Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 626662 (CVE-2017-11692) - <dev-cpp/yaml-cpp-0.6.3-r2: DoS (assertion failure and application exit) via a '!2' string
Summary: <dev-cpp/yaml-cpp-0.6.3-r2: DoS (assertion failure and application exit) via ...
Status: RESOLVED FIXED
Alias: CVE-2017-11692
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://www.secnews24.com/2017/07/30/...
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on: 713464
Blocks:
  Show dependency tree
 
Reported: 2017-07-30 20:14 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2020-07-27 02:29 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-30 20:14:23 UTC
From URL:

Description: The function “Token& Scanner::peek” in scanner.cpp in yaml-cpp 0.5.3 and earlier allows remote attackers to cause a denial of service (assertion failure and application exit) via a ‘!2’ string.
Comment 1 Aleksandr Wagner (Kivak) 2017-10-31 18:15:48 UTC
The Github issue report is here https://github.com/jbeder/yaml-cpp/issues/519, for future reference.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2019-04-27 18:00:23 UTC
The function "Token& Scanner::peek" in scanner.cpp in yaml-cpp 0.5.3 and earlier allows remote attackers to cause a denial of service (assertion failure and application exit) via a '!2' string.

RedHat states they will not fix:
https://access.redhat.com/security/cve/cve-2017-11692

Maintainers, please take a look and provide your opinion. This has been around for a while and we need to decide what to do with it.
Comment 3 Johannes Huber gentoo-dev 2020-01-26 18:10:32 UTC
Upstream seems not to care. If no reverse dep would be there I would be last rite it. On the other hand it is a minor issue.
Comment 4 Sam James archtester gentoo-dev Security 2020-03-16 19:40:14 UTC
(In reply to Johannes Huber from comment #3)
> Upstream seems not to care. If no reverse dep would be there I would be last
> rite it. On the other hand it is a minor issue.

Patch: https://github.com/jbeder/yaml-cpp/commit/c9460110e072df84b7dee3eb651f2ec5df75fb18

@maintainer(s): ok to create a new ebuild with this?
Comment 5 Larry the Git Cow gentoo-dev 2020-03-20 11:37:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f506b95e837aebf001b41ed1bcd19bda82d3ee47

commit f506b95e837aebf001b41ed1bcd19bda82d3ee47
Author:     Johannes Huber <johu@gentoo.org>
AuthorDate: 2020-03-20 11:35:37 +0000
Commit:     Johannes Huber <johu@gentoo.org>
CommitDate: 2020-03-20 11:36:48 +0000

    dev-cpp/yaml-cpp: Fix CVE-2017-11692
    
    Bug: https://bugs.gentoo.org/626662
    Thanks-to: sam_c (Security Padawan) <sam@cmpct.info>
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Johannes Huber <johu@gentoo.org>

 .../files/yaml-cpp-0.6.3-CVE-2017-11692.patch      | 44 ++++++++++++++++++++
 dev-cpp/yaml-cpp/yaml-cpp-0.6.3-r2.ebuild          | 48 ++++++++++++++++++++++
 2 files changed, 92 insertions(+)
Comment 6 NATTkA bot gentoo-dev 2020-04-12 19:31:29 UTC
Unable to check for sanity:

> dependent bug #713464 is missing keywords
Comment 7 NATTkA bot gentoo-dev 2020-04-13 14:41:53 UTC
Resetting sanity check; package list is empty or all packages are done.
Comment 8 Sam James archtester gentoo-dev Security 2020-06-20 16:02:02 UTC
@maintainer(s), please cleanup
Comment 9 Sam James archtester gentoo-dev Security 2020-07-26 16:15:33 UTC
GLSA vote: yes
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2020-07-26 23:49:34 UTC
This issue was resolved and addressed in
 GLSA 202007-14 at https://security.gentoo.org/glsa/202007-14
by GLSA coordinator Sam James (sam_c).
Comment 11 Sam James archtester gentoo-dev Security 2020-07-27 01:14:48 UTC
(In reply to GLSAMaker/CVETool Bot from comment #10)
> This issue was resolved and addressed in
>  GLSA 202007-14 at https://security.gentoo.org/glsa/202007-14
> by GLSA coordinator Sam James (sam_c).

Reopening for cleanup.
Comment 12 Larry the Git Cow gentoo-dev 2020-07-27 02:27:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df25aa0798f692e44a99922e9a27d013fafc0bd7

commit df25aa0798f692e44a99922e9a27d013fafc0bd7
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-07-19 22:32:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-27 02:18:14 +0000

    dev-cpp/yaml-cpp: Cleanup <0.6.3-r2
    
    Bug: https://bugs.gentoo.org/626662
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/16622
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-cpp/yaml-cpp/Manifest                          |  1 -
 .../files/yaml-cpp-0.6.2-CVE-2017-5950.patch       | 45 --------------
 .../files/yaml-cpp-0.6.2-unbundle-gtest.patch      | 70 ----------------------
 dev-cpp/yaml-cpp/yaml-cpp-0.6.2.ebuild             | 42 -------------
 dev-cpp/yaml-cpp/yaml-cpp-0.6.3-r1.ebuild          | 45 --------------
 5 files changed, 203 deletions(-)