Closed zhuofeng6 closed 1 month ago
NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Is this pr to fix the CVE? https://github.com/yaml/libyaml/pull/259
Code:
Where exactly is this memory leak?
It's hard to review a PR if there is no reproducer I guess...
@perlpunk there's supposedly evidence in the fuzzing data https://drive.google.com/drive/folders/1lwNEs8wqwkUV52f3uQNYMPrxRuXPtGQs?usp=sharing
I haven't checked yet
At least I can download some files from the shared drive, but the two input files I can find there have nothing to do with flow sequences. They also seem to be broken. This is one of the files (I removed some broken stuff at the beginning that the parser complained about):
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - --- - - -- - - - - - - - - - - - - - - - - - - - -- - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -- - - - - - -- -
Please see my notes in #258 on how I tried to reproduce (and failed).
I think this can only be a bug, not a CVE. After all, it's common.
What do you think, my brother @perlpunk
brother?
Please see my latest comment here: https://github.com/yaml/libyaml/issues/258#issuecomment-2058613931 I believe it's not a libyaml vulnerability or bug.
I contacted VulDB and https://www.cve.org/CVERecord?id=CVE-2024-3205 has been rejected now. Closing.
https://nvd.nist.gov/vuln/detail/CVE-2024-3205