Bug#1030046: Document snakeyaml security expectations

Moritz Muehlenhoff jmm at debian.org
Mon Jan 30 17:44:51 GMT 2023


Source: snakeyaml
Version: 1.33-1
Severity: important

Google's oss-fuzz found various cases where snakeyaml triggers an exception
on malformed YAML input. These end up blindly being picked up by various
security web sites (since CVE IDs were assigned).

This is causing lots of overhead/annoyance for the upstream developers
(as voiced in https://bitbucket.org/snakeyaml/snakeyaml/issues/551/snakeyaml-cves-from-oss-fuzz)
and they released https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md
to document expectations.

Could we please add a README.Debian.security with something like the following
to make this also visible to users?

----
Note that snakeyaml isn't designed to operate on YAML data coming from untrusted
sources; in such cases you need to apply sanitising/exception handling yourself.

Please see https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md
for additional information.
----

Cheers,
        Moritz
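The README text above says that a caller feeding snakeyaml untrusted input has to do the sanitising and exception handling itself; the following is an added example of what that looks like against the snakeyaml 1.33 API. It is not part of this bug report, of the proposed README, or of the snakeyaml project. It assumes the LoaderOptions setters named here (setMaxAliasesForCollections, setAllowRecursiveKeys, setCodePointLimit, setNestingDepthLimit) are present in the packaged version, that the limit values shown are application choices rather than recommendations from upstream, and that the class name UntrustedYamlLoader, the RejectedYamlException wrapper and the sample documents in main() are all constructed for this illustration.

```java
// Added example, not from the bug report or the snakeyaml project.
// Loads YAML from an untrusted source with snakeyaml 1.33: standard types
// only, resource limits set, and every parser exception turned into one
// "document rejected" outcome for the caller.
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public final class UntrustedYamlLoader {

    /** Hypothetical wrapper: the only exception callers of load() ever see. */
    public static final class RejectedYamlException extends Exception {
        RejectedYamlException(String msg, Throwable cause) { super(msg, cause); }
    }

    private static final int MAX_DOCUMENT_CHARS = 64 * 1024; // limit chosen for this example

    private final Yaml yaml;

    public UntrustedYamlLoader() {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowRecursiveKeys(false);     // reject keys that reference themselves
        opts.setMaxAliasesForCollections(5);   // cap alias expansion ("billion laughs")
        opts.setCodePointLimit(MAX_DOCUMENT_CHARS); // cap input size inside the parser
        opts.setNestingDepthLimit(20);         // cap nesting depth (values are example choices)
        // SafeConstructor builds only the standard YAML types (maps, lists, scalars);
        // a global tag such as !!some.java.Class is rejected instead of instantiated.
        this.yaml = new Yaml(new SafeConstructor(opts));
    }

    /** Parses one untrusted document whose top level must be a mapping. */
    public Map<String, Object> load(String untrustedDocument) throws RejectedYamlException {
        if (untrustedDocument == null || untrustedDocument.length() > MAX_DOCUMENT_CHARS) {
            throw new RejectedYamlException("document missing or too large", null);
        }
        final Object root;
        try {
            root = yaml.load(untrustedDocument);
        } catch (YAMLException e) {
            // Scanner, parser, composer and constructor errors on malformed or
            // disallowed input all derive from YAMLException. They are the expected
            // result for bad input, which is what the README text above is saying.
            throw new RejectedYamlException("malformed or disallowed YAML", e);
        } catch (RuntimeException | StackOverflowError e) {
            // Defensive catch-all so that anything else the parser throws on hostile
            // input still means "reject the document" rather than crashing the caller.
            throw new RejectedYamlException("YAML could not be processed", e);
        }
        if (!(root instanceof Map)) {
            throw new RejectedYamlException("top-level value must be a mapping", null);
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> map = (Map<String, Object>) root;
        return map;
    }

    public static void main(String[] args) {
        UntrustedYamlLoader loader = new UntrustedYamlLoader();
        // Constructed sample inputs for this example.
        String[] samples = {
            "name: demo\nports: [80, 443]\n",                       // well-formed, accepted
            "name: demo\nports: [80, 443\n",                        // malformed: unclosed sequence
            "a: &x [1, 2]\nb: [*x, *x, *x, *x, *x, *x]\n",           // six aliases, limit is five
            "obj: !!javax.script.ScriptEngineManager []\n",         // global tag, refused by SafeConstructor
        };
        for (String doc : samples) {
            try {
                System.out.println("accepted: " + loader.load(doc));
            } catch (RejectedYamlException e) {
                String cause = e.getCause() == null ? "" : " (" + e.getCause().getClass().getSimpleName() + ")";
                System.out.println("rejected: " + e.getMessage() + cause);
            }
        }
    }
}
```

The point of the wrapper is that a malformed, oversized or alias-heavy document is an ordinary, handled input error at the application boundary; the exceptions snakeyaml raises on such input are the mechanism the caller is expected to use, not a defect to report.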

More information about the pkg-java-maintainers mailing list