Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 868621 (CVE-2022-38749, CVE-2022-38750, CVE-2022-38751, CVE-2022-38752) - <dev-java/snakeyaml-1.33: multiple vulnerabilities
Summary: <dev-java/snakeyaml-1.33: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2022-38749, CVE-2022-38750, CVE-2022-38751, CVE-2022-38752
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords: PullRequest
Depends on: 875794
Blocks:
  Show dependency tree
 
Reported: 2022-09-05 16:50 UTC by John Helmert III
Modified: 2022-10-21 17:43 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-05 16:50:31 UTC
CVE-2022-38749 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47024):
https://bitbucket.org/snakeyaml/snakeyaml/issues/525/got-stackoverflowerror-for-many-open

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

CVE-2022-38750 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027):
https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

CVE-2022-38751 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039):
https://bitbucket.org/snakeyaml/snakeyaml/issues/530/stackoverflow-oss-fuzz-47039

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

CVE-2022-38752 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47081):
https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.

First two are fixed in 1.31, second two are unfixed.
Comment 1 Larry the Git Cow gentoo-dev 2022-09-06 08:20:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=27e3c02d10c1eae2bf8489ed83252520868d3c9d

commit 27e3c02d10c1eae2bf8489ed83252520868d3c9d
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-09-05 18:08:26 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2022-09-06 08:20:19 +0000

    dev-java/snakeyaml: add 1.31
    
    Bug: https://bugs.gentoo.org/868621
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/26872
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 dev-java/snakeyaml/Manifest              |  1 +
 dev-java/snakeyaml/snakeyaml-1.31.ebuild | 86 ++++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2022-10-03 07:55:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ebf583e5509c4abe3b6af74710eddf02c54376d8

commit ebf583e5509c4abe3b6af74710eddf02c54376d8
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-09-19 08:36:30 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2022-10-03 07:53:40 +0000

    dev-java/snakeyaml: add 1.33 CVE-2022-3875{1,2}
    
    Bug: https://bugs.gentoo.org/868621
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 dev-java/snakeyaml/Manifest              |  1 +
 dev-java/snakeyaml/snakeyaml-1.33.ebuild | 74 ++++++++++++++++++++++++++++++++
 2 files changed, 75 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2022-10-12 20:02:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=010dc6c07ddc9a929644b88c8247d78ffea52452

commit 010dc6c07ddc9a929644b88c8247d78ffea52452
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-10-12 19:43:51 +0000
Commit:     Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2022-10-12 20:02:05 +0000

    dev-java/snakeyaml: drop 1.30-r1
    
    Bug: https://bugs.gentoo.org/868621
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 dev-java/snakeyaml/Manifest                        |  1 -
 .../files/snakeyaml-1.30-fix-test-check.patch      | 18 -----
 dev-java/snakeyaml/snakeyaml-1.30-r1.ebuild        | 91 ----------------------
 3 files changed, 110 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-15 14:10:20 UTC
(In reply to John Helmert III from comment #0)
> CVE-2022-38749 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47024):
> https://bitbucket.org/snakeyaml/snakeyaml/issues/525/got-stackoverflowerror-
> for-many-open
> 
> Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of
> Service attacks (DOS). If the parser is running on user supplied input, an
> attacker may supply content that causes the parser to crash by stackoverflow.
> 
> CVE-2022-38750 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027):
> https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-
> 47027
> 
> Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of
> Service attacks (DOS). If the parser is running on user supplied input, an
> attacker may supply content that causes the parser to crash by stackoverflow.
> 
> CVE-2022-38751 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039):
> https://bitbucket.org/snakeyaml/snakeyaml/issues/530/stackoverflow-oss-fuzz-
> 47039
> 
> Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of
> Service attacks (DOS). If the parser is running on user supplied input, an
> attacker may supply content that causes the parser to crash by stackoverflow.
> 
> CVE-2022-38752 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47081):
> https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-
> 47081
> 
> Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of
> Service attacks (DOS). If the parser is running on user supplied input, an
> attacker may supply content that causes the parser to crash by
> stack-overflow.
> 
> First two are fixed in 1.31, second two are unfixed.

According to:

https://bitbucket.org/snakeyaml/snakeyaml/issues/530/stackoverflow-oss-fuzz-47039
https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081

Fixes should be in 1.33
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-21 17:43:08 UTC
GLSA request filed