CVE-2024-35329
Published: 11 June 2024
** DISPUTED ** libyaml 0.2.5 is vulnerable to a heap-based Buffer Overflow in yaml_document_add_sequence in api.c. NOTE: the supplier disputes this because the finding represents a user error. The problem is that the application, which was making use of the libyaml library, omitted the required calls to the yaml_document_initialize and yaml_document_delete functions.
Notes
| Author | Note |
|---|---|
| jdstrand |
golang-goyaml is a go translation of libyaml and shouldn't share implementation flaws, but may share design flaws |
| mdeslaur |
Per upstream developers, the PoC code is wrong and they will request that the CVE be rejected. This has now been rejected, marking as not-affected |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
golang-goyaml
Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
| jammy |
Does not exist
|
|
| mantic |
Does not exist
|
|
| noble |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Not vulnerable
|
|
|
golang-yaml.v2
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| mantic |
Ignored
(end of life, was deferred [2024-06-19])
|
|
| noble |
Not vulnerable
|
|
| upstream |
Needs triage
|
|
| xenial |
Not vulnerable
|
|
|
libyaml
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| mantic |
Ignored
(end of life, was deferred [2024-06-19])
|
|
| noble |
Not vulnerable
|
|
| trusty |
Not vulnerable
|
|
| upstream |
Needs triage
|
|
| xenial |
Not vulnerable
|
|
|
libyaml-libyaml-perl
Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| mantic |
Ignored
(end of life, was deferred [2024-06-19])
|
|
| noble |
Not vulnerable
|
|
| upstream |
Needs triage
|
|
| xenial |
Not vulnerable
|