Bug 1785376 (CVE-2017-18640) - CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation
Summary: CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a ...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-18640
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1821739 1826310 1841044 1785377
Blocks: 1785379
TreeView+ depends on / blocked
 
Reported: 2019-12-19 19:24 UTC by Guilherme de Almeida Suckevicz
Modified: 2020-06-17 16:34 UTC (History)
31 users (show)

Fixed In Version: snakeyaml 1.26
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-02-14 16:27:51 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:2603 None None None 2020-06-17 16:34:47 UTC

Description Guilherme de Almeida Suckevicz 2019-12-19 19:24:21 UTC
The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Reference:
https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion

Comment 1 Guilherme de Almeida Suckevicz 2019-12-19 19:24:55 UTC
Created snakeyaml tracking bugs for this issue:

Affects: fedora-all [bug 1785377]

Comment 2 Alex Scheel 2019-12-19 22:43:42 UTC
What needs to be done here? Is there a specific patch that needs to be applied?

Upstream's position [0] seems to be that you need to be careful about what inputs you give to snakeyaml. From a snakeyaml packager POV, there's not much we can do if snakeyaml upstream won't fix it and we don't control how packages use snakeyaml downstream or upstream. Would rebasing F30 to 1.25 (like F31 and Rawhide are currently only) suffice, or is there something else required from us? Does 1.25 solve the issue? It isn't immediately clear. 


Otherwise I'm inclined to close the Fedora tracker with WONTFIX and point to the upstream wiki. 


[0]: https://bitbucket.org/asomov/snakeyaml/wiki/Billion%20laughs%20attack

Comment 3 Guilherme de Almeida Suckevicz 2019-12-23 13:59:50 UTC
Since upstream will not fix this issue, I assume that's OK to close this as WONTFIX.
You can wait the analysis from our side for more information.

Comment 4 Marco Benatto 2020-02-14 16:22:53 UTC
According the upstream bug entry, they are not considering this a security vulnerability and are not inclined to fix this issue. Given this scenario this bugwill be closed as WONTFIX.

Comment 5 Marco Benatto 2020-02-14 16:25:53 UTC
Statement:

The snakeyaml's upstream is not considering this a security vulnerability. Their justification is explained on the link contained on 'External References' field.

Comment 6 Marco Benatto 2020-02-14 16:25:57 UTC
External References:

https://bitbucket.org/asomov/snakeyaml/wiki/Billion%20laughs%20attack

Comment 10 errata-xmlrpc 2020-06-17 16:34:44 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 1.3.4

Via RHSA-2020:2603 https://access.redhat.com/errata/RHSA-2020:2603


Note You need to log in before you can comment on or make changes to this bug.