|
|
Message-ID: <allVtdyGFI5A4mVX@pjcj.com>
Date: Fri, 17 Jul 2026 00:06:38 +0200
From: Paul Johnson <paul@...j.net>
To: cve-announce@...urity.metacpan.org, oss-security@...ts.openwall.com
Subject: CVE-2026-57077: YAML::Syck versions before 1.47 for Perl allow an
out-of-bounds read via an unbounded newline scan in newline_len
========================================================================
CVE-2026-57077 CPAN Security Group
========================================================================
CVE ID: CVE-2026-57077
Distribution: YAML-Syck
Versions: before 1.47
MetaCPAN: https://metacpan.org/dist/YAML-Syck
VCS Repo: https://github.com/toddr/YAML-Syck
YAML::Syck versions before 1.47 for Perl allow an out-of-bounds read
via an unbounded newline scan in newline_len
Description
-----------
YAML::Syck versions before 1.47 for Perl allow an out-of-bounds read
via an unbounded newline scan in newline_len.
In the bundled libsyck newline_len and is_newline dereference the scan
pointer, and the following byte for a "\r\n" pair, with no
NUL-terminator or bounds check. During block-scalar lexing at a
document boundary the scan runs one byte past the heap lexer buffer.
This is an incomplete fix of CVE-2025-11683, on a lexer path the
earlier fix did not cover.
Any caller that runs Load or LoadFile on an untrusted document with a
block scalar at a document boundary reaches the over-read.
Problem types
-------------
- CWE-125 Out-of-bounds Read
Solutions
---------
Upgrade to YAML-Syck 1.47 or later.
References
----------
https://metacpan.org/release/TODDR/YAML-Syck-1.47/changes
https://github.com/toddr/YAML-Syck/commit/44c90a109ec3215ee7ce747bd11209835e123d8b.patch
https://www.cve.org/CVERecord?id=CVE-2025-11683
--
Paul Johnson - paul@...j.net
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.