Bug 713342 - dev-python/elasticsearch-curator: depends on vulnerable dev-python/pyyaml
Summary: dev-python/elasticsearch-curator: depends on vulnerable dev-python/pyyaml
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Stabilization
Hardware: All Linux
Importance: Normal blocker
Assignee: Tomáš Mózes
URL: https://github.com/elastic/curator/is...
Whiteboard:
Keywords: CC-ARCHES
Depends on: 728910
Blocks: CVE-2017-18342 722500
Reported: 2020-03-19 06:25 UTC by Michał Górny
Modified: 2020-06-30 06:34 UTC

See Also:
Package list:
dev-python/elasticsearch-curator-5.8.1-r1
Runtime testing required: ---
nattka: sanity-check+


Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-03-19 06:25:12 UTC
This package is blocking security cleanup of dev-python/pyyaml.
Comment 1 Tomáš Mózes 2020-03-19 12:29:39 UTC
Unfortunately, upstream doesn't support newer versions as of now.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-04-21 07:21:32 UTC
Could you try patching it?  I think the main problem is replacing load() with safe_load() or the dangerous load variant (sorry, I don't know the name offhand) if you know that the input is secure.
Comment 3 Tomáš Mózes 2020-04-21 11:12:30 UTC
The author was asked multiple times about switching to a newer release, but he stated it's a breaking change and will only happen in the next major version. Haven't tested myself, yet.
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-04-22 05:13:44 UTC
Do you have any ETA on when you'd test?  I'd like to last rite this package otherwise.
Comment 5 Tomáš Mózes 2020-04-23 10:39:00 UTC
(In reply to Michał Górny from comment #4)
> Do you have any ETA on when you'd test?  I'd like to last rite this package
> otherwise.

Pinged the maintainer and just testing with changing yaml.load(), hopefully it will be enough to change.
Comment 6 Larry the Git Cow gentoo-dev 2020-04-23 13:06:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2b177a4996a925bcd6d0eac5347266b6c8626585

commit 2b177a4996a925bcd6d0eac5347266b6c8626585
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2020-04-23 12:12:48 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-04-23 13:05:40 +0000

    dev-python/elasticsearch-curator: enable newer pyyaml
    
    Bug: https://bugs.gentoo.org/713342
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/15482
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 .../elasticsearch-curator-5.8.1-r1.ebuild          | 163 +++++++++++++++++++++
 1 file changed, 163 insertions(+)
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-05-25 12:18:48 UTC
amd64 stable
Comment 8 John Helmert III (ajak) 2020-06-20 02:16:47 UTC
x86?
Comment 9 Agostino Sarubbo gentoo-dev 2020-06-30 06:34:56 UTC
x86 stable. Closing.