Bug 714182 (CVE-2020-1747) - <dev-python/pyyaml-5.3.1: (further) insufficient restrictions on full_load function (CVE-2020-1747)
Summary: <dev-python/pyyaml-5.3.1: (further) insufficient restrictions on full_load fu...
Status: IN_PROGRESS
Alias: CVE-2020-1747
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/yaml/pyyaml/pull/386
Whiteboard: B3 [noglsa cve cleanup]
Keywords: STABLEREQ
Depends on:
Blocks:
 
Reported: 2020-03-24 15:00 UTC by Sam James (sec padawan)
Modified: 2020-05-11 18:33 UTC

See Also:
Package list:
dev-python/pyyaml-5.3.1
Runtime testing required: ---
stable-bot: sanity-check+


Description Sam James (sec padawan) 2020-03-24 15:00:40 UTC
Description:
"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor."

Patch: https://github.com/yaml/pyyaml/commit/5080ba513377b6355a0502104846ee804656f1e0
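Added example, not code from the PyYAML project, from the patch linked above, or from anyone on this bug. It shows the application-side mitigation for the flaw described above: only ever parse untrusted YAML with yaml.safe_load / SafeLoader (which has no constructor for any !!python/* tag, including the python/object/new constructor named in the advisory), with a raw-text pre-scan for python/* tags as defence in depth and a version predicate for the range this bug covers (5.1 up to, but not including, 5.3.1, as stated in the description and in comment 18). The function names, the regex and the two sample documents are my own constructions; the "malicious" document carries only the tag, not an exploit body.

```python
"""Guarding untrusted YAML input against CVE-2020-1747-style abuse.

Editor's example, not PyYAML's own code. Assumes PyYAML is installed
wherever load_untrusted() is actually called; the other helpers work on
plain text and need nothing beyond the standard library.
"""
import re

# Constructed sample documents (not captured from a real incident).
# MALICIOUS_DOC carries only the !!python/object/new tag named in the
# advisory; no working exploit body is reproduced here.
MALICIOUS_DOC = "!!python/object/new:os.system\nargs: ['id']\n"
BENIGN_DOC = "name: pyyaml\nversion: 5.3.1\n"

# Matches PyYAML-specific tags in either the short (!!python/...) or the
# verbatim (!<tag:yaml.org,2002:python/...>) form. A %TAG directive can
# still alias the same namespace, which is why this scan is only a
# second line of defence behind SafeLoader.
_PYTHON_TAG = re.compile(r"(?:!!|tag:yaml\.org,2002:)python/[^\s>]+")


def python_tags(doc):
    """Return every python/* tag found in the raw document text."""
    return _PYTHON_TAG.findall(doc)


def is_affected_version(version):
    """True for the PyYAML releases this bug covers: >= 5.1 and < 5.3.1.

    Assumes a plain dotted numeric version string such as "5.3" or "5.3.1".
    """
    parts = tuple(int(p) for p in version.split("."))
    return (5, 1) <= parts < (5, 3, 1)


def load_untrusted(doc):
    """Parse YAML that came from an untrusted source.

    Refuses anything that names a python/* tag up front, then hands the
    text to SafeLoader only. Never call yaml.load(), yaml.full_load() or
    any Loader other than SafeLoader here: FullLoader honoured
    python/object/new before 5.3.1, and SafeLoader has no constructor
    for it in any version, so it raises ConstructorError instead.
    """
    found = python_tags(doc)
    if found:
        raise ValueError("refusing to load YAML carrying tags: %r" % (found,))
    import yaml  # PyYAML; assumed available where this runs
    return yaml.safe_load(doc)


if __name__ == "__main__":
    for v in ("3.13", "5.1", "5.3", "5.3.1", "5.4"):
        print("pyyaml-%s affected: %s" % (v, is_affected_version(v)))
    print("tags in malicious doc:", python_tags(MALICIOUS_DOC))
    try:
        load_untrusted(MALICIOUS_DOC)
    except ValueError as e:
        print("rejected:", e)
    print("benign doc:", load_untrusted(BENIGN_DOC))
```

The version predicate is useful for auditing an installed tree (e.g. comparing it against `python -c "import yaml; print(yaml.__version__)"`), but upgrading does not remove the need for the loader discipline: the only loader whose behaviour on hostile input does not change from release to release is SafeLoader.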
Comment 1 Sam James (sec padawan) 2020-03-24 15:02:12 UTC
@maintainer(s), please advise if 5.3.1 is ready for stabilisation, or call yourself.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-03-24 15:32:26 UTC
It's a minor release, so I suppose we can stabilize it earlier.
Comment 3 Sam James (sec padawan) 2020-03-24 15:34:43 UTC
(In reply to Michał Górny from comment #2)
> It's a minor release, so I suppose we can stabilize it earlier.

Thanks for the quick response.
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 14:08:06 UTC
SuperH port disbanded.
Comment 5 Agostino Sarubbo gentoo-dev 2020-03-26 14:12:11 UTC
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-03-26 14:12:48 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-03-26 14:13:24 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-03-26 14:13:59 UTC
s390 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-03-26 14:14:33 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-03-26 14:15:17 UTC
x86 stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-03-27 13:29:19 UTC
amd64 stable
Comment 12 Mart Raudsepp gentoo-dev 2020-03-28 22:48:26 UTC
arm64 stable
Comment 13 Sergei Trofimovich gentoo-dev 2020-03-28 22:51:03 UTC
commit b4d062b92cd0ac405468a7ed8d553dd206c5b4a7
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Fri Mar 27 08:38:42 2020 +0100

    dev-python/pyyaml: stable 5.3.1 for hppa, bug #714182
Comment 14 Sergei Trofimovich gentoo-dev 2020-03-29 17:26:27 UTC
ia64 stable
Comment 15 Sergei Trofimovich gentoo-dev 2020-04-21 07:15:13 UTC
m68k dropped stable keywords
Comment 16 Sam James (sec padawan) 2020-04-21 07:20:09 UTC
@maintainer(s), please cleanup
Comment 17 Yury German Gentoo Infrastructure gentoo-dev Security 2020-04-26 01:59:47 UTC
GLSA Vote: No

Please drop vulnerable versions
Comment 18 Thomas Deutschmann gentoo-dev Security 2020-05-11 18:33:26 UTC
Bug 714866 is not blocking cleanup (anymore, fixed since bug 708682). Also, this vulnerability affects pyyaml-5.1+ only. From this bug it's not required to clean up =3.13.