CVE-2024-35326, CVE-2024-35328, CVE-2024-35329

[perlpunk]

The following CVEs I do not consider as vulnerabilties:

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35326 https://github.com/idhyt/pocs/blob/main/libyaml/CVE-2024-35326.c
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35328 https://github.com/idhyt/pocs/blob/main/libyaml/CVE-2024-35328.c
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35329 https://github.com/idhyt/pocs/blob/main/libyaml/CVE-2024-35329.c

They are all missing to initialize structs with the according proper functions for that, so there doesn't exist any working code that could be exploited. I already contacted mitre.org for CVE-2024-35329 over a month ago to reject this, but no reply :(

There has already been some discussion in #298 but I decided to create a new issue because the thread is hard to read because of the discussion of how those CVEs were (not) reported and published.

[hasufell]

I'm starting to think someone is abusing the CVE process to spam maintainers with low quality bug reports.

[zhuofeng6]

CVE-2024-35326, CVE-2024-35328 Did these two cve rejects, to nvd

[rsbeckerca]

Other projects have experienced this spam. Mitre responded appropriately to one in curl (IIRC) but they seem to act very slowly.

[rsbeckerca]

I have a pull request #305 that might close out issues with #302, specifically CVE-2024-35326. Even with the reject, a little defensive coding rarely hurts.

[openmorse]

The above CVEs are REJECTED now (not security issues) https://www.cve.org/CVERecord?id=CVE-2024-35326 https://www.cve.org/CVERecord?id=CVE-2024-35328 https://www.cve.org/CVERecord?id=CVE-2024-35329