CVE-2024-3205
Published: 2 April 2024
A vulnerability was found in yaml libyaml up to 0.2.5 and classified as critical. Affected by this issue is the function yaml_emitter_emit_flow_sequence_item of the file /src/libyaml/src/emitter.c. The manipulation leads to heap-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259052. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Notes
Author | Note |
---|---|
jdstrand | golang-goyaml is a go translation of libyaml and shouldn't share implementation flaws, but may share design flaws |
sbeattie | as of 2024-04-15, fix has not landed upstream. |
mdeslaur | libyaml-libyaml-perl, golang-goyaml, and golang-yaml.v2 are unrelated codebases. This appears to be an issue with the fuzzer, not libyaml itself: https://github.com/yaml/libyaml/issues/258#issuecomment-2058613931 The libyaml project doesn't think this CVE should be. Marking as not-affected. |
Priority
Status
Package | Release | Status |
---|---|---|
golang-goyaml Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Not vulnerable
|
|
golang-yaml.v2 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
focal |
Not vulnerable
|
|
jammy |
Not vulnerable
|
|
mantic |
Not vulnerable
|
|
noble |
Not vulnerable
|
|
upstream |
Needs triage
|
|
xenial |
Not vulnerable
|
|
libyaml Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
focal |
Not vulnerable
|
|
jammy |
Not vulnerable
|
|
mantic |
Not vulnerable
|
|
noble |
Not vulnerable
|
|
trusty |
Not vulnerable
|
|
upstream |
Needs triage
|
|
xenial |
Not vulnerable
|
|
Patches: upstream: https://github.com/yaml/libyaml/pull/259 upstream: https://github.com/yaml/libyaml/pull/290 |
||
libyaml-libyaml-perl Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
focal |
Not vulnerable
|
|
jammy |
Not vulnerable
|
|
mantic |
Not vulnerable
|
|
noble |
Not vulnerable
|
|
upstream |
Needs triage
|
|
xenial |
Not vulnerable
|