Bugzilla – Bug 1226352
VUL-0: CVE-2024-35328: python-ruamel.yaml: libyaml: denial of service in yaml_parser_parse of the file /src/libyaml/src/parser.c.
Last modified: 2024-07-01 06:40:34 UTC
+++ This bug was initially created as a clone of Bug #1226341 +++

libyaml v0.2.5 is vulnerable to DDOS. Affected by this issue is the function yaml_parser_parse of the file /src/libyaml/src/parser.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-35328
https://www.cve.org/CVERecord?id=CVE-2024-35328
https://github.com/idhyt/pocs/blob/main/libyaml/CVE-2024-35328.c
https://bugzilla.redhat.com/show_bug.cgi?id=2292339
See bug #1226341 for a reference link which is the upstream GitHub issue where this possible vulnerability is being discussed.
Possibly not a bug, upstream discussion can be found here: https://github.com/yaml/libyaml/issues/298
The code snippet uses the API in a wrong way, calling yaml_parser_parse without initializing the parser with yaml_parser_initialize. The correct usage is documented here: https://pyyaml.org/wiki/LibYAML

I've reviewed the embedded code in the package and it is not affected at all because it is using the API in the correct way. The parser class initializes the internal yaml parser in the constructor before any usage.