>-----Original Message-----
>From: [email protected]
><[email protected]> On Behalf Of Chen, Libo (CN)
>via lists.openembedded.org
>Sent: Monday, April 27, 2026 2:20 PM
>To: [email protected]; Wang, Jinfeng (CN)
><[email protected]>;
>[email protected]
>Subject: Re: [OE-core] [scarthgap][PATCH 04/12] python3-ply: fix
>CVE-2025-56005
>
>
>
>>-----Original Message-----
>>From: [email protected]
>><[email protected]> On Behalf Of Yoann Congal
>>via lists.openembedded.org
>>Sent: Friday, April 24, 2026 2:45 PM
>>To: Wang, Jinfeng (CN) <[email protected]>;
>>[email protected]
>>Subject: Re: [OE-core] [scarthgap][PATCH 04/12] python3-ply: fix
>>CVE-2025-56005
>>
>>On Thu Apr 9, 2026 at 8:16 AM CEST, Jinfeng (CN) via
>>lists.openembedded.org Wang wrote:
>>> From: Libo Chen <[email protected]>
>>>
>>> According to [1], An undocumented and unsafe feature in the PLY
>>> (Python
>>> Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the
>>> `picklefile` parameter in the `yacc()` function. This parameter
>>> accepts a `.pkl` file that is deserialized with `pickle.load()`
>>> without validation. Because `pickle` allows execution of embedded
>>> code via `__reduce__()`, an attacker can achieve code execution by
>>> passing a malicious pickle file. The parameter is not mentioned in
>>> official documentation or the GitHub repository, yet it is active in
>>> the PyPI version. This introduces a stealthy backdoor and persistence risk.
>>>
>>> [1] https://nvd.nist.gov/vuln/detail/CVE-2025-56005
>>>
>>> Signed-off-by: Libo Chen <[email protected]>
>>> Signed-off-by: Jinfeng Wang <[email protected]>
>>> ---
>>>  .../python/python3-ply/CVE-2025-56005.patch   | 125
>>++++++++++++++++++
>>>  .../python/python3-ply_3.11.bb                |   4 +
>>>  2 files changed, 129 insertions(+)
>>>  create mode 100644
>>> meta/recipes-devtools/python/python3-ply/CVE-2025-56005.patch
>>>
>>> diff --git
>>> a/meta/recipes-devtools/python/python3-ply/CVE-2025-56005.patch
>>> b/meta/recipes-devtools/python/python3-ply/CVE-2025-56005.patch
>>> new file mode 100644
>>> index 0000000000..3f1e62b766
>>> --- /dev/null
>>> +++ b/meta/recipes-devtools/python/python3-ply/CVE-2025-56005.patch
>>> @@ -0,0 +1,125 @@
>>> +From bfaebcc33a5af77f2701581638aa31a1bf918302 Mon Sep 17 00:00:00
>>> +2001
>>> +From: Libo Chen <[email protected]>
>>> +Date: Tue, 27 Jan 2026 13:58:57 +0800
>>> +Subject: [PATCH] python3-ply: fix CVE-2025-56005
>>> +
>>> +Deprecate and disable the unsafe picklefile parameter and related
>>> +pickle serialization/deserialization functions to prevent RCE attacks.
>>> +
>>> +The picklefile parameter in yacc() now issues a DeprecationWarning
>>> +and is ignored. The read_pickle() and pickle_table() methods are
>>> +stubbed out to issue warnings and raise NotImplementedError,
>>> +following Python's standard practice for security-deprecated APIs.
>>> +
>>> +CVE: CVE-2025-56005
>>> +
>>> +Upstream-Status: Inactive-Upstream
>>> +
>>> +Signed-off-by: Libo Chen <[email protected]>
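
Review bot: The "Upstream-Status: Inactive-Upstream" line in the embedded
patch header carries no supporting detail. OE's convention for this status
is "Inactive-Upstream [lastcommit: when (and/or) lastrelease: when]", so add
the bracketed note and record the state of the upstream repository in the
patch description, where a later maintainer reading only the .patch file
will find it.
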
>>
>>Hello,
>>
>>The status of this patch is not clear: It is not mentioned in the NVD
>>report you linked.
>
>The upstream https://github.com/dabeaz/ply was archived by the owner on Dec
>22, 2025. It is now read-only. So I could not submit my patch to the upstream
>and could only mark it as "Upstream-Status: Inactive-Upstream".
>
>>And there is an argument to reject the CVE:
>>https://github.com/tom025/ply_exploit_rejection/blob/main/README.md
>
>I can reproduce this CVE. Here're my steps:
>

Yoann, do you have any additional comments? Thanks.

>1) copy the source code from
>https://github.com/bohmiiidd/Undocumented-RCE-in-PLY/ to a python script
>ply-bug.py
>
>2) set up a uv environment. Here's the configuration:
>[xyz/temp/ply-poc]$ cat /buildarea1/xyz/opt/pyenv/pyproject.toml
>[project]
>name = "pyenv"
>version = "0.1.0"
>description = "Add your description here"
>readme = "README.md"
>requires-python = ">=3.14.2"
>dependencies = [
>    "ply==3.11",
>]
>[xyz/temp/ply-poc]$ lsb_release -a
>No LSB modules are available.
>Distributor ID: Ubuntu
>Description:    Ubuntu 20.04.6 LTS
>Release:        20.04
>Codename:       focal
>
>3) run the python script ply-bug.py
>
>[xyz/temp/ply-poc]$ ls -l /tmp/pwned && cat /tmp/pwned
>ls: cannot access '/tmp/pwned': No such file or directory
>[xyz/temp/ply-poc]$ uv --directory /buildarea1/xyz/opt/pyenv run python /buildarea1/xyz/temp/ply-poc/ply-bug.py
>WARNING: yacc table file version is out of date
>WARNING: no p_error() function is defined
>Traceback (most recent call last):
>  File "/buildarea1/xyz/temp/ply-poc/ply-bug.py", line 35, in <module>
>    parser.parse('example')
>    ~~~~~~~~~~~~^^^^^^^^^^^
>  File "/buildarea1/xyz/opt/pyenv/.venv/lib/python3.14/site-packages/ply/yacc.py", line 333, in parse
>    return self.parseopt_notrack(input, lexer, debug, tracking, tokenfunc)
>           ~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>  File "/buildarea1/xyz/opt/pyenv/.venv/lib/python3.14/site-packages/ply/yacc.py", line 1018, in parseopt_notrack
>    lexer = lex.lexer
>            ^^^^^^^^^
>AttributeError: module 'ply.lex' has no attribute 'lexer'. Did you mean: 'Lexer'?
>[xyz/temp/ply-poc]$ ls -l /tmp/pwned && cat /tmp/pwned
>-rw-r--r-- 1 xyz users 11 Apr 27 13:46 /tmp/pwned
>VULNERABLE
>>
>>In doubt (such as this), I'd rather leave the CVE applicable and let
>>downstream users that use impacted code decide for themselves how they
>>want to handle this CVE.
>>
>>> +---
>>> + ply/yacc.py | 72
>>> ++++++++++++++++++++++--------------------------------
>>> + 1 file changed, 28 insertions(+), 44 deletions(-)
>>> +
>>> +diff --git a/ply/yacc.py b/ply/yacc.py index 88188a1..5103566 100644
>>> +--- a/ply/yacc.py
>>> ++++ b/ply/yacc.py
>>> +@@ -1998,31 +1998,15 @@ class LRTable(object):
>>> +         return parsetab._lr_signature
>>> +
>>> +     def read_pickle(self, filename):
>>> +-        try:
>>> +-            import cPickle as pickle
>>> +-        except ImportError:
>>> +-            import pickle
>>> +-
>>> +-        if not os.path.exists(filename):
>>> +-          raise ImportError
>>> +-
>>> +-        in_f = open(filename, 'rb')
>>> +-
>>> +-        tabversion = pickle.load(in_f)
>>> +-        if tabversion != __tabversion__:
>>> +-            raise VersionError('yacc table file version is out of date')
>>> +-        self.lr_method = pickle.load(in_f)
>>> +-        signature      = pickle.load(in_f)
>>> +-        self.lr_action = pickle.load(in_f)
>>> +-        self.lr_goto   = pickle.load(in_f)
>>> +-        productions    = pickle.load(in_f)
>>> +-
>>> +-        self.lr_productions = []
>>> +-        for p in productions:
>>> +-            self.lr_productions.append(MiniProduction(*p))
>>> +-
>>> +-        in_f.close()
>>> +-        return signature
>>> ++        import warnings
>>> ++        warnings.warn(
>>> ++            "read_pickle() is deprecated and disabled due to
>>> ++ security
>>vulnerability CVE-2025-56005. "
>>> ++            "Pickle deserialization can lead to arbitrary code execution. 
>>> "
>>> ++            "This function is no longer supported.",
>>> ++            DeprecationWarning,
>>> ++            stacklevel=2
>>> ++        )
>>> ++        raise NotImplementedError("read_pickle() is disabled for
>>> ++ security reasons (CVE-2025-56005)")
>>
>>And, also, this is quite a breaking change for a stable user using this 
>>feature.
>>
>>So, I can't accept this one. Sorry.
>>
>>> +
>>> +     # Bind all production function names to callable objects in pdict
>>> +     def bind_callables(self, pdict):
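
Review bot: In read_pickle(), the replacement raises NotImplementedError
where the removed code raised ImportError for a missing file and
VersionError for a stale table, so a caller written to handle those two now
sees an exception type it does not expect. If the function has to be
disabled, keep the failure within the exceptions it already raised, or state
the new contract in the patch description. The warnings.warn() call directly
before an unconditional raise adds nothing the exception message does not
already say, and DeprecationWarning is hidden by Python's default filters
unless the calling code runs in __main__; drop the warning or fold its text
into the exception.
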
>>> +@@ -2845,27 +2829,19 @@ del _lr_goto_items
>>> +     # pickle_table()
>>> +     #
>>> +     # This function pickles the LR parsing tables to a supplied
>>> +file object
>>> ++    # DEPRECATED: Disabled due to CVE-2025-56005
>>> +     #
>>> + -------------------------------------------------------------------
>>> + -
>>> + ---------
>>> +
>>> +     def pickle_table(self, filename, signature=''):
>>> +-        try:
>>> +-            import cPickle as pickle
>>> +-        except ImportError:
>>> +-            import pickle
>>> +-        with open(filename, 'wb') as outf:
>>> +-            pickle.dump(__tabversion__, outf, pickle_protocol)
>>> +-            pickle.dump(self.lr_method, outf, pickle_protocol)
>>> +-            pickle.dump(signature, outf, pickle_protocol)
>>> +-            pickle.dump(self.lr_action, outf, pickle_protocol)
>>> +-            pickle.dump(self.lr_goto, outf, pickle_protocol)
>>> +-
>>> +-            outp = []
>>> +-            for p in self.lr_productions:
>>> +-                if p.func:
>>> +-                    outp.append((p.str, p.name, p.len, p.func,
>>os.path.basename(p.file), p.line))
>>> +-                else:
>>> +-                    outp.append((str(p), p.name, p.len, None, None,
>>None))
>>> +-            pickle.dump(outp, outf, pickle_protocol)
>>> ++        import warnings
>>> ++        warnings.warn(
>>> ++            "pickle_table() is deprecated and disabled due to
>>> ++ security
>>vulnerability CVE-2025-56005. "
>>> ++            "Pickle serialization can lead to arbitrary code
>>> ++ execution when
>>deserialized. "
>>> ++            "This function is no longer supported.",
>>> ++            DeprecationWarning,
>>> ++            stacklevel=2
>>> ++        )
>>> ++        raise NotImplementedError("pickle_table() is disabled for
>>> ++ security reasons (CVE-2025-56005)")
>>> +
>>> + # 
>>> -----------------------------------------------------------------------------
>>> + #                            === INTROSPECTION ===
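
Review bot: pickle_table() only writes a table file; the load path named in
the CVE text is pickle.load(), which sits in read_pickle(). Turning the
writer into a NotImplementedError breaks callers that generate tables
without closing any read path, and the new warning text ("Pickle
serialization can lead to arbitrary code execution when deserialized")
describes the reader, not this function. Either leave the writer as it was
or justify disabling it in the patch description.
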
>>> +@@ -3225,7 +3201,15 @@ def yacc(method='LALR', debug=yaccdebug,
>>> +module=None, tabmodule=tab_module, star
>>> +
>>> +     # If pickling is enabled, table files are not created
>>> +     if picklefile:
>>> +-        write_tables = 0
>>> ++        import warnings
>>> ++        warnings.warn(
>>> ++            "The 'picklefile' parameter is deprecated and disabled
>>> ++ due to
>>security vulnerability CVE-2025-56005. "
>>> ++            "Pickle deserialization can lead to arbitrary code execution. 
>>> "
>>> ++            "The parameter will be ignored and standard table files
>>> ++ will be
>>used instead.",
>>> ++            DeprecationWarning,
>>> ++            stacklevel=2
>>> ++        )
>>> ++        picklefile = None
>>> +
>>> +     if errorlog is None:
>>> +         errorlog = PlyLogger(sys.stderr)
>>> +--
>>> +2.34.1
>>> +
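
Review bot: In yacc(), dropping "write_tables = 0" changes more than the
pickle path. Per the new warning text, a caller that passes picklefile now
gets standard table files instead, while the comment kept just above ("If
pickling is enabled, table files are not created") no longer matches the
code. Update that comment and name the table-file side effect in the patch
description. The argument is also discarded quietly in most deployments:
DeprecationWarning with stacklevel=2 is attributed to the caller of yacc()
and is hidden by default outside __main__, so a category that is shown by
default would make the ignored parameter visible.
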
>>> diff --git a/meta/recipes-devtools/python/python3-ply_3.11.bb
>>> b/meta/recipes-devtools/python/python3-ply_3.11.bb
>>> index a05bd6702d..41bcac2be8 100644
>>> --- a/meta/recipes-devtools/python/python3-ply_3.11.bb
>>> +++ b/meta/recipes-devtools/python/python3-ply_3.11.bb
>>> @@ -8,6 +8,10 @@ LIC_FILES_CHKSUM =
>>> "file://README.md;beginline=5;endline=32;md5=f5ee5c355c0e6719
>>>  SRC_URI[md5sum] = "6465f602e656455affcd7c5734c638f8"
>>>  SRC_URI[sha256sum] =
>>"00c7c1aaa88358b9c765b6d3000c6eec0ba42abca5351b095321aef446081da3
>"
>>>
>>> +SRC_URI += " \
>>> +    file://CVE-2025-56005.patch \
>>> +"
>>> +
>>>  inherit pypi setuptools3
>>>
>>>  RDEPENDS:${PN}:class-target += "\
>>
>>
>>--
>>Yoann Congal
>>Smile ECS
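
For downstream users who still depend on pickled tables (the compatibility concern raised in this thread), one way to read such a file without letting it resolve any callable is a restricted unpickler. This is an added example, not part of the patch or of PLY; the `TABVERSION` value, the helper names and both sample streams are assumptions constructed for the illustration.

```python
import io
import pickle

TABVERSION = "3.10"  # assumption: ply.yacc.__tabversion__ as shipped with PLY 3.11


class NoGlobalsUnpickler(pickle.Unpickler):
    """Assumption: a table file holds only plain data, so no global is needed."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def load_table_pickle(data, tabversion=TABVERSION):
    """Read the six objects read_pickle() reads, in order, resolving no globals."""
    up = NoGlobalsUnpickler(io.BytesIO(data))
    if up.load() != tabversion:
        raise ValueError("yacc table file version is out of date")
    method, signature, action, goto, prods = (up.load() for _ in range(5))
    if not (isinstance(method, str) and isinstance(action, dict)
            and isinstance(goto, dict) and isinstance(prods, list)):
        raise ValueError("unexpected object types in table file")
    if not all(isinstance(p, tuple) and len(p) == 6 for p in prods):
        raise ValueError("malformed production entry")
    return {"lr_method": method, "signature": signature, "lr_action": action,
            "lr_goto": goto, "productions": prods}


def is_acceptable(data):
    """True only if the byte stream parses as a plain-data table file."""
    try:
        load_table_pickle(data)
        return True
    except Exception:  # any parse or validation failure means: do not use it
        return False


def stream_of(objs):
    """Serialize objects back to back, the way the removed pickle_table() did."""
    buf = io.BytesIO()
    for obj in objs:
        pickle.dump(obj, buf, pickle.HIGHEST_PROTOCOL)
    return buf.getvalue()


# Constructed samples: a minimal plain-data table, and the same stream with the
# signature swapped for a reference to a builtin (inert, but it needs a global).
GOOD_TABLE = ("3.10", "LALR", "sig", {0: {"NAME": 1}}, {0: {"expr": 2}},
              [("S' -> expr", "S'", 1, None, None, None)])
GOOD_SAMPLE = stream_of(GOOD_TABLE)
TAMPERED_SAMPLE = stream_of(GOOD_TABLE[:2] + (len,) + GOOD_TABLE[3:])
```
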
