[MIR] [mir] yaml-cpp
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
yaml-cpp (Ubuntu) | Fix Released | High | Unassigned | |
Bug Description
[Availability]
Available in the Ubuntu archive and Debian; builds for all architectures.
[Rationale]
yaml-cpp is a new build- and runtime-dependency for Mir.
[Security]
It's a library; installs no binaries, opens no ports, has no daemons.
Has had 2 CVEs in its history, both unfixed (both upstream and in Ubuntu):
https:/
https:/
As far as I can tell they're only DoS risks - the first is an assert() hit on a particular yaml construct, second is stack exhaustion via unbounded recursion on specially crafted input. Neither appears to allow an attacker to do anything other than crash the application using the library.
*Mir* doesn't use this library to parse untrusted input and in any case aborts during startup on failure to parse the configuration so we don't much care about them, but other users might.
(Edit: incorporating comment #2 for the ease of review)
[Quality assurance]
Package has no configuration.
Has no show-stopper bugs; correctly parses all the YAML we've thrown at it, and the upstream bugs are mostly not parse errors but requests for configurations we don't care about, extra features, and the like.
Package ships a test-suite, which is run on build.
Package ships a debian/watch (which does not pick up the most recent upstream release in the Ubuntu package; this is fixed in Salsa git).
[Dependencies]
Build-time dependencies only on libstdc++ and boost; no runtime dependencies outside libstdc++.
[Standards compliance]
Package in Ubuntu is FHS compliant, and meets the (somewhat old) 3.9.8 policy.
[Maintenance]
Dormant in Debian for a while, but Salsa has a package updated to 0.6.2 and modern Standards-Version in git.
*Sigh* I guess I can be the one to maintain it in Ubuntu ☺. Subscribe me up!
[Background information]
A C++ YAML parser. Nothing particularly special.
CVE References
description: updated
Changed in yaml-cpp (Ubuntu):
status: New → Fix Released
Hi,
FYI The current version 0.5.2-4ubuntu2 should be affected by
- https://www.cvedetails.com/cve/CVE-2017-11692/
- https://www.cvedetails.com/cve/CVE-2017-5950/
right?
On security review these might become a requirement to be fixed, so FYI ahead in case you want to fix them.