Bottles before 51.0 mishandles YAML load, which allows remote code execution via a crafted file.

Description of the problem from the GitHub page:

"The vulnerability arises from multiple potential exploitation vectors related to the YAML load function. The most probable method of exploitation is through the importation of a carefully crafted YAML file. This file can take the form of an archive tarball, a YAML configuration file, or a custom environment recipe. Additionally, there is a risk of remote code execution when an attacker gains control over the repository mirror."
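The unsafe-loader pattern behind this CVE, beside the hardened form, as an added example that is not Bottles' own code. It assumes PyYAML is installed; the config text is constructed for the demo and uses posixpath.join as a benign, deterministic stand-in for the os.system or subprocess call a real payload would name.

```python
import yaml

# Constructed sample: a "bottle" config such as a user might import, with an
# attacker-controlled value carrying a PyYAML python/object/apply tag.
# posixpath.join is a benign, deterministic stand-in; a real payload would name
# os.system or subprocess.check_output with a shell command as its argument.
CRAFTED_CONFIG = """\
Name: innocent-bottle
Runner: !!python/object/apply:posixpath.join ["/tmp", "pwned"]
"""


def load_unsafe(text: str):
    """Vulnerable pattern: yaml.Loader honours !!python/* tags, so the tagged
    node is resolved by importing posixpath and calling join() during load."""
    return yaml.load(text, Loader=yaml.Loader)


def load_safe(text: str):
    """Hardened pattern: safe_load only builds plain scalars, lists and dicts
    and rejects any python-specific tag with a ConstructorError."""
    return yaml.safe_load(text)


def demo():
    """Return (value produced by the unsafe load, whether safe_load refused it)."""
    unsafe_value = load_unsafe(CRAFTED_CONFIG)["Runner"]
    try:
        load_safe(CRAFTED_CONFIG)
        refused = False
    except yaml.YAMLError:  # ConstructorError is a YAMLError subclass
        refused = True
    return unsafe_value, refused


if __name__ == "__main__":
    value, refused = demo()
    print(f"unsafe loader called posixpath.join -> {value!r}")
    print(f"safe_load refused the document: {refused}")
```

Every vector named in the description (archive tarball, config file, environment recipe, mirror-served data) ends in the same load call, so replacing that one call with safe_load closes all of them. yaml.FullLoader is not an equivalent fix: older PyYAML releases had bypasses of its tag restrictions, while SafeLoader never resolves python tags at all.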
Created bottles tracking bugs for this issue: Affects: fedora-all [bug 2210445]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
FEDORA-2023-328397d034 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.