Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: CVE-2024-35328: petsc: libyaml: denial of service in yaml_parser_parse of the file /src/libyaml/src/parser.c. | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE Distribution | Reporter: | Camila Camargo de Matos <camila.matos> |
| Component: | Security | Assignee: | Security Team bot <security-team> |
| Status: | REOPENED --- | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P4 - Low | CC: | camila.matos, security-team, smash_bz |
| Version: | Leap 15.6 | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/410659/ | | |
| Whiteboard: | | | |
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 1226341 | | |

Description
Camila Camargo de Matos
2024-06-14 14:23:57 UTC
The 'DDOS' claimed in https://nvd.nist.gov/vuln/detail/CVE-2024-35328 is a bit of a dog-whistle in the context of petsc as the YAML needs to be passed either in an environment variable or from a file that gets specified on the command line. In the context of this I'd qualify this as a 'garden variety' bug. Furthermore, it is not relevant for any enterprise product as the latest version that has been shipped with SLE 15 (SP3) was 3.14.5. This version is not susceptible as it requires an external libyaml which is optional. We haven't enabled it. PETSc has been dropped from SLE since. The oS:Factory package is hopelessly outdated (3.18.5) and would require updating (current version 3.21.2). It should use an external libyaml which - if the devel package is provided during building - would be auto-detected. An update with the appropriate changes will be made, however with low priority. Done - used time during meetings. SR#1181550.