Bug 766228 (CVE-2020-14343) - <dev-python/pyyaml-5.4: Deserialization vulnerability (CVE-2020-14343)
Summary: <dev-python/pyyaml-5.4: Deserialization vulnerability (CVE-2020-14343)
Status: IN_PROGRESS
Alias: CVE-2020-14343
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa? cleanup]
Keywords:
Depends on:
Blocks:
Reported: 2021-01-20 01:31 UTC by Sam James
Modified: 2021-02-08 14:04 UTC (History)

See Also:
Package list:
Runtime testing required: ---

Description Sam James archtester gentoo-dev Security 2021-01-20 01:31:49 UTC
"A vulnerability was discovered in the PyYAML library, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747."
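Added example for the advisory text above (not code from this bug, from the Gentoo tree or from PyYAML; the sample module it scans and the helper names are constructed for illustration): an AST-based audit that finds call sites feeding YAML to full_load()/FullLoader or to yaml.load() without a Loader, a version check against the fixed 5.4, and the safe_load() replacement for untrusted input. It deliberately contains no exploit payload; the point is triaging where the library is used unsafely, not reproducing the bug.

```python
"""Audit helpers for CVE-2020-14343 (PyYAML < 5.4, FullLoader code execution).

Added example; not code from this bug, the Gentoo tree or PyYAML. Two checks
that follow from the advisory text: is a PyYAML version below the fixed 5.4,
and which call sites in our own code hand YAML to full_load()/FullLoader (or
to yaml.load() with no Loader, which selects FullLoader on 5.1+). The fix for
untrusted input, yaml.safe_load(), is wrapped at the end.
"""
import ast
import re

FIXED_VERSION = (5, 4)  # per the bug title: <dev-python/pyyaml-5.4 is affected
# Loaders / shortcuts that register python/* constructors; SafeLoader does not.
UNSAFE_LOADERS = {"FullLoader", "Loader", "UnsafeLoader"}
UNSAFE_FUNCS = {"full_load", "full_load_all", "unsafe_load", "unsafe_load_all"}


def parse_version(version: str) -> tuple:
    """'5.3.1' -> (5, 3, 1); '5.4b1' -> (5, 4): leading integers of each piece."""
    nums = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def is_affected(version: str) -> bool:
    """True when the version predates the 5.4 fix. A pre-release tagged 5.4
    (e.g. 5.4b1) is not the final fixed release, so it is counted as affected."""
    nums = parse_version(version)
    prerelease = re.search(r"\d[A-Za-z]", version) is not None
    return nums < FIXED_VERSION or (nums == FIXED_VERSION and prerelease)


def _dotted(node: ast.AST) -> str:
    """yaml.full_load / yaml.FullLoader / FullLoader -> dotted string ('' if not a name)."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return _dotted(node.value) + "." + node.attr
    return ""


def _yaml_bindings(tree: ast.AST):
    """Names bound to the yaml module, and alias -> original for `from yaml import`."""
    modules, names = set(), {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            modules.update(a.asname or "yaml" for a in node.names if a.name == "yaml")
        elif isinstance(node, ast.ImportFrom) and node.module == "yaml":
            names.update({a.asname or a.name: a.name for a in node.names})
    return modules, names


def find_unsafe_yaml_calls(source: str) -> list:
    """(line, reason) for every PyYAML call that does not go through SafeLoader."""
    tree = ast.parse(source)
    modules, names = _yaml_bindings(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        callee = _dotted(node.func)
        if "." in callee:                      # yaml.load(...), y.full_load(...)
            mod, short = callee.rsplit(".", 1)
            if mod not in modules:
                continue                       # json.load(...) and friends
        else:                                  # yload(...) after `from yaml import load as yload`
            short = names.get(callee, "")
        if short in UNSAFE_FUNCS:
            findings.append((node.lineno, f"{callee}() constructs python/* objects"))
        elif short in ("load", "load_all"):
            kw = next((k for k in node.keywords if k.arg == "Loader"), None)
            if kw is None and len(node.args) < 2:
                findings.append((node.lineno, f"{callee}() without Loader= selects FullLoader"))
                continue
            loader = _dotted(kw.value if kw is not None else node.args[1])
            loader = loader.rsplit(".", 1)[-1] if "." in loader else names.get(loader, loader)
            if loader in UNSAFE_LOADERS:
                findings.append((node.lineno, f"{callee}(Loader={loader})"))
    return sorted(findings)


def load_untrusted(text: str):
    """What flagged call sites should do instead: SafeLoader knows no python/* tags."""
    import yaml  # imported lazily so the audit helpers run where PyYAML is absent
    return yaml.safe_load(text)


# Constructed sample module to scan (not real project code).
SAMPLE_SOURCE = """\
import yaml
from yaml import load as yload, FullLoader

def parse_config(text): return yaml.safe_load(text)                        # line 4: ok
def parse_upload(text): return yaml.full_load(text)                        # line 5: flagged
def parse_legacy(text): return yload(text, Loader=FullLoader)              # line 6: flagged
def parse_old(text): return yaml.load(text)                                # line 7: flagged
def parse_explicit(text): return yaml.load(text, Loader=yaml.SafeLoader)   # line 8: ok
"""

if __name__ == "__main__":
    for ver in ("5.3.1", "5.4b1", "5.4", "5.4.1"):
        print(f"pyyaml {ver}: {'affected' if is_affected(ver) else 'fixed'}")
    for line, reason in find_unsafe_yaml_calls(SAMPLE_SOURCE):
        print(f"line {line}: {reason}")
```

Run it as a script to print the findings for the embedded sample; to audit a tree, feed each .py file's text to find_unsafe_yaml_calls(). The scanner follows `import yaml as y` and `from yaml import load as ...` aliases but not dynamic attribute access, so treat it as a triage aid alongside the package upgrade, not as the fix itself.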
Comment 1 Larry the Git Cow gentoo-dev 2021-01-20 01:35:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e095455ebcf69605fe4f34332176da8198e7e333

commit e095455ebcf69605fe4f34332176da8198e7e333
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-01-20 01:35:12 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-20 01:35:12 +0000

    dev-python/pyyaml: security bump to 5.4
    
    Bug: https://bugs.gentoo.org/766228
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-python/pyyaml/Manifest          |  1 +
 dev-python/pyyaml/pyyaml-5.4.ebuild | 49 +++++++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2021-01-20 23:02:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fa1134a0a3e13f71d47fe7d3b84590e96eb1be16

commit fa1134a0a3e13f71d47fe7d3b84590e96eb1be16
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-01-20 23:01:57 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-20 23:02:03 +0000

    dev-python/pyyaml: bump to 5.4.1
    
    Bug: https://bugs.gentoo.org/766228
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-python/pyyaml/Manifest                                   | 2 +-
 dev-python/pyyaml/{pyyaml-5.4.ebuild => pyyaml-5.4.1.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
Comment 3 Agostino Sarubbo gentoo-dev 2021-01-22 16:55:00 UTC
amd64 stable
Comment 4 Sam James archtester gentoo-dev Security 2021-01-22 22:29:17 UTC
sparc done
Comment 5 Sam James archtester gentoo-dev Security 2021-01-24 04:33:08 UTC
s390 done
Comment 6 Agostino Sarubbo gentoo-dev 2021-01-24 12:12:15 UTC
x86 stable
Comment 7 Sam James archtester gentoo-dev Security 2021-01-24 13:33:36 UTC
ppc64 done
Comment 8 Sam James archtester gentoo-dev Security 2021-01-24 20:07:02 UTC
ppc done
Comment 9 Sam James archtester gentoo-dev Security 2021-01-24 20:07:20 UTC
arm done
Comment 10 Sam James archtester gentoo-dev Security 2021-01-24 21:52:10 UTC
arm64 done
Comment 11 Rolf Eike Beer 2021-02-08 09:16:22 UTC
hppa already stable
Comment 12 John Helmert III gentoo-dev Security 2021-02-08 14:04:19 UTC
Please cleanup