Yaml has security issue #1854

Closed
yaa110 opened this issue Apr 23, 2020 · 3 comments
Labels
C-bug Category: Updating dependencies

Comments

yaa110 commented Apr 23, 2020

ID:       RUSTSEC-2018-0006
Crate:    yaml-rust
Version:  0.3.5
Date:     2018-09-17
URL:      https://rustsec.org/advisories/RUSTSEC-2018-0006
Title:    Uncontrolled recursion leads to abort in deserialization
Solution:  upgrade to >= 0.4.1
Dependency tree: 
yaml-rust 0.3.5
└── clap 2.33.0
@yaa110 yaa110 added the C-bug Category: Updating dependencies label Apr 23, 2020
@yaa110 yaa110 changed the title Yaml dependency has security issue Yaml has security issue Apr 23, 2020
pksunkara (Member) commented Apr 23, 2020

Duplicate of #1569

@pksunkara pksunkara marked this as a duplicate of #1569 Apr 23, 2020
CreepySkeleton (Contributor) commented

Yes, we know about it. But it's not a security issue because

  1. yaml-rust only ever receives trusted input from clap. Those .yml files are included via include_str! at compile time. There's simply no avenue of attack to exploit.
  2. As much as we would be willing to simply bump the version, it wouldn't be backward compatible because some types from yaml-rust occur in clap 2.x's public API. The old dependency is 0.3, the fixed one is 0.4. Bumping it would break old code for no real benefit (see 1). For the record: this is fixed in master; clap 0.3 will not be depending on the vulnerable version.

That said, this is a false positive. @yaa110 would it be possible to mention this comment on https://rustsec.org/?

yaa110 (Author) commented Apr 23, 2020

@CreepySkeleton The problem is that the CI (cargo audit) fails due to the security issue in yaml-rust.

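The two points under discussion, the advisory's failure mode (attacker-chosen nesting depth turns a recursive deserializer's stack into the attack surface, and a stack overflow is an abort the caller cannot catch) and the attack-surface argument in the reply (a document fixed at build time has a nesting depth decided by the source tree, not by a user), can be shown in a few lines. The block below is an added illustration, not code from yaml-rust, clap or this issue: it parses only nested bracket sequences such as `[a,[b]]`, not YAML, and the names `parse_unbounded`, `parse_bounded`, `deeply_nested`, `MAX_DEPTH` and the stand-in `CLI_SPEC` constant (playing the role of an `include_str!`-ed .yml file) are assumptions made for the example. The limit value of 64 is likewise an assumed budget, not yaml-rust's.

```rust
// Added illustration (not yaml-rust, clap or this issue's code): why uncontrolled
// recursion in a deserializer is a denial-of-service sink, and what a depth limit
// changes. The parser handles only nested bracket sequences like "[[a],[b,[c]]]".

#[derive(Debug, PartialEq)]
pub enum Node {
    Scalar(String),
    Seq(Vec<Node>),
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    TooDeep { limit: usize },
    Unexpected(usize),
    Unterminated,
}

/// Nesting budget the caller is willing to pay stack for (assumed value for the example).
pub const MAX_DEPTH: usize = 64;

struct Parser<'a> {
    bytes: &'a [u8],
    pos: usize,
    limit: Option<usize>, // None = the unbounded, advisory-style behaviour
}

impl<'a> Parser<'a> {
    fn parse_value(&mut self, depth: usize) -> Result<Node, ParseError> {
        // The whole fix: refuse before recursing, so the error is a Result the
        // caller handles rather than a stack overflow that aborts the process.
        if let Some(limit) = self.limit {
            if depth >= limit {
                return Err(ParseError::TooDeep { limit });
            }
        }
        match self.bytes.get(self.pos) {
            Some(b'[') => {
                self.pos += 1;
                let mut items = Vec::new();
                loop {
                    match self.bytes.get(self.pos) {
                        Some(b']') => {
                            self.pos += 1;
                            return Ok(Node::Seq(items));
                        }
                        Some(b',') => self.pos += 1,
                        // Every nested '[' costs one more stack frame here.
                        Some(_) => items.push(self.parse_value(depth + 1)?),
                        None => return Err(ParseError::Unterminated),
                    }
                }
            }
            Some(b']') | Some(b',') => Err(ParseError::Unexpected(self.pos)),
            Some(_) => {
                let start = self.pos;
                while let Some(&c) = self.bytes.get(self.pos) {
                    if c == b'[' || c == b']' || c == b',' {
                        break;
                    }
                    self.pos += 1;
                }
                let text = String::from_utf8_lossy(&self.bytes[start..self.pos]).into_owned();
                Ok(Node::Scalar(text))
            }
            None => Err(ParseError::Unterminated),
        }
    }
}

/// Unbounded recursion: input nesting depth decides whether the process aborts.
pub fn parse_unbounded(input: &str) -> Result<Node, ParseError> {
    Parser { bytes: input.as_bytes(), pos: 0, limit: None }.parse_value(0)
}

/// Bounded recursion: at most MAX_DEPTH nested sequences, deeper input is an Err.
pub fn parse_bounded(input: &str) -> Result<Node, ParseError> {
    Parser { bytes: input.as_bytes(), pos: 0, limit: Some(MAX_DEPTH) }.parse_value(0)
}

/// Constructs the advisory's kind of input: `depth` nested openers, then closers.
pub fn deeply_nested(depth: usize) -> String {
    let mut s = String::with_capacity(depth * 2);
    s.extend(std::iter::repeat('[').take(depth));
    s.extend(std::iter::repeat(']').take(depth));
    s
}

/// Stand-in for a .yml file pulled in with include_str!: its nesting depth is fixed
/// at build time, so no run-time user controls how deep the parser recurses.
const CLI_SPEC: &str = "[name,[subcommands,[run,build]]]";

pub fn trusted_spec() -> Result<Node, ParseError> {
    parse_bounded(CLI_SPEC)
}

fn main() {
    println!("trusted spec: {:?}", trusted_spec());
    println!("bounded, 100k deep: {:?}", parse_bounded(&deeply_nested(100_000)));
    // parse_unbounded(&deeply_nested(100_000)) would recurse 100k frames deep; on a
    // default-sized stack that is a stack overflow, i.e. an abort with no Result.
}
```

Running the bounded parser over a 100,000-deep document returns `Err(TooDeep { limit: 64 })` after 64 frames; the unbounded variant is the one cargo audit is warning about, and the reply's argument is that in clap 2.x nothing but `CLI_SPEC`-style build-time input ever reaches it.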