libyaml 0.2.5 is vulnerable to a heap-based Buffer Overflow in
yaml_document_add_sequence in api.c. NOTE: the supplier disputes this
because the finding represents a user error. The problem is that the
application, which was making use of the libyaml library, omitted the
required calls to the yaml_document_initialize and yaml_document_delete
functions.
Bugs
Notes
Author |
Note |
jdstrand |
golang-goyaml is a go translation of libyaml and shouldn’t share implementation flaws, but may share design flaws |
mdeslaur |
Per upstream developers, the PoC code is wrong and they will request that the CVE be rejected. Marking as deferred until it is, just to make sure. |