Ben/sysadmins,

git-kpull failed for me on Gentoo, due to an apparently long-open CVE for pyyaml. See https://bugs.gentoo.org/659348 for more information. The suggested fix (in comment 14 of that bug) is "you'll need to patch out those unsafe calls. Look for calls to "yaml.load()" and replace them with calls to "yaml.full_load()" (or "yaml.safe_load()" if you know what you're doing). See upstream issue #265 [https://github.com/yaml/pyyaml/issues/265] for details."

In my case, the single change on line 36 of git-kpull:
-    metadata = yaml.load( metadataFile )
+    metadata = yaml.full_load( metadataFile )
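Review bot: Prefer yaml.safe_load( metadataFile ) over yaml.full_load( metadataFile ) on the + line unless the metadata file is known to rely on Python-specific tags; safe_load constructs only standard YAML types (mappings, sequences, strings, numbers, booleans, null), so plain metadata loads identically while the !!python/... tags that made the bare yaml.load() call a concern are rejected outright. Note also that full_load() exists only in PyYAML 5.1 and newer, whereas safe_load() is available in older releases as well.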

I don't know enough python to know whether yaml.safe_load() would work or not and whether it would be any better or not.

Jack
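As an added example (not code from git-kpull or from anyone in this thread), the following loads constructed metadata with yaml.safe_load() and shows the one difference the message asks about: full_load() accepts some Python-specific tags that safe_load() refuses. It assumes PyYAML 5.1 or newer, where yaml.full_load() was introduced.

```python
"""Added example: safe_load() as the stricter replacement for yaml.load()."""
import yaml
from yaml.constructor import ConstructorError

# Constructed sample of plain-data metadata of the kind a tool such as
# git-kpull would read: only mappings, sequences and scalars.
PLAIN_METADATA = """\
name: example-package
version: "1.2.3"
maintainers:
  - alice@example.invalid
  - bob@example.invalid
"""

# Constructed document carrying a PyYAML-specific tag.  !!python/tuple is
# harmless, but it lies outside the YAML core schema, so safe_load refuses
# it while full_load resolves it to a Python tuple.
TAGGED_METADATA = """\
name: example-package
pair: !!python/tuple [1, 2]
"""


def load_metadata(text):
    """Parse metadata with yaml.safe_load(), which constructs only the
    standard YAML types (dict, list, str, int, float, bool, None)."""
    return yaml.safe_load(text)


def classify_document(text):
    """Return 'safe' if safe_load accepts the document, 'full-only' if only
    full_load does, or 'rejected' if both loaders refuse it."""
    try:
        yaml.safe_load(text)
        return "safe"
    except ConstructorError:
        pass
    try:
        yaml.full_load(text)
        return "full-only"
    except ConstructorError:
        return "rejected"


if __name__ == "__main__":
    print(load_metadata(PLAIN_METADATA))
    print(classify_document(PLAIN_METADATA), classify_document(TAGGED_METADATA))
```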
