xnox, raof, many thanks for your replies earlier.

I've read through yaml-cpp and can see the benefits: it sticks to C++
things and is remarkably readable. There are a lot of tests.

But there are six CVEs that have been completely ignored. While at least
some of the CVEs wouldn't affect Mir's use (no one is going to feed Mir
a config file with a few thousand '{' or '[' characters), once it's in
main we'd need to assess issues from the perspective of all consumers.

CVE-2017-11692 is extremely poor error handling.

https://github.com/jbeder/yaml-cpp/issues/519 CVE-2017-11692
https://github.com/jbeder/yaml-cpp/issues/459 CVE-2017-5950
https://github.com/jbeder/yaml-cpp/issues/655 CVE-2018-20573
https://github.com/jbeder/yaml-cpp/issues/654 CVE-2018-20574
https://github.com/jbeder/yaml-cpp/issues/660 CVE-2019-6285
https://github.com/jbeder/yaml-cpp/issues/657 CVE-2019-6292

FORTIFY_SOURCE is missing from the build logs.

I have to wonder if this package has seen sufficient real-world use.

Would the Mir team be in a position to work with upstream on addressing
these issues? If we accept yaml-cpp into main it'd be nice to have these
issues addressed before 20.04 LTS.

Thanks

** Bug watch added: github.com/jbeder/yaml-cpp/issues #519
   https://github.com/jbeder/yaml-cpp/issues/519

** Bug watch added: github.com/jbeder/yaml-cpp/issues #459
   https://github.com/jbeder/yaml-cpp/issues/459

** Bug watch added: github.com/jbeder/yaml-cpp/issues #655
   https://github.com/jbeder/yaml-cpp/issues/655

** Bug watch added: github.com/jbeder/yaml-cpp/issues #654
   https://github.com/jbeder/yaml-cpp/issues/654

** Bug watch added: github.com/jbeder/yaml-cpp/issues #660
   https://github.com/jbeder/yaml-cpp/issues/660

** Bug watch added: github.com/jbeder/yaml-cpp/issues #657
   https://github.com/jbeder/yaml-cpp/issues/657

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-20573

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-20574

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-6285

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-6292

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1794692

Title:
  [MIR] [mir] yaml-cpp

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/yaml-cpp/+bug/1794692/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
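The point about a config file stuffed with thousands of '{' or '[' characters is the recursion-depth class of bug the listed issues describe: a recursive-descent parser consumes stack in proportion to nesting. Until upstream bounds that, a consumer can refuse deeply nested input before it reaches the parser. The following is an added example, not code from this bug report, from Mir or from yaml-cpp; it is a standalone C++ pre-check that scans a YAML document for the deepest flow-style (brackets) and block-style (indentation) nesting and rejects anything beyond a limit. The limit `kMaxNestingDepth`, the function names and the sample documents are all assumptions made here; the indentation-based estimate is an approximation, not a YAML parse.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical limit: documents nested deeper than this are rejected
// before the real (recursive) parser ever sees them.
constexpr int kMaxNestingDepth = 64;

// True if the previous character means a quote here begins a quoted scalar
// rather than sitting inside a plain scalar such as  don't .
static bool quote_can_start(char prev) {
    return std::string(" \t\n:[{,").find(prev) != std::string::npos;
}

// Deepest nesting of flow-style collections ([...] and {...}) in the text,
// ignoring brackets inside quoted scalars and comments.
int max_flow_nesting_depth(const std::string& text) {
    int depth = 0, max_depth = 0;
    char quote = '\0';           // active quote character, '\0' when outside quotes
    bool in_comment = false;
    for (std::size_t i = 0; i < text.size(); ++i) {
        const char c = text[i];
        if (in_comment) { if (c == '\n') in_comment = false; continue; }
        if (quote != '\0') {
            if (c == quote) {
                // '' inside a single-quoted scalar is an escaped quote, not the end
                if (quote == '\'' && i + 1 < text.size() && text[i + 1] == '\'') { ++i; continue; }
                quote = '\0';
            } else if (quote == '"' && c == '\\') {
                ++i;             // skip the escaped character in a double-quoted scalar
            }
            continue;
        }
        const char prev = (i == 0) ? '\n' : text[i - 1];
        switch (c) {
        case '\'': case '"':
            if (quote_can_start(prev)) quote = c;
            break;
        case '#':                // a comment starts only at line start or after whitespace
            if (prev == ' ' || prev == '\t' || prev == '\n') in_comment = true;
            break;
        case '[': case '{':
            ++depth;
            max_depth = std::max(max_depth, depth);
            break;
        case ']': case '}':
            if (depth > 0) --depth;
            break;
        default:
            break;
        }
    }
    return max_depth;
}

// Deepest nesting of block-style collections, estimated from indentation:
// each non-blank, non-comment line opens a level if it is indented further
// than the levels still open above it.
int max_block_nesting_depth(const std::string& text) {
    std::vector<int> open_indents;   // stack of indentation widths still open
    int max_depth = 0;
    std::size_t pos = 0;
    while (pos < text.size()) {
        std::size_t end = text.find('\n', pos);
        if (end == std::string::npos) end = text.size();
        const std::string line = text.substr(pos, end - pos);
        pos = end + 1;
        const std::size_t first = line.find_first_not_of(' ');
        if (first == std::string::npos || line[first] == '#') continue;   // blank or comment line
        const int indent = static_cast<int>(first);
        while (!open_indents.empty() && open_indents.back() >= indent) open_indents.pop_back();
        open_indents.push_back(indent);
        max_depth = std::max(max_depth, static_cast<int>(open_indents.size()));
    }
    return max_depth;
}

// Gate to run on untrusted YAML before handing it to a recursive parser.
bool within_depth_limit(const std::string& text, int limit = kMaxNestingDepth) {
    return max_flow_nesting_depth(text) <= limit && max_block_nesting_depth(text) <= limit;
}

int main() {
    const std::string benign = "display:\n  width: 1280\n  modes: [a, b]\n";   // constructed sample
    const std::string hostile(5000, '[');                                    // constructed: 5000 open brackets
    std::cout << "benign ok: " << within_depth_limit(benign) << "\n"
              << "hostile ok: " << within_depth_limit(hostile) << "\n";
    return 0;
}
```

A check like this belongs at the boundary where a consumer reads configuration from a path it does not control; it does not replace an upstream fix, since the parser itself still has to enforce a depth bound for every caller that skips the gate.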