Ubuntu.comUB:CVE-2024-3205CVE-2024-3205
A vulnerability was found in yaml libyaml up to 0.2.5 and classified as
critical. Affected by this issue is the function
yaml_emitter_emit_flow_sequence_item of the file
/src/libyaml/src/emitter.c. The manipulation leads to heap-based buffer
overflow. The attack may be launched remotely. The exploit has been
disclosed to the public and may be used. The identifier of this
vulnerability is VDB-259052. NOTE: The vendor was contacted early about
this disclosure but did not respond in any way.
Bugs
- <https://github.com/yaml/libyaml/issues/289>
- <https://github.com/yaml/libyaml/issues/258 (related?)>
Notes
| Author | Note |
|---|---|
| jdstrand | golang-goyaml is a go translation of libyaml and shouldn’t share implementation flaws, but may share design flaws |
| sbeattie | as of 2024-04-15, fix has not landed upstream. |
| mdeslaur | libyaml-libyaml-perl, golang-goyaml, and golang-yaml.v2 are unrelated codebases. This appears to be an issue with the fuzzer, not libyaml itself: https://github.com/yaml/libyaml/issues/258#issuecomment-2058613931 The libyaml project doesn’t think this CVE should be. Marking as not-affected. |
References
drive.google.com/drive/folders/1lwNEs8wqwkUV52f3uQNYMPrxRuXPtGQs?usp=sharing
launchpad.net/bugs/cve/CVE-2024-3205
nvd.nist.gov/vuln/detail/CVE-2024-3205
security-tracker.debian.org/tracker/CVE-2024-3205
vuldb.com/?ctiid.259052
vuldb.com/?id.259052
vuldb.com/?submit.304561
www.cve.org/CVERecord?id=CVE-2024-3205
Related
