Bug#1030046: Document snakeyaml security expectations

2023-02-06 Thread Moritz Muehlenhoff
On Mon, Jan 30, 2023 at 10:15:47PM +0100, Markus Koschany wrote:
> Hi,
> 
> Am Montag, dem 30.01.2023 um 18:44 +0100 schrieb Moritz Muehlenhoff:
> > 
> > Could we please add a README.Debian.security with something like the following
> > to make this also visible to users?
> > 
> > 
> > Note that snakeyaml isn't designed to operate on YAML data coming from untrusted
> > sources, in such cases you need to apply sanitising/exception handling yourself.
> > 
> > Please see https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md
> > for additional information.
> > 
> 
> Sure, that's doable. But how do we treat the current and new CVE in stable and
> oldstable releases? no-dsa, ignored or keep them open until upstream eventually
> fixes them?

Good question! How about we ship whatever is currently fixed upstream in
LTS/Bullseye 11.7 and ship such a README.Debian.security alongside, then we can
just as well apply it to all further/future snakeyaml issues and mark them as
(unimportant)?

Cheers,
Moritz



Bug#1030046: Document snakeyaml security expectations

2023-01-30 Thread Markus Koschany
Hi,

Am Montag, dem 30.01.2023 um 18:44 +0100 schrieb Moritz Muehlenhoff:
> 
> Could we please add a README.Debian.security with something like the following
> to make this also visible to users?
> 
> 
> Note that snakeyaml isn't designed to operate on YAML data coming from untrusted
> sources, in such cases you need to apply sanitising/exception handling yourself.
> 
> Please see https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md
> for additional information.
> 

Sure, that's doable. But how do we treat the current and new CVE in stable and
oldstable releases? no-dsa, ignored or keep them open until upstream eventually
fixes them?

Cheers,

Markus




Bug#1030046: Document snakeyaml security expectations

2023-01-30 Thread Moritz Muehlenhoff
Source: snakeyaml
Version: 1.33-1
Severity: important

Google's oss-fuzz found various cases where snakeyaml triggers an exception
on malformed YAML input. These end up being blindly picked up by various
security web sites (since CVE IDs were assigned).

This is causing lots of overhead/annoyance for the upstream developers
(as voiced in 
https://bitbucket.org/snakeyaml/snakeyaml/issues/551/snakeyaml-cves-from-oss-fuzz)
and they released 
https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md
to document expectations.

Could we please add a README.Debian.security with something like the following
to make this also visible to users?


Note that snakeyaml isn't designed to operate on YAML data coming from untrusted
sources, in such cases you need to apply sanitising/exception handling yourself.

Please see https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md
for additional information.


Cheers,
Moritz
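The README text above tells users to apply sanitising and exception handling themselves when YAML comes from an untrusted source. The following is an added example of what that looks like for an application using the snakeyaml library; it is not part of the bug report, of the Debian package, or of the snakeyaml project. It assumes the snakeyaml 1.33 API (the version named in this report): `LoaderOptions` with its `setMaxAliasesForCollections`, `setNestingDepthLimit`, `setCodePointLimit` and `setAllowDuplicateKeys` setters, the `SafeConstructor(LoaderOptions)` constructor, and `org.yaml.snakeyaml.error.YAMLException` as the common base of the parser's exceptions. The class name `UntrustedYamlLoader`, the limit values and the sample documents are constructed for the example.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;
import java.util.Optional;

/**
 * Loads YAML that may come from an untrusted source.
 * Example code, not part of the bug report or of snakeyaml itself; it assumes
 * the snakeyaml 1.33 API (LoaderOptions limits, SafeConstructor(LoaderOptions),
 * YAMLException).
 */
public final class UntrustedYamlLoader {

    // Constructed limits for the example; tune them for the real application.
    private static final int MAX_INPUT_CHARS = 64 * 1024;  // cap checked before parsing at all
    private static final int MAX_ALIASES = 50;              // bounds alias expansion on one collection
    private static final int MAX_NESTING = 50;              // bounds recursion on deeply nested input

    private final Yaml yaml;

    public UntrustedYamlLoader() {
        LoaderOptions options = new LoaderOptions();
        options.setMaxAliasesForCollections(MAX_ALIASES);
        options.setNestingDepthLimit(MAX_NESTING);
        options.setCodePointLimit(MAX_INPUT_CHARS);
        options.setAllowDuplicateKeys(false);
        // SafeConstructor only builds standard YAML types (maps, lists, scalars);
        // it never instantiates application classes named by a tag in the input.
        this.yaml = new Yaml(new SafeConstructor(options));
    }

    /** Returns the parsed mapping, or empty if the input is rejected or malformed. */
    @SuppressWarnings("unchecked")
    public Optional<Map<String, Object>> loadMap(String untrustedYaml) {
        if (untrustedYaml == null || untrustedYaml.length() > MAX_INPUT_CHARS) {
            return Optional.empty();  // oversized input is refused before the parser sees it
        }
        try {
            Object parsed = yaml.load(untrustedYaml);
            if (parsed instanceof Map) {
                return Optional.of((Map<String, Object>) parsed);
            }
            return Optional.empty();  // a scalar or sequence at top level is not the expected shape
        } catch (YAMLException e) {
            // Malformed input is an expected outcome for untrusted data: log it and
            // return a well-defined result instead of letting the exception propagate.
            System.err.println("rejected YAML input: " + e.getMessage());
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        UntrustedYamlLoader loader = new UntrustedYamlLoader();
        // Constructed samples: one well-formed document and one with an unclosed sequence.
        System.out.println(loader.loadMap("name: demo\nports: [80, 443]\n"));
        System.out.println(loader.loadMap("name: demo\nports: [80, 443\n"));
    }
}
```

The two halves do different jobs: the `LoaderOptions` limits and `SafeConstructor` bound what the parser will do with hostile input (alias expansion, nesting depth, total size, arbitrary object construction), while the `catch (YAMLException e)` turns the parser's error on malformed input, the class of finding the oss-fuzz reports describe, into an ordinary application-level rejection. Neither replaces the other.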