | PullRequest |
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2 | ||
| See Also: | https://github.com/gentoo/gentoo/pull/30235 | ||
| Whiteboard: | B1 [upstream] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
John Helmert III
2022-12-01 18:06:59 UTC
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aee65fdfa0ce1abe59f9f4433f309fda95630e5f commit aee65fdfa0ce1abe59f9f4433f309fda95630e5f Author: Volkmar W. Pogatzki <gentoo@pogatzki.net> AuthorDate: 2023-03-19 14:49:00 +0000 Commit: Miroslav Šulc <fordfrog@gentoo.org> CommitDate: 2023-03-20 07:26:41 +0000 dev-java/snakeyaml: add 2.0 - CVE-2022-1471 - skips 2 classes in META-INF/versions/9 due to https://bugs.gentoo.org/900433 Bug: https://bugs.gentoo.org/883853 Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net> Closes: https://github.com/gentoo/gentoo/pull/30235 Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org> dev-java/snakeyaml/Manifest | 1 + dev-java/snakeyaml/snakeyaml-2.0.ebuild | 76 +++++++++++++++++++++++++++++++++ 2 files changed, 77 insertions(+) Yeah, upstream calls this invalid: https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE-2022-1471 |