Bug#1019218: snakeyaml: CVE-2022-25857

Salvatore Bonaccorso carnil at debian.org
Wed Sep 28 16:41:34 BST 2022


Hi Tony

Thanks for the update.

On Wed, Sep 28, 2022 at 08:30:07AM -0700, tony mancill wrote:
> On Tue, Sep 27, 2022 at 05:41:21PM +0200, Salvatore Bonaccorso wrote:
> > > snakeyaml 1.31 has been uploaded to unstable.  I will start work on
> > > 1.33, which addresses other non-DSA CVEs [1].
> 
> Hello Salvatore,
> 
> After reviewing the remaining CVEs more closely, I believe I missed
> documenting CVE-2022-38749 as resolved by the 1.31 upload.
> 
> CVE-2022-38749
> 
> https://nvd.nist.gov/vuln/detail/CVE-2022-38749 states that the issue
> exists in versions up to (excluding) 1.31, implying that it was addressed
> in 1.30.
> 
> The state of CVE-2022-38752 is more nuanced.
> 
> CVE-2022-38752
> 
> https://nvd.nist.gov/vuln/detail/CVE-2022-38752 states that the issue
> exists in versions up to (excluding) 1.32, implying that it was addressed
> in 1.31.  However, upstream [1] claims this as a false-positive and
> has addressed it by adding a unit-test [2] in 1.32.
> 
> Therefore, I don't believe version 1.31 is actually impacted.  However,
> in order to keep the security scanners happy and because upstream has
> done a lot of code reformatting between 1.31 and 1.33 (which would make
> porting future patches more difficult), I still intend to update to 1.33 after
> completing the usual vetting (r-deps build, japi-compliance-checker
> check, etc.)

We have to actually be quite cautious about the CVE descriptions. They
might not accurately describe the affected versions and often only
reflect a given point in time. Not mentioning a version as affected
might just mean that the version was not yet released, or there may be
other reasons. So when evaluating a CVE we can take hints from the
descriptions but should never rely on them; instead we investigate
based on the source, issues, reports, etc.

That said, thanks for the above information; I will try to look at it
and, as needed, update the tracker accordingly.

Thank you!

Regards,
Salvatore
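The confusion in the thread comes from how NVD's "up to (excluding) X" ranges map onto concrete package versions: in NVD's CPE match data that phrase corresponds to a versionEndExcluding bound, so version X itself is outside the affected range (the fix landed in X, not in X minus one). The following is an added example, not code from the thread, from Debian's tracker tooling, or from NVD: it evaluates the four optional NVD bounds (versionStartIncluding, versionStartExcluding, versionEndIncluding, versionEndExcluding) against a dotted package version. The cpeMatch entries are constructed to mirror only what the message reports NVD as stating for CVE-2022-38749 and CVE-2022-38752; they are illustrative input, not copies of the NVD records. As Salvatore's caveat says, the result is the hint the description gives, not a verdict: the thread itself notes that upstream treats CVE-2022-38752 as a false positive for 1.31 even though NVD's range covers it.

```python
"""NVD-style version-range check (added example; constructed data)."""


def parse_version(v: str) -> tuple:
    """Split a dotted version ('1.31', '1.33') into a comparable tuple.

    Numeric components compare numerically, so '1.31' > '1.4'.  A
    non-numeric component is tagged so that comparing it against a
    number does not raise; this is a deliberate simplification, not a
    full Debian or Maven version comparison.
    """
    parts = []
    for piece in v.split("."):
        if piece.isdigit():
            parts.append((0, int(piece)))
        else:
            parts.append((1, piece))
    return tuple(parts)


def in_range(version: str, match: dict) -> bool:
    """Apply NVD's four optional bounds to one version.

    Key names follow the NVD API cpeMatch fields.  A missing bound is
    unbounded on that side.  Note the asymmetry that caused the mix-up
    in the thread: versionEndExcluding '1.31' does NOT cover 1.31.
    """
    v = parse_version(version)
    if "versionStartIncluding" in match and v < parse_version(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and v <= parse_version(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and v > parse_version(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and v >= parse_version(match["versionEndExcluding"]):
        return False
    return True


def affected_cves(version: str, ranges: dict) -> list:
    """Return the CVE ids whose recorded range still covers `version`.

    This only reports what the range data claims; whether the code is
    really affected has to be confirmed against the source and upstream
    issues, as the thread points out.
    """
    return [
        cve
        for cve, matches in ranges.items()
        if any(m.get("vulnerable", True) and in_range(version, m) for m in matches)
    ]


# Constructed entries mirroring the ranges quoted in the message:
# CVE-2022-38749 "up to (excluding) 1.31", CVE-2022-38752 "up to (excluding) 1.32".
SNAKEYAML_RANGES = {
    "CVE-2022-38749": [{"vulnerable": True, "versionEndExcluding": "1.31"}],
    "CVE-2022-38752": [{"vulnerable": True, "versionEndExcluding": "1.32"}],
}


if __name__ == "__main__":
    for ver in ("1.30", "1.31", "1.33"):
        print(ver, affected_cves(ver, SNAKEYAML_RANGES))
```

Running it shows 1.30 covered by both ranges, 1.31 covered only by the CVE-2022-38752 range, and 1.33 by neither, which is the reading of the NVD data that matches the thread's decision to move to 1.33 to keep scanners quiet.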


