Tina Müller (tinita)

Results 411 comments of Tina Müller (tinita)

I think sorting by default is reasonable. All perl5 YAML modules do this. If a language supports remembering key order from loading, like for example Python 3.7, then it's different...

@Tyil I will implement that for perl5 YAML::PP with Tie::IxHash. Is there something similar in perl 6?

> Afais, without an upstream patch, the only way to avoid it is to reject yaml flow style before passing it to the C parser. I doubt any library user...

It is a libyaml issue, but https://github.com/yaml/libyaml/pull/290 should mitigate it. And the POP from the empty stack only happened when using canonical mode in the emitter, which is very rare.

I had a closer look at the libyaml and the fuzzer code and think there is nothing to exploit. See my comment here: https://github.com/yaml/libyaml/issues/258#issuecomment-2058613931

FYI: I'm currently trying to get the CVE rejected. Hopefully I contacted the right people.

The CVE is now rejected: https://www.cve.org/CVERecord?id=CVE-2024-3205

The versions are shown here: https://matrix.yaml.info/processors.html The links are probably not very recognizable as links. Maybe I should underline them?

A related question: if `sass` actually fails, how can we react to it? We see the error in the log, but the webserver is started anyway.

With the trace option we were able to find out the problem. The latest bootstrap css seems to use features that ruby sass isn't prepared for. See https://progress.opensuse.org/issues/162311#note-21 ff. We...