766228 – (CVE-2020-14343) <dev-python/pyyaml-5.4: Deserialization vulnerability (CVE-2020-14343)

Bug 766228 (CVE-2020-14343) - <dev-python/pyyaml-5.4: Deserialization vulnerability (CVE-2020-14343)

Summary: <dev-python/pyyaml-5.4: Deserialization vulnerability (CVE-2020-14343)

Status:	RESOLVED FIXED

Alias:	CVE-2020-14343

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:	B2 [glsa+]
Keywords:

Depends on:
Blocks:

Reported:	2021-01-20 01:31 UTC by Sam James
Modified:	2024-02-26 15:46 UTC (History)
CC List:	2 users (show)

See Also:	CVE-2020-1747
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2021-01-20 01:31:49 UTC

"A vulnerability was discovered in the PyYAML library, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747."

Comment 1 Larry the Git Cow gentoo-dev

2021-01-20 01:35:18 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e095455ebcf69605fe4f34332176da8198e7e333

commit e095455ebcf69605fe4f34332176da8198e7e333
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-01-20 01:35:12 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-20 01:35:12 +0000

    dev-python/pyyaml: security bump to 5.4
    
    Bug: https://bugs.gentoo.org/766228
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-python/pyyaml/Manifest          |  1 +
 dev-python/pyyaml/pyyaml-5.4.ebuild | 49 +++++++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2021-01-20 23:02:05 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fa1134a0a3e13f71d47fe7d3b84590e96eb1be16

commit fa1134a0a3e13f71d47fe7d3b84590e96eb1be16
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-01-20 23:01:57 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-20 23:02:03 +0000

    dev-python/pyyaml: bump to 5.4.1
    
    Bug: https://bugs.gentoo.org/766228
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-python/pyyaml/Manifest                                   | 2 +-
 dev-python/pyyaml/{pyyaml-5.4.ebuild => pyyaml-5.4.1.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)

Comment 3 Agostino Sarubbo gentoo-dev

2021-01-22 16:55:00 UTC

amd64 stable

Comment 4 Sam James archtester

2021-01-22 22:29:17 UTC

sparc done

Comment 5 Sam James archtester

2021-01-24 04:33:08 UTC

s390 done

Comment 6 Agostino Sarubbo gentoo-dev

2021-01-24 12:12:15 UTC

x86 stable

Comment 7 Sam James archtester

2021-01-24 13:33:36 UTC

ppc64 done

Comment 8 Sam James archtester

2021-01-24 20:07:02 UTC

ppc done

Comment 9 Sam James archtester

2021-01-24 20:07:20 UTC

arm done

Comment 10 Sam James archtester

2021-01-24 21:52:10 UTC

arm64 done

Comment 11 Rolf Eike Beer archtester

2021-02-08 09:16:22 UTC

hppa already stable

Comment 12 John Helmert III archtester

2021-02-08 14:04:19 UTC

Please cleanup

Comment 13 John Helmert III archtester

2021-07-11 02:53:01 UTC

Ping

Comment 14 NATTkA bot gentoo-dev

2021-07-29 17:24:23 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 15 NATTkA bot gentoo-dev

2021-07-29 17:32:53 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 16 NATTkA bot gentoo-dev

2021-07-29 17:40:45 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 17 NATTkA bot gentoo-dev

2021-07-29 17:48:55 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 18 NATTkA bot gentoo-dev

2021-07-29 18:04:51 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 19 NATTkA bot gentoo-dev

2021-07-29 18:13:08 UTC

Package list is empty or all packages have requested keywords.

Comment 20 Michał Górny archtester

2022-06-12 05:33:03 UTC

Can we close this now?

Comment 21 Larry the Git Cow gentoo-dev

2024-02-26 15:45:16 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=e549b151411e283e5129e0b82b21b1fc7c93bcd7

commit e549b151411e283e5129e0b82b21b1fc7c93bcd7
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-26 15:44:41 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-02-26 15:45:06 +0000

    [ GLSA 202402-33 ] PyYAML: Arbitrary Code Execution
    
    Bug: https://bugs.gentoo.org/766228
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202402-33.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)