RUSTSEC-2018-0006: Uncontrolled recursion leads to abort in deserialization #48

github-actions · 2020-07-05T00:30:00Z

Uncontrolled recursion leads to abort in deserialization

Details
Package	`yaml-rust`
Version	`0.3.5`
URL	chyh1990/yaml-rust#109
Date	2018-09-17
Patched versions	`>= 0.4.1`

Affected versions of this crate did not prevent deep recursion while
deserializing data structures.

This allows an attacker to make a YAML file with deeply nested structures
that causes an abort while deserializing it.

The flaw was corrected by checking the recursion depth.

See advisory page for additional details.

The text was updated successfully, but these errors were encountered:

notheotherben · 2020-07-05T22:19:34Z

This appears to be a dependency of [email protected] - so we'll need to wait until they update it (or switch to [email protected] when it becomes GA.

Since we're not using any of the YAML functionality within clap, this is likely not an issue for our use case.

notheotherben added a commit that referenced this issue Jul 5, 2020

chore: Update dependencies (#48, #49, #50)

fa53efe

notheotherben added the bug Something isn't working label Jul 5, 2020

notheotherben closed this as completed Jul 16, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

RUSTSEC-2018-0006: Uncontrolled recursion leads to abort in deserialization #48

RUSTSEC-2018-0006: Uncontrolled recursion leads to abort in deserialization #48

github-actions bot commented Jul 5, 2020

notheotherben commented Jul 5, 2020

RUSTSEC-2018-0006: Uncontrolled recursion leads to abort in deserialization #48

RUSTSEC-2018-0006: Uncontrolled recursion leads to abort in deserialization #48

Comments

github-actions bot commented Jul 5, 2020

notheotherben commented Jul 5, 2020