Trivial Untrusted DoS vuln #18
Comments
|
Confirmed on master as well. |
|
I've manually reduced the pattern-space, and have some eunit tests. It seems wise to consider QuickCheck/Mini, PropEr or other property/type fuzzing because YAML is complex and difficult to get right (400+ hits on CVEMITRE). |
|
Hi! Thank you for doing this analysis. You can reach me at one of the uids of my PGP key. |
|
Will do daytime. Looked at QuickCheck Mini* for property testing. Fuzzing utf8/16/32, lexical, syntactic and document levels seems to make sense. * EULA is short isn't too awful (not BSD) and the reducer is superior compared to triq and PropEr. |
|
Email sent. |
|
Here's an expanded EUnit test for this issue (deep-link to a private repo) |
|
LGTM (tested, couldn't break it) 🍻 Thanks for releasing too. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Version 0.4.0. This means affecting hex packages and other packages like yaml_elixir.
Impact Launching observer, it shows consuming all CPU by running in infinite loop and growing memory without bound.
Vuln For responsible disclosure practices, an email address with an associated GPG public key (maybe one of these) is needed to transfer specifics. If no reply is made, it will be publicly disclosed 2 months from today.
The text was updated successfully, but these errors were encountered: