Bug 1159488 (CVE-2017-18640)

Summary:	VUL-0: CVE-2017-18640: snakeyaml: The Alias feature allows entity expansion during a load operation
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Alexandros Toptsoglou <atoptsoglou>
Component:	Incidents	Assignee:	Security Team bot <security-team>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	fstrba, gianluca.gabrielli, pmonrealgonzalez, postadal, rpm, smash_bz
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/248814/
Whiteboard:	CVSSv3.1:SUSE:CVE-2017-18640:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Alexandros Toptsoglou 2019-12-18 16:49:30 UTC

CVE-2017-18640

The Alias feature in SnakeYAML 1.18 allows entity expansion during a load
operation, a related issue to CVE-2003-1564.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18640
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18640.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640
https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion
https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.25/usages

Comment 1 Pedro Monreal Gonzalez 2020-01-03 08:55:43 UTC

According to [0], upstream is not inclined to fix this and they point the user to be careful about the input, see [1]. This was addressed in the past and the test src/test/java/org/yaml/snakeyaml/issues/issue377/ReferencesTest.java was then introduced, see commit [2]. I would be inclined to close this as wontfix.

[0] https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion

[1] https://bitbucket.org/asomov/snakeyaml/wiki/Billion%20laughs%20attack

[2] https://bitbucket.org/asomov/snakeyaml/commits/04378d05777d21d114a9cdc24976ad49c8919222

Comment 2 Alexandros Toptsoglou 2020-01-21 18:21:23 UTC

I tend to agree with you Pedro. Closing and feel free to re-open.

Comment 3 Gianluca Gabrielli 2021-05-17 10:52:21 UTC

Hi Pedro,

After this issue was closed the upstream has published a patch [0]. Please consider applying it to the following packages:

- SUSE:SLE-12-SP3:Update:Products:Manager32:Update/snakeyaml      1.10
- SUSE:SLE-15-SP1:Update:Products:Manager40:Update/snakeyaml      1.10
- SUSE:SLE-15-SP2:Update:Products:Manager41:Update/snakeyaml      1.10
- SUSE:SLE-15-SP2:Update/snakeyaml                                1.25

openSUSE:Factory/snakeyaml is already up-to-date.

[0] https://bitbucket.org/asomov/snakeyaml/commits/da11ddbd91c1f8392ea932b37fa48110fa54ed8c

Comment 4 Gianluca Gabrielli 2021-05-17 10:54:55 UTC

*** Bug 1186088 has been marked as a duplicate of this bug. ***

Comment 5 Pedro Monreal Gonzalez 2021-05-17 11:33:04 UTC

It's great to see upstream finally came up with a patch for this CVE.

Note that fstrba is the bugowner in IBS and he has already submitted to SLE-15-SP2 here:
   https://build.suse.de/request/show/241249

Comment 6 Gianluca Gabrielli 2021-05-19 10:26:44 UTC

Hi fstrba, could you also submit this patch to:

- SUSE:SLE-12-SP3:Update:Products:Manager32:Update/snakeyaml      1.10
- SUSE:SLE-15-SP1:Update:Products:Manager40:Update/snakeyaml      1.10
- SUSE:SLE-15-SP2:Update:Products:Manager41:Update/snakeyaml      1.10

Thanks

Comment 8 Swamp Workflow Management 2021-06-07 16:19:35 UTC

SUSE-SU-2021:1876-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1159488,1186088
CVE References: CVE-2017-18640
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src):    snakeyaml-1.28-3.5.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    snakeyaml-1.28-3.5.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    snakeyaml-1.28-3.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 9 Swamp Workflow Management 2021-06-08 10:18:21 UTC

openSUSE-SU-2021:0855-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1159488,1186088
CVE References: CVE-2017-18640
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    snakeyaml-1.28-lp152.2.3.1

Comment 10 Swamp Workflow Management 2021-06-15 16:56:31 UTC

SUSE-SU-2021:1979-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1159488,1186088
CVE References: CVE-2017-18640
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    snakeyaml-1.28-12.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 11 Swamp Workflow Management 2021-06-15 17:35:39 UTC

SUSE-SU-2021:1978-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1159488,1186088
CVE References: CVE-2017-18640
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (src):    snakeyaml-1.28-12.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 12 Swamp Workflow Management 2021-07-11 13:51:50 UTC

openSUSE-SU-2021:1876-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1159488,1186088
CVE References: CVE-2017-18640
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    snakeyaml-1.28-3.5.1

Comment 13 Petr Ostadal 2022-04-07 09:20:33 UTC

fixed