Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu

Hi release team,

[ Reason ]
The ros-actionlib version in buster is affected by CVE-2020-10289 which was
flagged no-dsa by the security team.

[ Impact ]
I assume it's low because the code is only used in two debug tools.

[ Tests ]
None.

[ Risks ]
The fix is trivial (yaml.load -> yaml.safe_load) and the risk is low as the
yaml is generated from a string in the same process. There is no use of the
extended functionality provided by yaml.load in these scripts.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Use yaml.safe_load instead of yaml.load as promoted by upstream:
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation

Cheers Jochen
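To show what the one-line change in the attached patch actually gates, here is an added example (not code from ros-actionlib or from this bug report) built around a trimmed stand-in for the yaml_msg_str() helper in tools/library.py. The helper names yaml_msg_dict, parse_outcome and unpatched_load and the sample YAML documents are constructed for this illustration, and PyYAML is assumed to be installed.

```python
import yaml

# Added example, not code from the actionlib package: a trimmed stand-in for the
# yaml_msg_str() helper in tools/library.py (message type argument dropped, only
# the YAML parsing step is kept).
def yaml_msg_dict(yaml_str, filename=None):
    """Parse one YAML document into a message dict with safe_load."""
    if yaml_str.strip() == '':
        msg_dict = {}
    else:
        # safe_load builds only plain YAML types; any !!python/... tag raises
        # yaml.constructor.ConstructorError instead of constructing an object.
        msg_dict = yaml.safe_load(yaml_str)
    # safe_load returns None for a comment-only document, so the isinstance
    # check from the original helper is what turns that into a clean error.
    if not isinstance(msg_dict, dict):
        if filename:
            raise ValueError("yaml file [%s] does not contain a dictionary" % filename)
        raise ValueError("yaml string does not contain a dictionary")
    return msg_dict


def parse_outcome(yaml_str):
    """Classify a parse as ('ok', dict), ('rejected', exc name) or ('invalid', msg)."""
    try:
        return ('ok', yaml_msg_dict(yaml_str))
    except yaml.YAMLError as exc:          # ConstructorError is a YAMLError
        return ('rejected', type(exc).__name__)
    except ValueError as exc:
        return ('invalid', str(exc))


def unpatched_load(yaml_str):
    """What the pre-fix yaml.load did with the same text (UnsafeLoader where present)."""
    loader = getattr(yaml, 'UnsafeLoader', yaml.Loader)
    return yaml.load(yaml_str, Loader=loader)


# Constructed sample inputs, not taken from the bug report.
GOAL_YAML = "target_pose: {x: 1.5, y: -2.0}\nmax_velocity: 0.3\n"
TAGGED_YAML = "target_pose: !!python/tuple [1.5, -2.0]\n"  # tag -> Python object
COMMENT_ONLY_YAML = "# no fields set\n"
LIST_YAML = "- a\n- b\n"

if __name__ == "__main__":
    for sample in (GOAL_YAML, TAGGED_YAML, COMMENT_ONLY_YAML, LIST_YAML):
        print(repr(sample), '->', parse_outcome(sample))
    # The tagged document, which safe_load rejects, is silently constructed
    # into a tuple by the old loader: {'target_pose': (1.5, -2.0)}
    print(unpatched_load(TAGGED_YAML))
```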
diff --git a/debian/changelog b/debian/changelog index 4864907..987959b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +ros-actionlib (1.11.15-1+deb10u1) buster; urgency=high + + * Add https://github.com/ros/actionlib/pull/171 (Fix CVE-2020-10289) + + -- Jochen Sprickerhof <[email protected]> Sat, 22 Aug 2020 10:53:23 +0200 + ros-actionlib (1.11.15-1) unstable; urgency=medium * New upstream version 1.11.15 diff --git a/debian/patches/0003-Address-RVD-2401.patch b/debian/patches/0003-Address-RVD-2401.patch new file mode 100644 index 0000000..efe9455 --- /dev/null +++ b/debian/patches/0003-Address-RVD-2401.patch 
@@ -0,0 +1,44 @@ +From: =?utf-8?q?V=C3=ADctor_Mayoral_Vilches?= <[email protected]> +Date: Thu, 20 Aug 2020 09:41:56 +0200 +Subject: Address RVD#2401 + +Our team at @AliasRobotics identified and reported in RVD#2401 the use of +unsafe yaml load (https://github.com/aliasrobotics/RVD/issues/2401). + +After triaging the flaw we detected that it was exploitable and could lead to +local (or remote, based on certain common user interaction) code execution. + +Specifically, the flaw itself is caused by an unsafe parsing of YAML values which +happens whenever an action message is processed to be sent, and allows for the +creation of Python objects. Through this flaw in ROS, an attacker could build a +malicious payload and execute arbitrary code in Python. A PoC is available but +have decided not to disclose it for now and until this is mitigated and debs are +available. + +Peer-researched and coded with @ibaiape. +--- + tools/library.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/library.py b/tools/library.py +index 6d344e2..f97074e 100644 +--- a/tools/library.py ++++ b/tools/library.py +@@ -96,7 +96,7 @@ def yaml_msg_str(type_, yaml_str, filename=None): + if yaml_str.strip() == '': + msg_dict = {} + else: +- msg_dict = yaml.load(yaml_str) ++ msg_dict = yaml.safe_load(yaml_str) + if not isinstance(msg_dict, dict): + if filename: + raise ValueError("yaml file [%s] does not contain a dictionary" % filename) +@@ -130,7 +130,7 @@ def yaml_msgs_str(type_, yaml_str, filename=None): + @type filename: str + """ + import yaml +- yaml_doc = yaml.load(yaml_str) ++ yaml_doc = yaml.safe_load(yaml_str) + msgs = [] + for msg_dict in yaml_doc: + if not isinstance(msg_dict, dict): diff --git a/debian/patches/series b/debian/patches/series index aed59c0..6f975c6 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ 0001-Add-Debian-specific-SONAME.patch 0002-Add-shebang.patch +0003-Address-RVD-2401.patch
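Review bot: in the `@@ -130,7 +130,7 @@ def yaml_msgs_str` hunk of the embedded patch, `yaml_doc = yaml.safe_load(yaml_str)` still feeds `for msg_dict in yaml_doc:` with no guard, so an empty or comment-only document makes safe_load return None and the loop raises TypeError rather than the ValueError the per-message dict check produces for other bad input. This is pre-existing behaviour, not introduced by the change, but since the line is being touched anyway, `yaml_doc = yaml.safe_load(yaml_str) or []` would make the two helpers fail consistently. The `@@ -96,7 +96,7 @@ def yaml_msg_str` hunk needs no such change because its `isinstance(msg_dict, dict)` check already rejects None.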

