Bugzilla – Bug 1226364
VUL-0: CVE-2024-35328: petsc: libyaml: denial of service in yaml_parser_parse of the file /src/libyaml/src/parser.c.
Last modified: 2024-06-19 10:37:36 UTC
+++ This bug was initially created as a clone of Bug #1226341 +++

libyaml v0.2.5 is vulnerable to DDOS. Affected by this issue is the function yaml_parser_parse of the file /src/libyaml/src/parser.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-35328
https://www.cve.org/CVERecord?id=CVE-2024-35328
https://github.com/idhyt/pocs/blob/main/libyaml/CVE-2024-35328.c
https://bugzilla.redhat.com/show_bug.cgi?id=2292339
The 'DDOS' claimed in https://nvd.nist.gov/vuln/detail/CVE-2024-35328 is a bit of a dog-whistle in the context of petsc, as the YAML needs to be passed either in an environment variable or from a file that gets specified on the command line. In this context I'd qualify this as a 'garden variety' bug.

Furthermore, it is not relevant for any enterprise product, as the latest version that has been shipped with SLE 15 (SP3) was 3.14.5. This version is not susceptible, as it requires an external libyaml, which is optional. We haven't enabled it. PETSc has been dropped from SLE since.

The oS:Factory package is hopelessly outdated (3.18.5) and would require updating (current version 3.21.2). It should use an external libyaml which, if the devel package is provided during building, would be auto-detected. An update with the appropriate changes will be made, however with low priority.
Done - used time during meetings. SR#1181550.