oss-sec mailing list archives
Re: Re: libyaml / YAML-LibYAML DoS
From: Jan Rusnacko <jrusnack () redhat com>
Date: Fri, 03 Apr 2015 10:17:30 +0200
On 11/28/2014 09:04 PM, cve-assign () mitre org wrote:
This Python code is apparently intended to correspond directly to the yaml_parser_save_simple_key C code. However, because it's in a different programming language, we would typically consider it a separate codebase, eligible for its own CVE IDs. Here, "assert self.allow_simple_key or not required" is not within the scope of CVE-2014-9130. One question is whether identifying a security-relevant DoS caused by an assert in C code means that there is also a security-relevant DoS caused by an assert in corresponding Python code. In other words, should the threat model be considered the same: the assert within scanner.c might cause an outage of a C application that was intended to remain available for processing YAML from other clients, and the assert within scanner.py might cause an outage of a Python application that was intended to remain available for processing YAML from other clients? Or should the latter be considered much less plausible? If the threat model is largely the same, we will assign a second CVE ID for the scanner.py issue.
Belated ping on this one - since I don`t see a separate CVE assigned for scanner.py, shall it be tracked under CVE-2014-9130, despite the above statement that it is not within it`s scope ? Statement on how to track this would be appreciated. -- Jan Rusnacko, Red Hat Product Security
Current thread:
- Re: Re: libyaml / YAML-LibYAML DoS Jan Rusnacko (Apr 03)