Bug 766228 (CVE-2020-14343) - <dev-python/pyyaml-5.4: Deserialization vulnerability (CVE-2020-14343)
Summary: <dev-python/pyyaml-5.4: Deserialization vulnerability (CVE-2020-14343)
Status: RESOLVED FIXED
Alias: CVE-2020-14343
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-01-20 01:31 UTC by Sam James
Modified: 2024-02-26 15:46 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-20 01:31:49 UTC
"A vulnerability was discovered in the PyYAML library, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747."
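The description names the affected code path (full_load / FullLoader) and the tag family involved (python/object/new), and the bug title gives the first fixed version (5.4). The following is an added example written for this page; it is not code from the Gentoo bug, the GLSA, or the PyYAML project. It shows the three checks an operator would want: a version comparison against 5.4, a textual scan for Python-specific tags in a document about to be parsed, and a loader wrapper that only ever uses safe_load. It assumes PyYAML is importable as `yaml` for the loading step; the version and tag checks run without it, and the two sample documents are constructed (the tagged one points at a harmless standard-library class, since only the tag family matters for the check).

```python
"""Defender-side checks for the PyYAML issue tracked as CVE-2020-14343.

Added example; not code from the Gentoo bug, the GLSA, or the PyYAML project.
Assumptions: the fixed version is 5.4 (from the bug title), PyYAML is
importable as `yaml` for the loading step, and the sample documents below
are constructed for illustration.
"""
import re

# First release carrying the fix, taken from the bug title (<dev-python/pyyaml-5.4).
FIXED_VERSION = (5, 4)

# Constructed samples: a plain config and one carrying a Python-specific tag.
# The tag's target is a harmless stdlib class; only the tag family matters here.
CLEAN_DOC = "service:\n  name: web\n  port: 8080\n"
TAGGED_DOC = "service:\n  handler: !!python/object/new:collections.OrderedDict {}\n"

# Matches the short form (!!python/...) and the explicit-URI form of the same
# tags. A textual pre-filter only: it complements, never replaces, SafeLoader.
PYTHON_TAG = re.compile(r"!!python/[\w/]+|!<tag:yaml\.org,2002:python/[\w/]+>")


def parse_version(text):
    """'5.3.1' -> (5, 3, 1). Parsing stops at the first non-numeric component,
    so a pre-release such as '5.4b1' compares as older than 5.4 (conservative)."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_vulnerable_version(version):
    """True when the given PyYAML version predates the 5.4 fix."""
    return parse_version(version) < FIXED_VERSION


def find_python_tags(document):
    """Return (line number, tag) pairs for every Python-specific tag in the text."""
    hits = []
    for lineno, line in enumerate(document.splitlines(), 1):
        for match in PYTHON_TAG.finditer(line):
            hits.append((lineno, match.group()))
    return hits


def load_untrusted(document):
    """Parse untrusted YAML: refuse Python tags up front, then use SafeLoader only.

    full_load / FullLoader are the code paths named in the bug and must not be
    used on untrusted input; SafeLoader has no python/* constructors at all."""
    tags = find_python_tags(document)
    if tags:
        raise ValueError("refusing YAML with Python-specific tags: %r" % tags)
    import yaml  # assumption: PyYAML is installed
    return yaml.safe_load(document)


def installed_pyyaml_status():
    """Report the installed PyYAML version and whether it predates the fix,
    or None when PyYAML is not importable."""
    try:
        import yaml
    except ImportError:
        return None
    return {"version": yaml.__version__,
            "vulnerable": is_vulnerable_version(yaml.__version__)}


if __name__ == "__main__":
    print("installed PyYAML:", installed_pyyaml_status())
    print("tags in TAGGED_DOC:", find_python_tags(TAGGED_DOC))
    print("clean document parses to:", load_untrusted(CLEAN_DOC))
    # SafeLoader refuses the tag on its own even without the textual pre-filter.
    import yaml
    try:
        yaml.safe_load(TAGGED_DOC)
    except yaml.constructor.ConstructorError as exc:
        print("SafeLoader rejected the tagged document:", exc.problem)
```

The textual scan is deliberately a secondary control: it gives an early, loggable signal that someone sent Python tags to a service, but the property that actually closes the bug is never calling full_load or FullLoader on untrusted input, combined with running a version at or above 5.4.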
Comment 1 Larry the Git Cow gentoo-dev 2021-01-20 01:35:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e095455ebcf69605fe4f34332176da8198e7e333

commit e095455ebcf69605fe4f34332176da8198e7e333
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-01-20 01:35:12 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-20 01:35:12 +0000

    dev-python/pyyaml: security bump to 5.4
    
    Bug: https://bugs.gentoo.org/766228
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-python/pyyaml/Manifest          |  1 +
 dev-python/pyyaml/pyyaml-5.4.ebuild | 49 +++++++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2021-01-20 23:02:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fa1134a0a3e13f71d47fe7d3b84590e96eb1be16

commit fa1134a0a3e13f71d47fe7d3b84590e96eb1be16
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-01-20 23:01:57 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-20 23:02:03 +0000

    dev-python/pyyaml: bump to 5.4.1
    
    Bug: https://bugs.gentoo.org/766228
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-python/pyyaml/Manifest                                   | 2 +-
 dev-python/pyyaml/{pyyaml-5.4.ebuild => pyyaml-5.4.1.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
Comment 3 Agostino Sarubbo gentoo-dev 2021-01-22 16:55:00 UTC
amd64 stable
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-22 22:29:17 UTC
sparc done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-24 04:33:08 UTC
s390 done
Comment 6 Agostino Sarubbo gentoo-dev 2021-01-24 12:12:15 UTC
x86 stable
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-24 13:33:36 UTC
ppc64 done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-24 20:07:02 UTC
ppc done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-24 20:07:20 UTC
arm done
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-24 21:52:10 UTC
arm64 done
Comment 11 Rolf Eike Beer archtester 2021-02-08 09:16:22 UTC
hppa already stable
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-08 14:04:19 UTC
Please cleanup
Comment 13 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-11 02:53:01 UTC
Ping
Comment 14 NATTkA bot gentoo-dev 2021-07-29 17:24:23 UTC Comment hidden (obsolete)
Comment 15 NATTkA bot gentoo-dev 2021-07-29 17:32:53 UTC Comment hidden (obsolete)
Comment 16 NATTkA bot gentoo-dev 2021-07-29 17:40:45 UTC Comment hidden (obsolete)
Comment 17 NATTkA bot gentoo-dev 2021-07-29 17:48:55 UTC Comment hidden (obsolete)
Comment 18 NATTkA bot gentoo-dev 2021-07-29 18:04:51 UTC Comment hidden (obsolete)
Comment 19 NATTkA bot gentoo-dev 2021-07-29 18:13:08 UTC
Package list is empty or all packages have requested keywords.
Comment 20 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-06-12 05:33:03 UTC
Can we close this now?
Comment 21 Larry the Git Cow gentoo-dev 2024-02-26 15:45:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=e549b151411e283e5129e0b82b21b1fc7c93bcd7

commit e549b151411e283e5129e0b82b21b1fc7c93bcd7
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-26 15:44:41 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-02-26 15:45:06 +0000

    [ GLSA 202402-33 ] PyYAML: Arbitrary Code Execution
    
    Bug: https://bugs.gentoo.org/766228
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202402-33.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)