CVE-2024-3205

Published: 2 April 2024

A vulnerability was found in yaml libyaml up to 0.2.5 and classified as critical. Affected by this issue is the function yaml_emitter_emit_flow_sequence_item of the file /src/libyaml/src/emitter.c. The manipulation leads to heap-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259052. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Notes

golang-goyaml is a go translation of libyaml and shouldn't share
implementation flaws, but may share design flaws

as of 2024-04-15, fix has not landed upstream.

libyaml-libyaml-perl, golang-goyaml, and golang-yaml.v2 are
unrelated codebases.

This appears to be an issue with the fuzzer, not libyaml itself:
https://github.com/yaml/libyaml/issues/258#issuecomment-2058613931

The libyaml project doesn't think this CVE should be. Marking as
not-affected.

Status

References

• https://vuldb.com/?id.259052
• https://vuldb.com/?ctiid.259052
• https://vuldb.com/?submit.304561
• https://drive.google.com/drive/folders/1lwNEs8wqwkUV52f3uQNYMPrxRuXPtGQs?usp=sharing
• https://www.cve.org/CVERecord?id=CVE-2024-3205
• NVD
• Launchpad
• Debian

Bugs

• https://github.com/yaml/libyaml/issues/289
• https://github.com/yaml/libyaml/issues/258 (related?)