Bug 714182 (CVE-2020-1747)

Summary: <dev-python/pyyaml-5.3.1: (further) insufficient restrictions on full_load function (CVE-2020-1747)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: mgorny, python
Priority: Normal
Keywords: STABLEREQ
Version: unspecified
Flags: stable-bot: sanity-check+
Hardware: All
OS: Linux
URL: https://github.com/yaml/pyyaml/pull/386
See Also: https://bugs.gentoo.org/show_bug.cgi?id=710658
https://bugs.gentoo.org/show_bug.cgi?id=766228
Whiteboard: B3 [noglsa cve]
Package list:
dev-python/pyyaml-5.3.1
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-24 15:00:40 UTC
Description:
"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor."

Patch: https://github.com/yaml/pyyaml/commit/5080ba513377b6355a0502104846ee804656f1e0
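As an added defensive example (not part of this bug report or of PyYAML itself), a static check that walks Python source and flags the PyYAML entry points the description names: `full_load`, or `load` with no Loader or with `FullLoader`, which on versions before 5.3.1 still exposed the python/object/new constructor to untrusted input. `audit_yaml_calls`, `_loader_name` and the `SAMPLE` module are mine; `SAMPLE` is constructed input.

```python
"""Flag PyYAML call sites that would hand untrusted YAML to a non-safe loader."""
import ast
from typing import List, Optional, Tuple

# Entry points that build arbitrary Python objects from tags. Before 5.3.1 the
# full_load / FullLoader family also honoured python/object/new (CVE-2020-1747).
OBJECT_FUNCS = {"unsafe_load", "unsafe_load_all", "full_load", "full_load_all"}
GENERIC_FUNCS = {"load", "load_all"}
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}


def _loader_name(call: ast.Call) -> Optional[str]:
    """Loader passed by keyword or as 2nd positional argument, else None."""
    nodes = [kw.value for kw in call.keywords if kw.arg == "Loader"] or call.args[1:2]
    if not nodes:
        return None
    node = nodes[0]
    # yaml.SafeLoader -> "SafeLoader"; bare name -> its id; anything dynamic -> "?"
    # so that a computed Loader fails closed and gets reported.
    return node.attr if isinstance(node, ast.Attribute) else getattr(node, "id", "?")


def audit_yaml_calls(source: str) -> List[Tuple[int, str, str]]:
    """Return (line, call, reason) for each yaml.* call that is not safe by construction."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        target = node.func.value
        if not (isinstance(target, ast.Name) and target.id == "yaml"):
            continue  # only calls spelled yaml.<something>(...)
        fn = node.func.attr
        if fn in OBJECT_FUNCS:
            findings.append((node.lineno, f"yaml.{fn}", "constructs Python objects from tags"))
        elif fn in GENERIC_FUNCS:
            loader = _loader_name(node)
            if loader is None:
                findings.append((node.lineno, f"yaml.{fn}", "no Loader given; 5.1+ defaults to FullLoader"))
            elif loader not in SAFE_LOADERS:
                findings.append((node.lineno, f"yaml.{fn}", f"Loader={loader} is not a safe loader"))
    return sorted(findings)


# Constructed sample module; only lines 3, 6 and 7 should be reported.
SAMPLE = """\
import yaml
cfg = yaml.safe_load(open("cfg.yml"))
a = yaml.full_load(untrusted)
b = yaml.load(untrusted, Loader=yaml.SafeLoader)
c = yaml.load(untrusted, yaml.CSafeLoader)
d = yaml.load(untrusted)
e = yaml.load(untrusted, Loader=yaml.FullLoader)
"""
```

Running `audit_yaml_calls` over a code base gives the list of call sites that must either move to `yaml.safe_load` / `SafeLoader` or be proven to see trusted input only; it does not replace upgrading to 5.3.1, which restricts the constructor itself.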
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-24 15:02:12 UTC
@maintainer(s), please advise if 5.3.1 is ready for stabilisation, or call yourself.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-03-24 15:32:26 UTC
It's a minor release, so I suppose we can stabilize it earlier.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-24 15:34:43 UTC
(In reply to Michał Górny from comment #2)
> It's a minor release, so I suppose we can stabilize it earlier.

Thanks for the quick response.
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 14:08:06 UTC
SuperH port disbanded.
Comment 5 Agostino Sarubbo gentoo-dev 2020-03-26 14:12:11 UTC
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-03-26 14:12:48 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-03-26 14:13:24 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-03-26 14:13:59 UTC
s390 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-03-26 14:14:33 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-03-26 14:15:17 UTC
x86 stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-03-27 13:29:19 UTC
amd64 stable
Comment 12 Mart Raudsepp gentoo-dev 2020-03-28 22:48:26 UTC
arm64 stable
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2020-03-28 22:51:03 UTC
commit b4d062b92cd0ac405468a7ed8d553dd206c5b4a7
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Fri Mar 27 08:38:42 2020 +0100

    dev-python/pyyaml: stable 5.3.1 for hppa, bug #714182
Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev 2020-03-29 17:26:27 UTC
ia64 stable
Comment 15 Sergei Trofimovich (RETIRED) gentoo-dev 2020-04-21 07:15:13 UTC
m68k dropped stable keywords
Comment 16 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-21 07:20:09 UTC
@maintainer(s), please clean up
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2020-04-26 01:59:47 UTC
GLSA Vote: No

Please drop vulnerable versions
Comment 18 Thomas Deutschmann (RETIRED) gentoo-dev 2020-05-11 18:33:26 UTC
Bug 714866 is not blocking cleanup (anymore, fixed since bug 708682). Also, this vulnerability affects pyyaml-5.1+ only. From this bug it's not required to clean up =3.13.