
Bug#881306: jessie-pu: package python-tablib/0.9.11-2 CVE-2017-2810



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

After fixing Stretch in release team bug #879702, here's the request
for fixing Jessie, since Salvatore asks for it. Debdiff attached.
Package available from:

http://sid.gplhost.com/jessie-proposed-updates/python-tablib/

Please allow me to upload this update for Jessie.
Cheers,

Thomas Goirand (zigo)
diff -Nru python-tablib-0.9.11/debian/changelog python-tablib-0.9.11/debian/changelog
--- python-tablib-0.9.11/debian/changelog	2013-05-12 14:21:10.000000000 +0200
+++ python-tablib-0.9.11/debian/changelog	2017-10-24 21:15:19.000000000 +0200
@@ -1,3 +1,9 @@
+python-tablib (0.9.11-2+deb8u1) jessie; urgency=low
+
+  * CVE-2017-2810: apply upstream patch: use safe load (Closes: #864818).
+
+ -- Thomas Goirand <zigo@debian.org>  Tue, 24 Oct 2017 21:15:19 +0200
+
 python-tablib (0.9.11-2) unstable; urgency=low
 
   * Uploading to unstable.
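Review bot: The new entry header `python-tablib (0.9.11-2+deb8u1) jessie; urgency=low` marks a CVE fix as low urgency; consider `urgency=medium` or higher so the changelog reflects that this is a security update. The bullet would also be easier to audit if it named the changed call, namely that `yaml.load` in `tablib/formats/_yaml.py` becomes `yaml.safe_load`.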
diff -Nru python-tablib-0.9.11/debian/patches/CVE-2017-2810-use_safe_load.patch python-tablib-0.9.11/debian/patches/CVE-2017-2810-use_safe_load.patch
--- python-tablib-0.9.11/debian/patches/CVE-2017-2810-use_safe_load.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-tablib-0.9.11/debian/patches/CVE-2017-2810-use_safe_load.patch	2017-10-24 21:15:19.000000000 +0200
@@ -0,0 +1,17 @@
+Description: use safe load
+Author: Kenneth Reitz <me@kennethreitz.org>
+Origin: https://github.com/kennethreitz/tablib/commit/69abfc3ada5d754cb152119c0b4777043657cb6e
+Bug-Debian: https://bugs.debian.org/864818
+Last-Update: 2017-10-24
+
+--- python-tablib-0.9.11.orig/tablib/formats/_yaml.py
++++ python-tablib-0.9.11/tablib/formats/_yaml.py
+@@ -46,7 +46,7 @@ def import_book(dbook, in_stream):
+ 
+     dbook.wipe()
+ 
+-    for sheet in yaml.load(in_stream):
++    for sheet in yaml.safe_load(in_stream):
+         data = tablib.Dataset()
+         data.title = sheet['title']
+         data.dict = sheet['data']
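Review bot: Only the `yaml.load(in_stream)` call inside `import_book` is switched to `yaml.safe_load`; this hunk does not show whether anything else in `tablib/formats/_yaml.py` still parses input with `yaml.load`. Please grep the module for remaining `yaml.load` calls before upload, since any call left on untrusted input keeps the unsafe deserialization path open. In the DEP-3 header, `Origin:` could be written as `upstream, https://...` to record that the patch comes from upstream.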
diff -Nru python-tablib-0.9.11/debian/patches/series python-tablib-0.9.11/debian/patches/series
--- python-tablib-0.9.11/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ python-tablib-0.9.11/debian/patches/series	2017-10-24 21:15:19.000000000 +0200
@@ -0,0 +1 @@
+CVE-2017-2810-use_safe_load.patch
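Review bot: `debian/patches/series` is created from scratch here (`@@ -0,0 +1 @@`), and the debdiff touches no other packaging file, so nothing visible confirms that the patch is applied at build time. Please confirm the package uses source format `3.0 (quilt)` or that `debian/rules` applies the series, and check in the build log that `CVE-2017-2810-use_safe_load.patch` is applied.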
