** Description changed:

  [Availability]
  Available in the Ubuntu archive and Debian; builds for all architectures.
  
  [Rationale]
  yaml-cpp is a new build- and runtime-dependency for Mir
  
  [Security]
  It's a library; installs no binaries, opens no ports, has no daemons.
  
+ Has had 2 CVEs in its history, both unfixed (both upstream and in Ubuntu):
+ https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-11692.html
+ https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5950.html
+ 
+ As far as I can tell they're only DoS risks - the first is an assert()
+ hit on a particular yaml construct, second is stack exhaustion via
+ unbounded recursion on specially crafted input. Neither appears to allow
+ an attacker to do anything other than crash the application using the
+ library.
+ 
+ *Mir* doesn't use this library to parse untrusted input and in any case
+ aborts during startup on failure to parse the configuration so we don't
+ much care about them, but other users might.
+ 
+ (Edit: incorporating comment #2 for the ease of review)
+ 
  [Quality assurance]
- Package has no configuration. 
+ Package has no configuration.
  
  Has no show-stopper bugs; correctly parses all the YAML we've thrown at
  it, and the upstream bugs are mostly not parse errors but requests for
  configurations we don't care about, extra features, and the like.
  
  Package ships a test-suite, which is run on build.
  Package ships a debian/watch (which does not pick up the most recent upstream release in the Ubuntu package; this is fixed in Salsa git)
  
  [Dependencies]
  Build-time dependencies only on libstdc++ and boost; no runtime dependencies outside libstdc++.
  
  [Standards compliance]
  Package in Ubuntu is FHS compliant, and meets the (somewhat old) 3.9.8 policy.
  
  [Maintenance]
  Dormant in Debian for a while, but Salsa has a package updated to 0.6.2 and modern Standards-Version in git.
  
  *Sigh* I guess I can be the one to maintain it in Ubuntu ☺. Subscribe me
  up!
  
  [Background information]
  A C++ YAML parser. Nothing particularly special.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1794692

Title:
  [MIR] yaml-cpp

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
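A pre-parse nesting-depth guard, added here as an example for library consumers who, unlike Mir, do hand untrusted YAML to yaml-cpp; it is not Mir's or yaml-cpp's own code. It assumes that the "specially crafted input" behind the stack-exhaustion CVE nests structures deeply, which is a reading of the description above rather than a detail the report gives, and the depth limit of 32 in the comments is an arbitrary constructed value.

```cpp
// Added example (not from Mir or yaml-cpp): bound YAML nesting before parsing.
// Assumption: the stack-exhaustion DoS described in the MIR is driven by deep
// nesting, so rejecting documents deeper than a fixed limit up front is one
// mitigation for callers that must parse untrusted input.
#include <cstddef>
#include <string>
#include <vector>

// Returns true if every nesting level in `doc` (flow-style [] / {} plus
// block-style indentation) stays at or below `max_depth`. Conservative: text
// inside block scalars (| or >) is treated like structure, so some benign
// documents may be rejected, but no over-deep document is let through.
bool yamlNestingWithinLimit(const std::string& doc, std::size_t max_depth) {
    std::vector<std::size_t> indents;   // stack of indentation widths in effect
    std::size_t flow_depth = 0;         // current [ ] / { } nesting
    std::size_t pos = 0;
    while (pos < doc.size()) {
        std::size_t eol = doc.find('\n', pos);
        if (eol == std::string::npos) eol = doc.size();
        std::string line = doc.substr(pos, eol - pos);
        pos = eol + 1;
        std::size_t indent = 0;
        while (indent < line.size() && line[indent] == ' ') ++indent;
        if (indent == line.size() || line[indent] == '#') continue; // blank or comment
        // Block structure: deeper indentation opens a level, shallower closes levels.
        while (!indents.empty() && indents.back() > indent) indents.pop_back();
        if (indents.empty() || indents.back() < indent) indents.push_back(indent);
        // Flow structure: count brackets outside quoted scalars and trailing comments.
        bool in_single = false, in_double = false;
        for (std::size_t i = indent; i < line.size(); ++i) {
            char c = line[i];
            if (in_double) { if (c == '\\') ++i; else if (c == '"') in_double = false; }
            else if (in_single) { if (c == '\'') in_single = false; }
            else if (c == '"') in_double = true;
            else if (c == '\'') in_single = true;
            else if (c == '#' && (i == indent || line[i - 1] == ' ')) break;
            else if (c == '[' || c == '{') ++flow_depth;
            else if ((c == ']' || c == '}') && flow_depth > 0) --flow_depth;
            if (indents.size() + flow_depth > max_depth) return false;
        }
        if (indents.size() + flow_depth > max_depth) return false;
    }
    return true;
}
```

Call it on the raw text and only pass documents that return true to `YAML::Load`; a top-level document counts as depth 1, so a limit of 32 (constructed here) still allows any realistic configuration file.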