
Bug#968846: marked as done (buster-pu: package ros-actionlib/1.11.15-1)



Your message dated Sat, 26 Sep 2020 11:36:30 +0100
with message-id <d50ba4de424290cd2840a09ef19950156fcf51ab.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.6 point release
has caused the Debian Bug report #968846,
regarding buster-pu: package ros-actionlib/1.11.15-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
968846: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968846
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi release team,

[ Reason ]
The ros-actionlib version in buster is affected by
CVE-2020-10289 which was flagged no-dsa by the security team.

[ Impact ]
I assume it's low because the code is only used in two debug tools.

[ Tests ]
None.

[ Risks ]
The fix is trivial (yaml.load -> yaml.safe_load) and the risk is low as
the yaml is generated from a string in the same process. There is no use
of the extended functionality provided by yaml.load in these scripts.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Use yaml.safe_load instead of yaml.load as promoted by upstream:
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation

Cheers Jochen
diff --git a/debian/changelog b/debian/changelog
index 4864907..987959b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+ros-actionlib (1.11.15-1+deb10u1) buster; urgency=high
+
+  * Add https://github.com/ros/actionlib/pull/171 (Fix CVE-2020-10289)
+
+ -- Jochen Sprickerhof <jspricke@debian.org>  Sat, 22 Aug 2020 10:53:23 +0200
+
 ros-actionlib (1.11.15-1) unstable; urgency=medium
 
   * New upstream version 1.11.15
diff --git a/debian/patches/0003-Address-RVD-2401.patch b/debian/patches/0003-Address-RVD-2401.patch
new file mode 100644
index 0000000..efe9455
--- /dev/null
+++ b/debian/patches/0003-Address-RVD-2401.patch
@@ -0,0 +1,44 @@
+From: =?utf-8?q?V=C3=ADctor_Mayoral_Vilches?= <v.mayoralv@gmail.com>
+Date: Thu, 20 Aug 2020 09:41:56 +0200
+Subject: Address RVD#2401
+
+Our team at @AliasRobotics identified and reported in RVD#2401 the use of
+unsafe yaml load (https://github.com/aliasrobotics/RVD/issues/2401).
+
+After triaging the flaw we detected that it was  exploitable and could lead to
+local (or remote, based on certain common user interaction) code execution.
+
+Specifically, the flaw itself is caused by an unsafe parsing of YAML values which
+happens whenever an action message is processed to be sent, and allows for the
+creation of Python objects. Through this flaw in ROS, an attacker could build a
+malicious payload and execute arbitrary code in Python. A PoC is available but
+have decided not to disclose it for now and until this is mitigated and debs are
+available.
+
+Peer-researched and coded with @ibaiape.
+---
+ tools/library.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/library.py b/tools/library.py
+index 6d344e2..f97074e 100644
+--- a/tools/library.py
++++ b/tools/library.py
+@@ -96,7 +96,7 @@ def yaml_msg_str(type_, yaml_str, filename=None):
+     if yaml_str.strip() == '':
+         msg_dict = {}
+     else:
+-        msg_dict = yaml.load(yaml_str)
++        msg_dict = yaml.safe_load(yaml_str)
+     if not isinstance(msg_dict, dict):
+         if filename:
+             raise ValueError("yaml file [%s] does not contain a dictionary" % filename)
+@@ -130,7 +130,7 @@ def yaml_msgs_str(type_, yaml_str, filename=None):
+     @type  filename: str
+     """
+     import yaml
+-    yaml_doc = yaml.load(yaml_str)
++    yaml_doc = yaml.safe_load(yaml_str)
+     msgs = []
+     for msg_dict in yaml_doc:
+         if not isinstance(msg_dict, dict):
diff --git a/debian/patches/series b/debian/patches/series
index aed59c0..6f975c6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 0001-Add-Debian-specific-SONAME.patch
 0002-Add-shebang.patch
+0003-Address-RVD-2401.patch

--- End Message ---
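The yaml.load -> yaml.safe_load change discussed in the [ Risks ] and [ Changes ] sections above, as an added example that is not part of the bug report, the Debian patch or ros-actionlib itself. The functions parse_msg_dict, parse_msg_list and is_rejected_by_safe_load are hypothetical names modelled on the shape of the patched tools/library.py helpers, and the YAML inputs are constructed for the example. It shows the contract a hardened parser should keep: plain mappings parse normally, the outer type is checked before use, the empty-document case (where safe_load returns None) is handled explicitly, and any document carrying a language-specific tag is refused by SafeLoader with a ConstructorError rather than constructed into a Python object.

```python
"""Added example (not from ros-actionlib or the Debian patch): a small
YAML-to-message parser in the shape of the patched tools/library.py
helpers, showing what yaml.safe_load does and does not accept and what
the surrounding type checks should look like.  The function names are
hypothetical; requires PyYAML."""
import yaml

# Constructed sample inputs (not taken from the bug report).
GOAL_YAML = "target: 3.5\nframe: base_link\n"      # an ordinary mapping
GOALS_YAML = "- target: 1.0\n- target: 2.0\n"      # a sequence of mappings
TAGGED_YAML = "!!python/tuple [1, 2]\n"            # carries a python-specific tag


def parse_msg_dict(yaml_str, filename=None):
    """Parse one message body.  Same contract as the patched yaml_msg_str:
    blank input -> {}, non-mapping -> ValueError, tagged objects -> refused."""
    if yaml_str.strip() == "":
        return {}
    # SafeLoader only builds plain YAML types (str, int, float, bool, None,
    # list, dict).  A '!!python/...' tag has no constructor registered, so
    # safe_load raises yaml.constructor.ConstructorError instead of
    # instantiating anything.
    msg_dict = yaml.safe_load(yaml_str)
    if not isinstance(msg_dict, dict):
        where = ("yaml file [%s]" % filename) if filename else "yaml string"
        raise ValueError("%s does not contain a dictionary" % where)
    return msg_dict


def parse_msg_list(yaml_str, filename=None):
    """Parse a sequence of message bodies.  Unlike the patched yaml_msgs_str
    this guards the empty-document case (safe_load('') returns None, which
    would otherwise fail inside the for loop) and checks the outer type."""
    yaml_doc = yaml.safe_load(yaml_str)
    if yaml_doc is None:
        return []
    if not isinstance(yaml_doc, list):
        raise ValueError("expected a list of dictionaries")
    msgs = []
    for idx, msg_dict in enumerate(yaml_doc):
        if not isinstance(msg_dict, dict):
            raise ValueError("entry %d is not a dictionary" % idx)
        msgs.append(msg_dict)
    return msgs


def is_rejected_by_safe_load(yaml_str):
    """True if SafeLoader refuses the document because of a tag it will not
    construct.  On an untrusted input path this is the event worth logging."""
    try:
        yaml.safe_load(yaml_str)
    except yaml.constructor.ConstructorError:
        return True
    return False


if __name__ == "__main__":
    print(parse_msg_dict(GOAL_YAML))              # {'target': 3.5, 'frame': 'base_link'}
    print(parse_msg_list(GOALS_YAML))             # [{'target': 1.0}, {'target': 2.0}]
    print(parse_msg_list(""))                     # []
    print(is_rejected_by_safe_load(TAGGED_YAML))  # True
    print(is_rejected_by_safe_load(GOAL_YAML))    # False
```

The point of is_rejected_by_safe_load is not to second-guess the loader but to give the caller a single place to turn a refused tag into a logged, actionable event; with yaml.load and the default loader the same document would have been silently turned into a Python object, which is exactly the behaviour CVE-2020-10289 is about.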
--- Begin Message ---
Package: release.debian.org
Version: 10.6

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---
