Bugzilla – Bug 1226356
VUL-0: CVE-2024-35325: python-ruamel.yaml.clib: libyaml: double-free in yaml_event_delete in /src/libyaml/src/api.c
Last modified: 2024-07-01 06:40:58 UTC
+++ This bug was initially created as a clone of Bug #1226342 +++ A vulnerability was found in libyaml up to 0.2.5. Affected by this issue is the function yaml_event_delete of the file /src/libyaml/src/api.c. The manipulation leads to a double-free. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-35325 https://www.cve.org/CVERecord?id=CVE-2024-35325 https://github.com/idhyt/pocs/blob/main/libyaml/CVE-2024-35325.c https://bugzilla.redhat.com/show_bug.cgi?id=2292350
See bug #1226342 for a reference link which is the upstream GitHub issue where this possible vulnerability is being discussed.
Possibly not a bug, upstream discussion can be found here: https://github.com/yaml/libyaml/issues/298
The code snippet uses the API in a wrong way, calling yaml_event_delete which shouldn't be called. The correct usage is documented here: https://pyyaml.org/wiki/LibYAML In the emitter example there is no usage of yaml_event_delete. yaml_emitter_delete will delete the events itself. See the discussion here: https://github.com/yaml/libyaml/issues/297 I've reviewed the embed code in the package and is not affected at all because it is using the API in the correct way.