Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 776796 (CVE-2017-18640) - <dev-java/snakeyaml-1.28: billion laughs DoS (CVE-2017-18640)
Summary: <dev-java/snakeyaml-1.28: billion laughs DoS (CVE-2017-18640)
Status: IN_PROGRESS
Alias: CVE-2017-18640
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bitbucket.org/asomov/snakeyam...
Whiteboard: B3 [glsa?]
Keywords: PullRequest
Depends on: 780663
Blocks:
  Show dependency tree
 
Reported: 2021-03-17 03:08 UTC by John Helmert III
Modified: 2021-10-27 02:02 UTC (History)
3 users (show)

See Also:
Package list:
dev-java/snakeyaml-1.28-r1 amd64 x86 dev-java/joda-time-2.10.10-r1 amd64
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-17 03:08:37 UTC
CVE-2017-18640:

The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Patch: https://bitbucket.org/asomov/snakeyaml/commits/da11ddbd91c1f8392ea932b37fa48110fa54ed8c

Patch appears to only be included in 1.26 onward, contradicting the CVE
description, so needs bump to at least 1.26.
Comment 1 Larry the Git Cow gentoo-dev 2021-04-06 11:05:12 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe6324607afad6e952b57747c3297a6b5d69ffbd

commit fe6324607afad6e952b57747c3297a6b5d69ffbd
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-03-28 21:13:13 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-06 10:44:28 +0000

    dev-java/snakeyaml: bump to 1.28 (CVE-2017-18640)
    
    Closes: https://bugs.gentoo.org/776796
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/20176
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/snakeyaml/Manifest              |  1 +
 dev-java/snakeyaml/snakeyaml-1.28.ebuild | 86 ++++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-06 12:51:53 UTC
Please stabilize when ready.
Comment 3 NATTkA bot gentoo-dev 2021-04-06 12:52:29 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-04-10 08:24:21 UTC Comment hidden (obsolete)
Comment 5 Thomas Deutschmann gentoo-dev 2021-04-11 00:14:25 UTC
x86 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2021-04-15 19:41:06 UTC
ppc64 stable
Comment 7 NATTkA bot gentoo-dev 2021-04-16 13:55:46 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-04-16 13:57:15 UTC Comment hidden (obsolete)
Comment 9 Miroslav Šulc gentoo-dev 2021-04-16 14:05:41 UTC
sorry, i accidentally removed a slot of commons-lang that i thought is not used anymore.
Comment 10 NATTkA bot gentoo-dev 2021-04-26 15:20:25 UTC Comment hidden (obsolete)
Comment 11 Andreas Sturmlechner gentoo-dev 2021-05-15 18:58:31 UTC
(In reply to Miroslav Šulc from comment #9)
> sorry, i accidentally removed a slot of commons-lang that i thought is not
> used anymore.
I assume this was "fixed" in commit c16e45c8. Then please in the future make sure that no arches are missing in CC.
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-16 12:38:37 UTC
amd64 done
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-16 12:39:14 UTC
x86 done

all arches done
Comment 14 Larry the Git Cow gentoo-dev 2021-05-16 18:02:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=94b45e9356226bb3b5b7d8c3c6d71f69d8390fb0

commit 94b45e9356226bb3b5b7d8c3c6d71f69d8390fb0
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-05-16 18:01:39 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-05-16 18:01:39 +0000

    dev-java/snakeyaml: removed obsolete and vulnerable 1.16
    
    Bug: https://bugs.gentoo.org/776796
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/snakeyaml/Manifest              |  1 -
 dev-java/snakeyaml/snakeyaml-1.16.ebuild | 50 --------------------------------
 2 files changed, 51 deletions(-)
Comment 15 Miroslav Šulc gentoo-dev 2021-05-16 18:04:48 UTC
the tree is clean now, you can proceed
Comment 16 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-18 01:42:22 UTC
Thanks!