Bug 1668108 (CVE-2019-6292)

Summary: CVE-2019-6292 yaml-cpp: DoS in singledocparser.cpp
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: apevec, hhorak, jjoyce, jschluet, lhh, lpeer, mburns, sclewis, slinaber
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-27 03:22:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1694684, 1676351, 1676352, 1676353, 1678999, 1679000, 1694670, 1694671, 1694676, 1694683    
Bug Blocks: 1665574    

Description Laura Pardo 2019-01-21 22:19:50 UTC 
An issue was discovered in singledocparser.cpp in yaml-cpp (aka LibYaml-C++) 0.6.2. Stack Exhaustion occurs in YAML::SingleDocParser, and there is a stack consumption problem caused by recursive stack frames: HandleCompactMap, HandleMap, HandleFlowSequence, HandleSequence, HandleNode. Remote attackers could leverage this vulnerability to cause a denial-of-service via a cpp file.


References
https://github.com/jbeder/yaml-cpp/issues/657
Comment 3 Stefan Cornelius 2019-04-01 11:34:46 UTC 
This is very likely a dupe of CVE-2018-20573.
Comment 6 Stefan Cornelius 2019-04-01 11:45:37 UTC 
Created yaml-cpp tracking bugs for this issue:

Affects: epel-all [bug 1694684]
Affects: fedora-all [bug 1694683]
Comment 11 Yadnyawalk Tale 2020-08-11 14:37:04 UTC 
Statement:

This issue affects the versions of rh-mongodb32-yaml-cpp, rh-mongodb34-yaml-cpp, and rh-mongodb36-yaml-cpp as shipped with Red Hat Software Collections. However, this is only used to parse configuration files.

Red Hat Satellite 6.5 ship yaml-cpp however has been rated as a security impact of Low, product version Satellite 6.6 onward is not affected. Satellite 6.5 is in Maintenance Support phase of the product life cycle and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 6 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.