sereinity/raytracing

RUSTSEC-2018-0006: Uncontrolled recursion leads to abort in deserialization

Opened this issue · 1 comment

Uncontrolled recursion leads to abort in deserialization

Details
Package: yaml-rust
Version: 0.3.5
URL: chyh1990/yaml-rust#109
Date: 2018-09-17
Patched versions: >=0.4.1

Affected versions of this crate did not prevent deep recursion while
deserializing data structures.

This allows an attacker to make a YAML file with deeply nested structures
that causes an abort while deserializing it.

The flaw was corrected by checking the recursion depth.

Note: clap 2.33 is not affected by this because it uses yaml-rust
in a way that doesn't trigger the vulnerability. More specifically:

  1. The input to the YAML parser is always trusted: it is included at compile
     time via include_str!.

  2. The nesting level is never deep enough to trigger the overflow in practice
     (at most 5).

See advisory page for additional details.

Note: not related to the usage here, as we use it at compile time against one of the source files for clap.