RUSTSEC-2018-0006: Uncontrolled recursion leads to abort in deserialization #11
Assignees
Labels
dependencies
Pull requests that update a dependency file
help wanted
Extra attention is needed
security
About security concerns
Comments
imclint21
added
help wanted
|
This doesn't really affect us. The only yaml file read by clap is embedded in the binary, so unless the attacker modifies it there's no way that this bug can be triggered. Regardless of the low impact of this bug, this issue can be left open until we update clap to version 3 (not released yet), which doesn't have the problem anymore. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
yaml-rust0.3.5>= 0.4.1Affected versions of this crate did not prevent deep recursion while
deserializing data structures.
This allows an attacker to make a YAML file with deeply nested structures
that causes an abort while deserializing it.
The flaw was corrected by checking the recursion depth.
See advisory page for additional details.
The text was updated successfully, but these errors were encountered: