Bug 714182 (CVE-2020-1747) - <dev-python/pyyaml-5.3.1: (further) insufficient restrictions on full_load function (CVE-2020-1747)
Alias: CVE-2020-1747
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on:
Reported: 2020-03-24 15:00 UTC by Sam James
Modified: 2020-06-20 13:44 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+
Description Sam James archtester gentoo-dev Security 2020-03-24 15:00:40 UTC
"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor."
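Added example, not part of the bug report or of PyYAML itself: a small defender-side triage helper that encodes the two facts this bug states (full_load/FullLoader exists from PyYAML 5.1, and the fix shipped in 5.3.1) and flags YAML documents that carry the python/* tag family, which is the route to the python/object/new constructor named in the advisory. The version and loader names are PyYAML's real ones; the sample YAML document, the function names and the class reference demo.Example are constructed for the example. The helper does not import PyYAML, so it runs anywhere; the actual mitigation is still to upgrade to >=5.3.1 and to parse untrusted input with yaml.safe_load, which never constructs python/* tags.

```python
import re
from typing import List, Tuple

# Version facts taken from the bug: FullLoader/full_load was introduced in
# PyYAML 5.1, and CVE-2020-1747 is fixed in 5.3.1.
FULL_LOADER_INTRODUCED = (5, 1, 0)
FIXED_VERSION = (5, 3, 1)

# Loader names as PyYAML spells them. SafeLoader never builds Python objects;
# Loader/UnsafeLoader do so by design; FullLoader is the one this bug is about.
_SAFE_LOADERS = {"safe_load", "SafeLoader"}
_UNSAFE_BY_DESIGN = {"load", "unsafe_load", "Loader", "UnsafeLoader"}
_FULL_LOADERS = {"full_load", "FullLoader"}

# Tag forms that reach the python/* constructors: the "!!python/..." shorthand
# and the fully spelled verbatim form "!<tag:yaml.org,2002:python/...>".
_PY_TAG = re.compile(r"(?:!!|!<tag:yaml\.org,2002:)python/[A-Za-z0-9_./:]*")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '5.3', '5.3.1' or 'PyYAML 5.3.1' into a 3-tuple for comparison."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_affected_by_cve_2020_1747(pyyaml_version: str, loader: str) -> bool:
    """True when this installed version + loader combination is hit by the bug."""
    version = parse_version(pyyaml_version)
    return loader in _FULL_LOADERS and FULL_LOADER_INTRODUCED <= version < FIXED_VERSION


def loader_risk(pyyaml_version: str, loader: str) -> str:
    """Classify a (version, loader) pair for an inventory or code-review report."""
    if loader in _SAFE_LOADERS:
        return "safe"
    if loader in _UNSAFE_BY_DESIGN:
        return "unsafe-by-design"
    if is_affected_by_cve_2020_1747(pyyaml_version, loader):
        return "vulnerable (CVE-2020-1747)"
    if loader in _FULL_LOADERS:
        return "full (fixed)"
    return "unknown loader"


def find_python_tags(yaml_text: str) -> List[Tuple[int, str]]:
    """Return (line number, tag) for every python/* tag found in untrusted YAML text.

    This is a triage signal for logs or upload scanning, not a parser: a %TAG
    directive can rebind handles, so it complements safe_load rather than
    replacing it.
    """
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        for match in _PY_TAG.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


# Constructed sample of a user-supplied configuration; demo.Example is a placeholder.
SAMPLE_UNTRUSTED = """\
# constructed sample: a config file submitted by a user
name: demo
limits:
  cpu: 2
callback: !!python/object/new:demo.Example []
"""

if __name__ == "__main__":
    for version, loader in [("5.3", "full_load"), ("5.3.1", "FullLoader"), ("5.3", "safe_load")]:
        print(f"PyYAML {version} with {loader}: {loader_risk(version, loader)}")
    for lineno, tag in find_python_tags(SAMPLE_UNTRUSTED):
        print(f"line {lineno}: python tag {tag!r}; parse this document with safe_load only")
```

Running the block prints the classification for three version/loader pairs and reports the python tag on line 5 of the constructed sample. Note that a PyYAML older than 5.1 has no full_load at all, so a call to it fails rather than being "affected", which is why the affected range starts at 5.1, matching comment 18 of this bug.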

Comment 1 Sam James archtester gentoo-dev Security 2020-03-24 15:02:12 UTC
@maintainer(s), please advise if 5.3.1 is ready for stabilisation, or call yourself.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-03-24 15:32:26 UTC
It's a minor release, so I suppose we can stabilize it earlier.
Comment 3 Sam James archtester gentoo-dev Security 2020-03-24 15:34:43 UTC
(In reply to Michał Górny from comment #2)
> It's a minor release, so I suppose we can stabilize it earlier.

Thanks for the quick response.
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 14:08:06 UTC
SuperH port disbanded.
Comment 5 Agostino Sarubbo gentoo-dev 2020-03-26 14:12:11 UTC
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-03-26 14:12:48 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-03-26 14:13:24 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-03-26 14:13:59 UTC
s390 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-03-26 14:14:33 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-03-26 14:15:17 UTC
x86 stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-03-27 13:29:19 UTC
amd64 stable
Comment 12 Mart Raudsepp gentoo-dev 2020-03-28 22:48:26 UTC
arm64 stable
Comment 13 Sergei Trofimovich gentoo-dev 2020-03-28 22:51:03 UTC
commit b4d062b92cd0ac405468a7ed8d553dd206c5b4a7
Author: Rolf Eike Beer <>
Date:   Fri Mar 27 08:38:42 2020 +0100

    dev-python/pyyaml: stable 5.3.1 for hppa, bug #714182
Comment 14 Sergei Trofimovich gentoo-dev 2020-03-29 17:26:27 UTC
ia64 stable
Comment 15 Sergei Trofimovich gentoo-dev 2020-04-21 07:15:13 UTC
m68k dropped stable keywords
Comment 16 Sam James archtester gentoo-dev Security 2020-04-21 07:20:09 UTC
@maintainer(s), please clean up
Comment 17 Yury German Gentoo Infrastructure gentoo-dev Security 2020-04-26 01:59:47 UTC
GLSA Vote: No

Please drop vulnerable versions
Comment 18 Thomas Deutschmann gentoo-dev Security 2020-05-11 18:33:26 UTC
Bug 714866 is not blocking cleanup (anymore, fixed since bug 708682). Also, this vulnerability affects pyyaml-5.1+ only. From this bug it's not required to clean up =3.13.