This repository was archived by the owner on May 20, 2025. It is now read-only.
This repository was archived by the owner on May 20, 2025. It is now read-only.
RUSTSEC-2018-0006: Uncontrolled recursion leads to abort in deserialization #127
Closed
Description
Uncontrolled recursion leads to abort in deserialization
| Details | |
|---|---|
| Package | yaml-rust |
| Version | 0.3.5 |
| URL | chyh1990/yaml-rust#109 |
| Date | 2018-09-17 |
| Patched versions | >=0.4.1 |
Affected versions of this crate did not prevent deep recursion while
deserializing data structures.
This allows an attacker to make a YAML file with deeply nested structures
that causes an abort while deserializing it.
The flaw was corrected by checking the recursion depth.
Note: clap 2.33 is not affected by this because it uses yaml-rust
in a way that doesn't trigger the vulnerability. More specifically:
-
The input to the YAML parser is always trusted - is included at compile
time viainclude_str!. -
The nesting level is never deep enough to trigger the overflow in practice
(at most 5).
See advisory page for additional details.
Metadata
Metadata
Assignees
Labels
No labels