From 6b10ce0976cbcb3d3fe5d1b47c89578349345e34 Mon Sep 17 00:00:00 2001
From: CreepySkeleton
Date: Mon, 6 Jul 2020 18:59:19 +0300
Subject: [PATCH] Update yaml-rust advirsory to indicate clap as non-vulnerable (#331)
---
 crates/yaml-rust/RUSTSEC-2018-0006.toml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/crates/yaml-rust/RUSTSEC-2018-0006.toml b/crates/yaml-rust/RUSTSEC-2018-0006.toml
index a8385c7..8c5e716 100644
--- a/crates/yaml-rust/RUSTSEC-2018-0006.toml
+++ b/crates/yaml-rust/RUSTSEC-2018-0006.toml
@@ -13,6 +13,15 @@ This allows an attacker to make a YAML file with deeply nested structures that causes an abort while deserializing it. The flaw was corrected by checking the recursion depth. + +Note: `clap 2.33` is not affected by this because it uses `yaml-rust` +in a way that doesn't trigger the vulnerability. More specifically: + +1. The input to the YAML parser is always trusted - is included at compile +time via `include_str!`. + +2. The nesting level is never deep enough to trigger the overflow in practice +(at most 5). """ aliases = ["CVE-2018-20993"]
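Review bot: The first numbered point in the added note is the one that actually makes clap non-vulnerable, but it is worded too broadly: `The input to the YAML parser is always trusted` holds only for clap's own `yaml` feature, where the file is embedded at build time via `include_str!`, not for applications that pass runtime YAML through `yaml-rust` while also depending on clap, and readers of the advisory may take the note as clearing every clap-based program. I would rephrase it as `1. clap only feeds yaml-rust its own YAML, embedded at build time via include_str!, so no attacker-controlled input reaches the parser.` and also fix the dropped subject in the current wording ("- is included" should read "- it is included"). The `(at most 5)` nesting figure in point 2 describes the particular YAML a project ships rather than a property of clap, so it should be hedged or dropped rather than stated as a guarantee. The multi-line `description` string this text sits in opens before the hunk; only its closing `"""` is visible as trailing context.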