Bug 1668108 (CVE-2019-6292) - CVE-2019-6292 yaml-cpp: DoS in singledocparser.cpp
Summary: CVE-2019-6292 yaml-cpp: DoS in singledocparser.cpp
Alias: CVE-2019-6292
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1694684 1676351 1676352 1676353 1678999 1679000 1694670 1694671 1694676 1694683
Blocks: 1665574
TreeView+ depends on / blocked
Reported: 2019-01-21 22:19 UTC by Laura Pardo
Modified: 2021-10-27 03:22 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-10-27 03:22:34 UTC

Attachments (Terms of Use)

Description Laura Pardo 2019-01-21 22:19:50 UTC
An issue was discovered in singledocparser.cpp in yaml-cpp (aka LibYaml-C++) 0.6.2. Stack Exhaustion occurs in YAML::SingleDocParser, and there is a stack consumption problem caused by recursive stack frames: HandleCompactMap, HandleMap, HandleFlowSequence, HandleSequence, HandleNode. Remote attackers could leverage this vulnerability to cause a denial-of-service via a cpp file.


Comment 3 Stefan Cornelius 2019-04-01 11:34:46 UTC
This is very likely a dupe of CVE-2018-20573.

Comment 6 Stefan Cornelius 2019-04-01 11:45:37 UTC
Created yaml-cpp tracking bugs for this issue:

Affects: epel-all [bug 1694684]
Affects: fedora-all [bug 1694683]

Comment 11 Yadnyawalk Tale 2020-08-11 14:37:04 UTC

This issue affects the versions of rh-mongodb32-yaml-cpp, rh-mongodb34-yaml-cpp, and rh-mongodb36-yaml-cpp as shipped with Red Hat Software Collections. However, this is only used to parse configuration files.

Red Hat Satellite 6.5 ship yaml-cpp however has been rated as a security impact of Low, product version Satellite 6.6 onward is not affected. Satellite 6.5 is in Maintenance Support phase of the product life cycle and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 6 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.

Note You need to log in before you can comment on or make changes to this bug.