Bug#902878: pyyaml: CVE-2017-18342: still not completely fixed

2019-08-05 Thread Scott Kitterman
On Thu, 11 Jul 2019 10:16:48 +0300 mer...@debian.org wrote:
> Hello,
> 
> According to [1] the unsafe loader yaml.UnsafeLoader is still
> vulnerable, and could be used upon request. While strictly speaking the
> vulnerability is fixed by using safe reader by default, I assume
> complete safety can only be achieved by disabling the yaml.UnsafeLoader.
> 
> Best,
> Andrius
> 
> [1] https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation

As far as I've checked, all yaml parsers have an unsafe option.  It's
perfectly appropriate to use on sanitized input.  It's up to the calling
library to do it correctly.  The change requires explicit selection of a
loader, so any program using the unsafe loader will be doing it on purpose.
Whether they do it well or poorly is up to the calling program, not pyyaml.

The fixed version, 5.1.2-1, is now in sid.  I just filed 7 RC bugs for packages
I found that had been using the unsafe loader, so I really think this will do
it.

Scott K
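Scott's point above is that, from PyYAML 5.1 on, selecting the unsafe loader is an explicit act in the calling code, which is what makes it auditable: the RC bugs he mentions came from finding exactly those call sites. What follows is an added example, not code from the pyyaml project, from Debian, or from anyone in this thread: a stdlib-only scanner that walks a Python module's AST and flags the patterns the CVE text and the linked deprecation page are about, namely yaml.load() with no Loader (the full, code-executing loader before 5.1), yaml.load() with Loader=yaml.Loader or yaml.UnsafeLoader (or their C counterparts), and yaml.unsafe_load(). The SAMPLE module it runs on is constructed for illustration and does not come from any real package; PyYAML itself does not need to be installed to run it.

```python
"""Audit Python sources for PyYAML calls that select an unsafe loader.

Flags three patterns:
  * yaml.load()/yaml.load_all() with no Loader argument (before PyYAML 5.1
    this silently meant the full, code-executing loader: CVE-2017-18342)
  * yaml.load()/yaml.load_all() with Loader=yaml.Loader, yaml.UnsafeLoader
    or their C-accelerated counterparts
  * yaml.unsafe_load()/yaml.unsafe_load_all()
Only the stdlib is used; PyYAML does not need to be installed.
"""
import ast
from dataclasses import dataclass

UNSAFE_LOADERS = {"Loader", "UnsafeLoader", "CLoader", "CUnsafeLoader"}
UNSAFE_FUNCS = {"unsafe_load", "unsafe_load_all"}
LOAD_FUNCS = {"load", "load_all"}


@dataclass
class Finding:
    lineno: int
    call: str
    reason: str


def audit_source(src):
    """Return Finding objects, ordered by line, for one module's source text."""
    tree = ast.parse(src)

    # Resolve how the module refers to PyYAML: both `import yaml [as y]`
    # and `from yaml import load [as ...]` are handled.
    module_aliases = set()   # local names bound to the yaml module
    imported_names = {}      # local name -> attribute of the yaml module
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "yaml":
                    module_aliases.add(alias.asname or alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module == "yaml":
            for alias in node.names:
                imported_names[alias.asname or alias.name] = alias.name

    def yaml_attr(expr):
        """Map `yaml.X` or an imported `X` back to the attribute name X, else None."""
        if (isinstance(expr, ast.Attribute) and isinstance(expr.value, ast.Name)
                and expr.value.id in module_aliases):
            return expr.attr
        if isinstance(expr, ast.Name):
            return imported_names.get(expr.id)
        return None

    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = yaml_attr(node.func)
        if func in UNSAFE_FUNCS:
            findings.append(Finding(node.lineno, f"yaml.{func}", "explicit unsafe loader"))
        elif func in LOAD_FUNCS:
            # Loader may be passed by keyword or as the second positional argument.
            loader = next((kw.value for kw in node.keywords if kw.arg == "Loader"), None)
            if loader is None and len(node.args) >= 2:
                loader = node.args[1]
            if loader is None:
                findings.append(Finding(node.lineno, f"yaml.{func}",
                                        "no Loader argument (full loader before PyYAML 5.1)"))
            elif yaml_attr(loader) in UNSAFE_LOADERS:
                findings.append(Finding(node.lineno, f"yaml.{func}",
                                        f"Loader=yaml.{yaml_attr(loader)}"))
    return sorted(findings, key=lambda f: f.lineno)


# Constructed sample module (not from any real package) exercising each pattern.
SAMPLE = '''\
import yaml
from yaml import load as yload, UnsafeLoader

cfg  = yaml.load(open("cfg.yml"))                  # no Loader at all
safe = yaml.load(doc, Loader=yaml.SafeLoader)      # fine
full = yaml.load(doc, yaml.Loader)                 # positional unsafe loader
ulo  = yload(doc, Loader=UnsafeLoader)             # aliased import, unsafe
ok   = yaml.safe_load(doc)                         # fine
raw  = yaml.unsafe_load(doc)                       # explicit unsafe
'''


def main():
    for f in audit_source(SAMPLE):
        print(f"line {f.lineno}: {f.call}: {f.reason}")


if __name__ == "__main__":
    main()
```

Run over SAMPLE this reports lines 4, 6, 7 and 9 and passes the two SafeLoader/safe_load calls. The resolution is deliberately conservative: a loader reached through a local variable or a subclass such as `class MyLoader(yaml.SafeLoader)` is not resolved and therefore not flagged, so treat a clean result as "no obvious unsafe call sites" rather than proof of safety, and read any flagged site the way Scott describes, asking whether the input is actually trusted.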



Bug#902878: pyyaml: CVE-2017-18342: still not completely fixed

2019-07-11 Thread merkys
Hello,

According to [1] the unsafe loader yaml.UnsafeLoader is still
vulnerable, and could be used upon request. While strictly speaking the
vulnerability is fixed by using safe reader by default, I assume
complete safety can only be achieved by disabling the yaml.UnsafeLoader.

Best,
Andrius

[1] https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation



Bug#902878: pyyaml: CVE-2017-18342

2018-07-02 Thread Salvatore Bonaccorso
Source: pyyaml
Version: 3.12-1
Severity: normal
Tags: security upstream
Forwarded: https://github.com/yaml/pyyaml/pull/74

Hi,

The following vulnerability was published for pyyaml. Please see the
notes in the security tracker to see why this got a CVE assigned now.
The bug is filed to track the "fixed version" rebased to 4.1 once it
gets uploaded to Debian. There is no action to be taken for older
releases.

CVE-2017-18342[0]:
| In PyYAML before 4.1, the yaml.load() API could execute arbitrary code.
| In other words, yaml.safe_load is not used.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-18342
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342

Regards,
Salvatore