Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 738168 (CVE-2020-10289) - <dev-ros/actionlib-1.13.2: Use of unsafe YAML load (CVE-2020-10289)
Summary: <dev-ros/actionlib-1.13.2: Use of unsafe YAML load (CVE-2020-10289)
Status: RESOLVED FIXED
Alias: CVE-2020-10289
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://github.com/ros/actionlib/pull...
Whiteboard: ~2 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-08-20 09:05 UTC by Sam James
Modified: 2020-08-29 02:39 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-20 09:05:24 UTC 
Description:
"Use of unsafe yaml load. Allows instantiation of arbitrary objects. The flaw itself is caused by an unsafe parsing of YAML values which happens whenever an action message is processed to be sent, and allows for the creation of Python objects. Through this flaw in the ROS core package of actionlib, an attacker with local or remote access can make the ROS Master, execute arbitrary code in Python form. Consider yaml.safe_load() instead. Located first in actionlib/tools/library.py:132. See links for more info on the bug."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-20 09:06:25 UTC 
Please apply the linked patches if appropriate, if not we will wait.
Comment 2 Larry the Git Cow gentoo-dev 2020-08-25 12:37:39 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e823bbf28f1e0d4698e1ac780365b22eefd2b6cb

commit e823bbf28f1e0d4698e1ac780365b22eefd2b6cb
Author:     Alexis Ballier <aballier@gentoo.org>
AuthorDate: 2020-08-24 15:17:39 +0000
Commit:     Alexis Ballier <aballier@gentoo.org>
CommitDate: 2020-08-25 12:37:22 +0000

    dev-ros/actionlib_tools: bump to 1.13.2
    
    Bug: https://bugs.gentoo.org/738168
    Package-Manager: Portage-3.0.3, Repoman-3.0.0
    Signed-off-by: Alexis Ballier <aballier@gentoo.org>

 dev-ros/actionlib_tools/Manifest                                        | 2 +-
 .../{actionlib_tools-1.13.1.ebuild => actionlib_tools-1.13.2.ebuild}    | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-29 02:39:28 UTC 
Linked patches are in 1.13.2. Tree is clean, no stable versions, all done.