CVE-2024-35329

2024-06-1100:00:00

ubuntu.com

libyaml 0.2.5

buffer overflow

yaml_document_add_sequence

golang-goyaml

design flaws

poc code

cve-2024-35329

unix

7.2 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

libyaml 0.2.5 is vulnerable to a heap-based Buffer Overflow in
yaml_document_add_sequence in api.c. NOTE: the supplier disputes this
because the finding represents a user error. The problem is that the
application, which was making use of the libyaml library, omitted the
required calls to the yaml_document_initialize and yaml_document_delete
functions.

Bugs

<https://github.com/yaml/libyaml/issues/298>

Notes

Author	Note
jdstrand	golang-goyaml is a go translation of libyaml and shouldn’t share implementation flaws, but may share design flaws
mdeslaur	Per upstream developers, the PoC code is wrong and they will request that the CVE be rejected. Marking as deferred until it is, just to make sure.

OSVersionArchitecturePackageVersionFilename
ubuntu16.04noarchgolang-goyaml< anyUNKNOWN
ubuntu18.04noarchgolang-yaml.v2< anyUNKNOWN
ubuntu20.04noarchgolang-yaml.v2< anyUNKNOWN
ubuntu22.04noarchgolang-yaml.v2< anyUNKNOWN
ubuntu23.10noarchgolang-yaml.v2< anyUNKNOWN
ubuntu24.04noarchgolang-yaml.v2< anyUNKNOWN
ubuntu16.04noarchgolang-yaml.v2< anyUNKNOWN
ubuntu18.04noarchlibyaml< anyUNKNOWN
ubuntu20.04noarchlibyaml< anyUNKNOWN
ubuntu22.04noarchlibyaml< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	16.04	noarch	golang-goyaml	< any	UNKNOWN
ubuntu	18.04	noarch	golang-yaml.v2	< any	UNKNOWN
ubuntu	20.04	noarch	golang-yaml.v2	< any	UNKNOWN
ubuntu	22.04	noarch	golang-yaml.v2	< any	UNKNOWN
ubuntu	23.10	noarch	golang-yaml.v2	< any	UNKNOWN
ubuntu	24.04	noarch	golang-yaml.v2	< any	UNKNOWN
ubuntu	16.04	noarch	golang-yaml.v2	< any	UNKNOWN
ubuntu	18.04	noarch	libyaml	< any	UNKNOWN
ubuntu	20.04	noarch	libyaml	< any	UNKNOWN
ubuntu	22.04	noarch	libyaml	< any	UNKNOWN