Bug#988926: unblock: pyyaml/5.3.1-4
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: Scott Kitterman <scott@kitterman.com>, Michael Hudson-Doyle <mwhudson@debian.org>
Please unblock package pyyaml
pyyaml (5.3.1-4) unstable; urgency=medium

  * Team upload.

  [ Debian Janitor ]
  * Apply multi-arch hints.
    + python3-yaml-dbg: Add Multi-Arch: same.

  [ Stefano Rivera ]
  * Resolve CVE-2020-14343, more trivial RCEs in .load() and FullLoader.
    (Closes: #966233)

 -- Stefano Rivera <stefanor@debian.org>  Fri, 21 May 2021 11:11:00 -0400
[ Reason ]
Fixes a security issue (#966233, CVE-2020-14343).
Not expecting it to be 100% secure; that requires more significant API
changes, but at least it's a bit better.
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
[ Impact ]
Known RCE risk in a parsing library.
[ Tests ]
Manually tested that the example exploits are mitigated.
[ Risks ]
Haven't checked reverse-dependencies (there are a lot of them) for
breakage.
Ubuntu has carried this patch for a month, with no known issues.
I saw one issue mentioned on github, but that doesn't trigger an FTBFS
for us (no build-dep on pyyaml): https://github.com/networkx/networkx/issues/4569
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock pyyaml/5.3.1-4
diff -Nru pyyaml-5.3.1/debian/changelog pyyaml-5.3.1/debian/changelog
--- pyyaml-5.3.1/debian/changelog 2020-10-22 19:33:33.000000000 -0400
+++ pyyaml-5.3.1/debian/changelog 2021-05-21 11:11:00.000000000 -0400
@@ -1,3 +1,17 @@
+pyyaml (5.3.1-4) unstable; urgency=medium
+
+ * Team upload.
+
+ [ Debian Janitor ]
+ * Apply multi-arch hints.
+ + python3-yaml-dbg: Add Multi-Arch: same.
+
+ [ Stefano Rivera ]
+ * Resolve CVE-2020-14343, more trivial RCEs in .load() and FullLoader.
+ (Closes: #966233)
+
+ -- Stefano Rivera <stefanor@debian.org> Fri, 21 May 2021 11:11:00 -0400
+
pyyaml (5.3.1-3) unstable; urgency=medium
[ Ondřej Nový ]
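Review bot: the changelog entry should say what users will see change: after this upload, documents carrying python/module:, python/object: or python/object/new: tags fail under FullLoader/full_load and need unsafe_load (which is exactly the switch the tests/ part of the patch makes). A debian/NEWS entry or an extra line here would help the reverse-dependencies that the [Risks] section admits were not checked.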
diff -Nru pyyaml-5.3.1/debian/control pyyaml-5.3.1/debian/control
--- pyyaml-5.3.1/debian/control 2020-10-22 19:33:33.000000000 -0400
+++ pyyaml-5.3.1/debian/control 2021-05-21 11:11:00.000000000 -0400
@@ -25,6 +25,7 @@
Section: debug
Architecture: any
Depends: python3-yaml (= ${binary:Version}), python3-dbg, ${shlibs:Depends}, ${misc:Depends}
+Multi-Arch: same
Description: YAML parser and emitter for Python3 (debug build)
Python3-yaml is a complete YAML 1.1 parser and emitter for Python3. It can
parse all examples from the specification. The parsing algorithm is simple
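Review bot: the Multi-Arch: same addition on python3-yaml-dbg is unrelated to the CVE fix bundled in the same upload. It is low risk (the package already depends on python3-yaml (= ${binary:Version}), so co-installed foreign-arch copies stay in lockstep), but during a freeze the release team may prefer the unblock diff limited to the security change; the request should at least point out that this part is a Janitor hint rather than leave it unexplained.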
diff -Nru pyyaml-5.3.1/debian/patches/cve-2020-14343.patch pyyaml-5.3.1/debian/patches/cve-2020-14343.patch
--- pyyaml-5.3.1/debian/patches/cve-2020-14343.patch 1969-12-31 20:00:00.000000000 -0400
+++ pyyaml-5.3.1/debian/patches/cve-2020-14343.patch 2021-05-21 11:11:00.000000000 -0400
@@ -0,0 +1,127 @@
+From: =?utf-8?q?Ingy_d=C3=B6t_Net?= <ingy@ingy.net>
+Date: Sat, 9 Jan 2021 10:53:23 -0500
+Subject: Fix for CVE-2020-14343
+
+Per suggestion https://github.com/yaml/pyyaml/issues/420#issuecomment-663888344
+move a few constructors from full_load to unsafe_load.
+
+Bug-Debian: https://bugs.debian.org/966233
+Bug-Upstream: https://github.com/yaml/pyyaml/issues/420
+Origin: upstream, https://github.com/yaml/pyyaml/commit/a001f2782501ad2d24986959f0239a354675f9dc
+---
+ lib/yaml/constructor.py | 24 ++++++++++++------------
+ lib3/yaml/constructor.py | 24 ++++++++++++------------
+ tests/lib/test_recursive.py | 2 +-
+ tests/lib3/test_recursive.py | 2 +-
+ 4 files changed, 26 insertions(+), 26 deletions(-)
+
+diff --git a/lib/yaml/constructor.py b/lib/yaml/constructor.py
+index 794681c..c42ee34 100644
+--- a/lib/yaml/constructor.py
++++ b/lib/yaml/constructor.py
+@@ -722,18 +722,6 @@ FullConstructor.add_multi_constructor(
+ u'tag:yaml.org,2002:python/name:',
+ FullConstructor.construct_python_name)
+
+-FullConstructor.add_multi_constructor(
+- u'tag:yaml.org,2002:python/module:',
+- FullConstructor.construct_python_module)
+-
+-FullConstructor.add_multi_constructor(
+- u'tag:yaml.org,2002:python/object:',
+- FullConstructor.construct_python_object)
+-
+-FullConstructor.add_multi_constructor(
+- u'tag:yaml.org,2002:python/object/new:',
+- FullConstructor.construct_python_object_new)
+-
+ class UnsafeConstructor(FullConstructor):
+
+ def find_python_module(self, name, mark):
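Review bot: the context lines at the top of this hunk show that python/name: stays registered on FullConstructor while python/module:, python/object: and python/object/new: are removed. The patch description ("move a few constructors from full_load to unsafe_load") should name the three tags and state that python/name: is intentionally kept, since that is the remaining import-by-name surface the [Reason] section alludes to with "not expecting it to be 100% secure".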
+@@ -750,6 +738,18 @@ class UnsafeConstructor(FullConstructor):
+ return super(UnsafeConstructor, self).set_python_instance_state(
+ instance, state, unsafe=True)
+
++UnsafeConstructor.add_multi_constructor(
++ u'tag:yaml.org,2002:python/module:',
++ UnsafeConstructor.construct_python_module)
++
++UnsafeConstructor.add_multi_constructor(
++ u'tag:yaml.org,2002:python/object:',
++ UnsafeConstructor.construct_python_object)
++
++UnsafeConstructor.add_multi_constructor(
++ u'tag:yaml.org,2002:python/object/new:',
++ UnsafeConstructor.construct_python_object_new)
++
+ UnsafeConstructor.add_multi_constructor(
+ u'tag:yaml.org,2002:python/object/apply:',
+ UnsafeConstructor.construct_python_object_apply)
+diff --git a/lib3/yaml/constructor.py b/lib3/yaml/constructor.py
+index 1948b12..619acd3 100644
+--- a/lib3/yaml/constructor.py
++++ b/lib3/yaml/constructor.py
+@@ -710,18 +710,6 @@ FullConstructor.add_multi_constructor(
+ 'tag:yaml.org,2002:python/name:',
+ FullConstructor.construct_python_name)
+
+-FullConstructor.add_multi_constructor(
+- 'tag:yaml.org,2002:python/module:',
+- FullConstructor.construct_python_module)
+-
+-FullConstructor.add_multi_constructor(
+- 'tag:yaml.org,2002:python/object:',
+- FullConstructor.construct_python_object)
+-
+-FullConstructor.add_multi_constructor(
+- 'tag:yaml.org,2002:python/object/new:',
+- FullConstructor.construct_python_object_new)
+-
+ class UnsafeConstructor(FullConstructor):
+
+ def find_python_module(self, name, mark):
+@@ -738,6 +726,18 @@ class UnsafeConstructor(FullConstructor):
+ return super(UnsafeConstructor, self).set_python_instance_state(
+ instance, state, unsafe=True)
+
++UnsafeConstructor.add_multi_constructor(
++ 'tag:yaml.org,2002:python/module:',
++ UnsafeConstructor.construct_python_module)
++
++UnsafeConstructor.add_multi_constructor(
++ 'tag:yaml.org,2002:python/object:',
++ UnsafeConstructor.construct_python_object)
++
++UnsafeConstructor.add_multi_constructor(
++ 'tag:yaml.org,2002:python/object/new:',
++ UnsafeConstructor.construct_python_object_new)
++
+ UnsafeConstructor.add_multi_constructor(
+ 'tag:yaml.org,2002:python/object/apply:',
+ UnsafeConstructor.construct_python_object_apply)
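Review bot: this pair of hunks is a mechanical mirror of the lib/ change for the lib3/ tree. Since debian/control only ships python3-* packages, lib3/ is the tree whose FullLoader behaviour actually changes in the built binaries (the lib/ part is inert here), so the manual verification claimed under [Tests] should be done against the installed python3-yaml, not against the source tree's lib/ copy.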
+diff --git a/tests/lib/test_recursive.py b/tests/lib/test_recursive.py
+index 312204e..04c5798 100644
+--- a/tests/lib/test_recursive.py
++++ b/tests/lib/test_recursive.py
+@@ -30,7 +30,7 @@ def test_recursive(recursive_filename, verbose=False):
+ output2 = None
+ try:
+ output1 = yaml.dump(value1)
+- value2 = yaml.load(output1, yaml.FullLoader)
++ value2 = yaml.load(output1, yaml.UnsafeLoader)
+ output2 = yaml.dump(value2)
+ assert output1 == output2, (output1, output2)
+ finally:
+diff --git a/tests/lib3/test_recursive.py b/tests/lib3/test_recursive.py
+index 74c2ee6..08042c8 100644
+--- a/tests/lib3/test_recursive.py
++++ b/tests/lib3/test_recursive.py
+@@ -31,7 +31,7 @@ def test_recursive(recursive_filename, verbose=False):
+ output2 = None
+ try:
+ output1 = yaml.dump(value1)
+- value2 = yaml.full_load(output1)
++ value2 = yaml.unsafe_load(output1)
+ output2 = yaml.dump(value2)
+ assert output1 == output2, (output1, output2)
+ finally:
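Review bot: the only test change, in both trees, is switching the recursive round-trip from FullLoader/full_load to UnsafeLoader/unsafe_load. That keeps the existing test green but leaves the new behaviour untested: add a case asserting that full_load rejects (raises a constructor error for) each of the three moved tags, which is the same property the [Tests] section says was verified by hand, and keep a FullLoader round-trip for documents that use no python/ tags so a regression in FullLoader is still caught.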
diff -Nru pyyaml-5.3.1/debian/patches/series pyyaml-5.3.1/debian/patches/series
--- pyyaml-5.3.1/debian/patches/series 2020-10-22 19:15:26.000000000 -0400
+++ pyyaml-5.3.1/debian/patches/series 2021-05-21 11:11:00.000000000 -0400
@@ -1 +1,2 @@
fatal_test_failures.patch
+cve-2020-14343.patch
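The [Risks] section above leaves reverse-dependencies unchecked. As an added example that is not part of this bug report, the Debian packaging or the pyyaml patch, the following stdlib-only Python script scans YAML text for the `python/` tags whose loader changes in the hunks above, so a maintainer can tell which inputs will start failing under `full_load` once 5.3.1-4 lands. The regular expression and the three classification sets are assumptions derived from the hunks: the script does not parse YAML, understands only the `!!python/...` and `!<tag:yaml.org,2002:python/...>` tag spellings, and ignores quoting and `%TAG` directives.

```python
"""Audit YAML text for python/* tags affected by the CVE-2020-14343 change.

Constructed example for the pyyaml 5.3.1-4 unblock request; it is not code
from the pyyaml project or the Debian patch.
"""
import re
import sys

# Tags the patch removes from FullConstructor and registers on
# UnsafeConstructor (taken from the constructor.py hunks).
MOVED_TO_UNSAFE = ("python/module:", "python/object:", "python/object/new:")
# Registered on UnsafeConstructor already before the patch (context lines).
ALREADY_UNSAFE = ("python/object/apply:",)
# Still registered on FullConstructor after the patch (context lines).
KEPT_IN_FULL = ("python/name:",)

# Heuristic (assumption): matches "!!python/<kind>:<arg>" and the verbatim
# form "!<tag:yaml.org,2002:python/<kind>:<arg>>". Does not handle quoting
# or %TAG handles; a real YAML tokenizer would be needed for that.
_TAG_RE = re.compile(
    r"(?:!!|!<tag:yaml\.org,2002:)(python/[A-Za-z_/]+:)([^\s>]*)>?"
)


def classify(tag):
    """Map a python/ tag to how the patched FullLoader treats it."""
    if tag in MOVED_TO_UNSAFE:
        return "moved-to-unsafe"   # newly rejected by full_load
    if tag in ALREADY_UNSAFE:
        return "unsafe-only"       # rejected by full_load before and after
    if tag in KEPT_IN_FULL:
        return "still-in-full"     # unchanged by this patch
    return "other"


def find_python_tags(text):
    """Return (line_no, tag, argument, classification) for every python/ tag."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in _TAG_RE.finditer(line):
            tag, arg = match.group(1), match.group(2)
            findings.append((lineno, tag, arg, classify(tag)))
    return findings


def breaks_under_patched_full_load(text):
    """True if full_load() of this document newly fails after the patch."""
    return any(status == "moved-to-unsafe"
               for _, _, _, status in find_python_tags(text))


# Constructed sample document exercising each tag class once.
SAMPLE = """\
# constructed sample document
settings: !!python/object:myapp.config.Settings {debug: false}
loader: !<tag:yaml.org,2002:python/module:json>
formatter: !!python/name:json.dumps
ordered: !!python/object/new:collections.OrderedDict []
when: !!python/object/apply:datetime.date [2021, 5, 21]
plain: just a string
"""


def report(text, name="<sample>"):
    """Print one line per finding; returns the number of newly failing tags."""
    newly_failing = 0
    for lineno, tag, arg, status in find_python_tags(text):
        print(f"{name}:{lineno}: {tag}{arg} [{status}]")
        newly_failing += status == "moved-to-unsafe"
    return newly_failing


if __name__ == "__main__":
    # Usage: python3 audit_python_tags.py [file.yaml ...]; no args scans SAMPLE.
    if len(sys.argv) == 1:
        report(SAMPLE)
    else:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8") as fh:
                report(fh.read(), path)
```

On the sample, three of the five tags are reported as `moved-to-unsafe`: those documents are the ones a reverse-dependency must either stop producing or load with `unsafe_load`. Where pyyaml is installed, the definitive check is simply to call `yaml.full_load` on the document and expect it to raise a constructor error on the patched package.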