683814 – media-sound/beets: RuntimeError: Unsafe load() call disabled by Gentoo. See bug #659348

Bug 683814 - media-sound/beets: RuntimeError: Unsafe load() call disabled by Gentoo. See bug #659348

Summary: media-sound/beets: RuntimeError: Unsafe load() call disabled by Gentoo. See b...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Sound Team

URL:	https://github.com/beetbox/beets/issu...
Whiteboard:
Keywords:

Depends on:
Blocks:	unsafe-pyyaml
	Show dependency tree

Reported:	2019-04-19 04:49 UTC by Bernardo Meurer
Modified:	2019-05-19 17:54 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Error log (beets-failure.txt,1.48 KB, text/plain) 2019-04-19 04:54 UTC, Bernardo Meurer	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Bernardo Meurer 2019-04-19 04:49:54 UTC

Bug #659348 causes beets to not work _at all_. It needs to be patched in order to work properly on Gentoo now.

Pretty frustrating sudden breakage due to some vulnerability in YAML parsing.

Comment 1 Bernardo Meurer 2019-04-19 04:54:12 UTC

Created attachment 573410 [details]
Error log

Comment 2 Louis Sautier (sbraz) gentoo-dev

2019-04-19 08:36:20 UTC

This was fixed but no new version has been released.
Bernardo, until this is fixed, you can download https://github.com/beetbox/beets/commit/be12a89372b96c1502733a4d1ade45e1deecd5f9.patch into /etc/portage/patches/media-sound/beets-1.4.7/ and re-emerge beets.

Comment 3 Bernardo Meurer 2019-04-19 09:04:01 UTC

Louis' patch from upstream seems to fix it. I've tested it with the following code paths:
`beet upd`
`beet mbsync`
`beet absubmit`

Comment 4 Virgil Dupras (RETIRED) gentoo-dev

2019-05-11 16:54:17 UTC

Is the Sound team active? As you can see in the tracker bug, the immediate fix for this is trivial and there hasn't been any activity related to this bug yet.

This package will end up masked for removal if it doesn't fix its pyyaml usage.

Comment 5 Andreas Sturmlechner gentoo-dev

2019-05-19 15:26:23 UTC

(In reply to Virgil Dupras from comment #4)
> Is the Sound team active?
What sound team?

Comment 6 Larry the Git Cow gentoo-dev

2019-05-19 17:54:47 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=81d59ed7eb5a822322ed388560552aacc1b62ae9

commit 81d59ed7eb5a822322ed388560552aacc1b62ae9
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-05-19 15:26:57 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-05-19 16:55:53 +0000

    media-sound/beets: 1.4.8 version bump
    
    Closes: https://bugs.gentoo.org/683814
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-sound/beets/Manifest                         |   1 +
 media-sound/beets/beets-1.4.8.ebuild               | 141 +++++++++++++++++++++
 .../files/beets-1.4.8-imagemagick-detection.patch  |  23 ++++
 3 files changed, 165 insertions(+)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0217f3cbcb93b8d24f0aaa74e5dff5d95cdc5317

commit 0217f3cbcb93b8d24f0aaa74e5dff5d95cdc5317
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-05-19 15:28:04 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-05-19 16:55:54 +0000

    media-sound/beets: Drop 1.4.7
    
    Bug: https://bugs.gentoo.org/683814
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-sound/beets/Manifest           |   1 -
 media-sound/beets/beets-1.4.7.ebuild | 137 -----------------------------------
 2 files changed, 138 deletions(-)