Bug 1159488 (CVE-2017-18640) - VUL-0: CVE-2017-18640: snakeyaml: The Alias feature allows entity expansion during a load operation
Status: RESOLVED FIXED
Duplicates: 1186088
Alias: CVE-2017-18640
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/248814/
Whiteboard: CVSSv3.1:SUSE:CVE-2017-18640:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2019-12-18 16:49 UTC by Alexandros Toptsoglou
Modified: 2022-04-07 10:23 UTC
CC List: 6 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 1 Pedro Monreal Gonzalez 2020-01-03 08:55:43 UTC
According to [0], upstream is not inclined to fix this and they point the user to be careful about the input, see [1]. This was addressed in the past and the test src/test/java/org/yaml/snakeyaml/issues/issue377/ReferencesTest.java was then introduced, see commit [2]. I would be inclined to close this as wontfix.

[0] https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion

[1] https://bitbucket.org/asomov/snakeyaml/wiki/Billion%20laughs%20attack

[2] https://bitbucket.org/asomov/snakeyaml/commits/04378d05777d21d114a9cdc24976ad49c8919222
Comment 2 Alexandros Toptsoglou 2020-01-21 18:21:23 UTC
I tend to agree with you Pedro. Closing and feel free to re-open.
Comment 3 Gianluca Gabrielli 2021-05-17 10:52:21 UTC
Hi Pedro,

After this issue was closed the upstream has published a patch [0]. Please consider applying it to the following packages:

- SUSE:SLE-12-SP3:Update:Products:Manager32:Update/snakeyaml      1.10
- SUSE:SLE-15-SP1:Update:Products:Manager40:Update/snakeyaml      1.10
- SUSE:SLE-15-SP2:Update:Products:Manager41:Update/snakeyaml      1.10
- SUSE:SLE-15-SP2:Update/snakeyaml                                1.25

openSUSE:Factory/snakeyaml is already up-to-date.

[0] https://bitbucket.org/asomov/snakeyaml/commits/da11ddbd91c1f8392ea932b37fa48110fa54ed8c
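The alias-expansion problem that comment 1 and comment 3 discuss, shown as an added example; this is not code from the bug report or from the SnakeYAML project. It assumes a SnakeYAML release that has LoaderOptions.setMaxAliasesForCollections (the limit on alias references to collections introduced in 1.26; the 1.28 packages in the update notices below carry it). The "billion laughs" document is constructed here: level 0 is a one-element list and every level above it is a list of nine aliases to the level below, so level n stands for 9^n copies of "lol" once every alias is expanded, while the document itself only contains 9 * levels alias references.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

public class AliasExpansionGuard {

    /**
     * Constructed payload: "a0" is a single-element list and each "a<i>" is a
     * list of nine aliases to "a<i-1>". Fully expanded, level n holds 9^n
     * leaves; textually it is only a few hundred bytes per level.
     */
    static String aliasBomb(int levels) {
        StringBuilder doc = new StringBuilder("a0: &a0 [\"lol\"]\n");
        for (int i = 1; i <= levels; i++) {
            doc.append("a").append(i).append(": &a").append(i).append(" [");
            for (int j = 0; j < 9; j++) {
                if (j > 0) {
                    doc.append(", ");
                }
                doc.append("*a").append(i - 1);
            }
            doc.append("]\n");
        }
        return doc.toString();
    }

    /**
     * Loads a document with an explicit cap on the number of alias references
     * that point at non-scalar (sequence/mapping) nodes. The setter is assumed
     * to be the one SnakeYAML ships from 1.26 on; its default value is 50, so
     * the cap applies even when nobody configures it, but setting it makes the
     * chosen limit visible in the code that handles untrusted input.
     */
    static Object loadCapped(String doc, int maxAliasesForCollections) {
        LoaderOptions opts = new LoaderOptions();
        opts.setMaxAliasesForCollections(maxAliasesForCollections);
        return new Yaml(opts).load(doc);
    }

    public static void main(String[] args) {
        String small = aliasBomb(3); // 27 collection aliases, 9^3 = 729 leaves expanded
        String large = aliasBomb(9); // 81 collection aliases, 9^9 leaves expanded

        Object ok = loadCapped(small, 50);
        System.out.println("3 levels, cap 50: loaded as " + ok.getClass().getSimpleName());

        try {
            loadCapped(large, 50);
            System.out.println("9 levels, cap 50: accepted (limit not enforced)");
        } catch (YAMLException e) {
            // 81 aliases exceed the cap, so the composer rejects the document
            // before any collection is constructed.
            System.out.println("9 levels, cap 50: rejected: " + e.getMessage());
        }
    }
}
```

The cap counts alias references, not expanded size, so it is a guard against the exponential pattern rather than a general resource limit; input coming from untrusted sources should additionally be bounded in length, and loaded through a constructor that cannot instantiate arbitrary classes (for example `new Yaml(new SafeConstructor())` in the releases that predate LoaderOptions-based construction), as the upstream wiki page referenced in comment 1 advises leaving input validation to the caller.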
Comment 4 Gianluca Gabrielli 2021-05-17 10:54:55 UTC
*** Bug 1186088 has been marked as a duplicate of this bug. ***
Comment 5 Pedro Monreal Gonzalez 2021-05-17 11:33:04 UTC
It's great to see upstream finally came up with a patch for this CVE.

Note that fstrba is the bugowner in IBS and he has already submitted to SLE-15-SP2 here:
   https://build.suse.de/request/show/241249
Comment 6 Gianluca Gabrielli 2021-05-19 10:26:44 UTC
Hi fstrba, could you also submit this patch to:

- SUSE:SLE-12-SP3:Update:Products:Manager32:Update/snakeyaml      1.10
- SUSE:SLE-15-SP1:Update:Products:Manager40:Update/snakeyaml      1.10
- SUSE:SLE-15-SP2:Update:Products:Manager41:Update/snakeyaml      1.10

Thanks
Comment 8 Swamp Workflow Management 2021-06-07 16:19:35 UTC
SUSE-SU-2021:1876-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1159488,1186088
CVE References: CVE-2017-18640
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src):    snakeyaml-1.28-3.5.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    snakeyaml-1.28-3.5.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    snakeyaml-1.28-3.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2021-06-08 10:18:21 UTC
openSUSE-SU-2021:0855-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1159488,1186088
CVE References: CVE-2017-18640
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    snakeyaml-1.28-lp152.2.3.1
Comment 10 Swamp Workflow Management 2021-06-15 16:56:31 UTC
SUSE-SU-2021:1979-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1159488,1186088
CVE References: CVE-2017-18640
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    snakeyaml-1.28-12.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2021-06-15 17:35:39 UTC
SUSE-SU-2021:1978-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1159488,1186088
CVE References: CVE-2017-18640
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (src):    snakeyaml-1.28-12.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2021-07-11 13:51:50 UTC
openSUSE-SU-2021:1876-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1159488,1186088
CVE References: CVE-2017-18640
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    snakeyaml-1.28-3.5.1
Comment 13 Petr Ostadal 2022-04-07 09:20:33 UTC
fixed