On Tue, Mar 03, 2020 at 12:15:09PM -0500, Scott Kitterman wrote:
> On Tuesday, March 3, 2020 11:41:26 AM EST Salvatore Bonaccorso wrote:
> > OK. If anyone has a reproducer for this, it'd be very helpful to sort it out.
>
> I think this is like the recent CVE for python-bleach where the affected code
> didn't exist in the older releases, but the issue was still demonstrable. I
> suspect that pyyaml << 5.1 will still have this problem even with the
> SafeLoader, since the FullLoader shares code with the older SafeLoader.
>
> I can see how to adapt the upstream pull request to the 3.X releases, but I
> agree it's not clear what the regression risk would be. I decided to leave
> the security tracker alone for now too.
In comparable cases in the past (I can't name specific cases, but it has happened multiple times for sure) where divergent interfaces were affected, this typically led to two CVE IDs. I don't think anyone is really up to dealing with the bureaucracy involved, though.

As for the regression impact, I can't tell. If there's a fix which is agreed to be non-risky and fixes the security issue, we can simply apply it independent of the whole CVE discussion.

Cheers,
Moritz