Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 883853 (CVE-2022-1471) - dev-java/snakeyaml: remote code execution via unsafe deserialization
Summary: dev-java/snakeyaml: remote code execution via unsafe deserialization
Status: RESOLVED INVALID
Alias: CVE-2022-1471
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://github.com/google/security-re...
Whiteboard: B1 [upstream]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2022-12-01 18:06 UTC by John Helmert III
Modified: 2023-04-19 04:41 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-01 18:06:59 UTC
CVE-2022-1471:

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization.

Not sure we can do anything with no fixed version, mitigation will have to be done in consumers.
Comment 1 Larry the Git Cow gentoo-dev 2023-03-20 07:26:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aee65fdfa0ce1abe59f9f4433f309fda95630e5f

commit aee65fdfa0ce1abe59f9f4433f309fda95630e5f
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-03-19 14:49:00 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-03-20 07:26:41 +0000

    dev-java/snakeyaml: add 2.0 - CVE-2022-1471
    
    - skips 2 classes in META-INF/versions/9 due to https://bugs.gentoo.org/900433
    
    Bug: https://bugs.gentoo.org/883853
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/30235
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/snakeyaml/Manifest             |  1 +
 dev-java/snakeyaml/snakeyaml-2.0.ebuild | 76 +++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-19 04:41:55 UTC
Yeah, upstream calls this invalid: https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE-2022-1471