
Bug#988926: unblock: pyyaml/5.3.1-4



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: Scott Kitterman <scott@kitterman.com>, Michael Hudson-Doyle <mwhudson@debian.org>

Please unblock package pyyaml

pyyaml (5.3.1-4) unstable; urgency=medium

  * Team upload.

  [ Debian Janitor ]
  * Apply multi-arch hints.
    + python3-yaml-dbg: Add Multi-Arch: same.

  [ Stefano Rivera ]
  * Resolve CVE-2020-14343, more trivial RCEs in .load() and FullLoader.
    (Closes: #966233)

 -- Stefano Rivera <stefanor@debian.org>  Fri, 21 May 2021 11:11:00 -0400

[ Reason ]
Fixes a security issue (#966233, CVE-2020-14343).

Not expecting it to be 100% secure, that requires more significant API
changes, but at least it's a bit better.
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation

[ Impact ]
Known RCE risk in a parsing library.

[ Tests ]
Manually tested that the example exploits are mitigated.

[ Risks ]
Haven't checked reverse-dependencies (there are a lot of them) for
breakage.

Ubuntu has carried this patch for a month, with no known issues.

I saw one issue mentioned on github, but that doesn't trigger an FTBFS
for us (no build-dep on pyyaml): https://github.com/networkx/networkx/issues/4569

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock pyyaml/5.3.1-4
diff -Nru pyyaml-5.3.1/debian/changelog pyyaml-5.3.1/debian/changelog
--- pyyaml-5.3.1/debian/changelog	2020-10-22 19:33:33.000000000 -0400
+++ pyyaml-5.3.1/debian/changelog	2021-05-21 11:11:00.000000000 -0400
@@ -1,3 +1,17 @@
+pyyaml (5.3.1-4) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Debian Janitor ]
+  * Apply multi-arch hints.
+    + python3-yaml-dbg: Add Multi-Arch: same.
+
+  [ Stefano Rivera ]
+  * Resolve CVE-2020-14343, more trivial RCEs in .load() and FullLoader.
+    (Closes: #966233)
+
+ -- Stefano Rivera <stefanor@debian.org>  Fri, 21 May 2021 11:11:00 -0400
+
 pyyaml (5.3.1-3) unstable; urgency=medium
 
   [ Ondřej Nový ]
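Review bot: the wording `+  * Resolve CVE-2020-14343, more trivial RCEs in .load() and FullLoader.` reads as a complete fix, while the [ Reason ] section above says the change is only a partial mitigation and that full safety needs larger API changes. Consider "Mitigate CVE-2020-14343" and a short note that FullLoader still resolves `python/name:` tags, so anyone reading the stable changelog does not conclude that `yaml.load()` with FullLoader is now safe for untrusted input.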
diff -Nru pyyaml-5.3.1/debian/control pyyaml-5.3.1/debian/control
--- pyyaml-5.3.1/debian/control	2020-10-22 19:33:33.000000000 -0400
+++ pyyaml-5.3.1/debian/control	2021-05-21 11:11:00.000000000 -0400
@@ -25,6 +25,7 @@
 Section: debug
 Architecture: any
 Depends: python3-yaml (= ${binary:Version}), python3-dbg, ${shlibs:Depends}, ${misc:Depends}
+Multi-Arch: same
 Description: YAML parser and emitter for Python3 (debug build)
  Python3-yaml is a complete YAML 1.1 parser and emitter for Python3.  It can
  parse all examples from the specification. The parsing algorithm is simple
diff -Nru pyyaml-5.3.1/debian/patches/cve-2020-14343.patch pyyaml-5.3.1/debian/patches/cve-2020-14343.patch
--- pyyaml-5.3.1/debian/patches/cve-2020-14343.patch	1969-12-31 20:00:00.000000000 -0400
+++ pyyaml-5.3.1/debian/patches/cve-2020-14343.patch	2021-05-21 11:11:00.000000000 -0400
@@ -0,0 +1,127 @@
+From: =?utf-8?q?Ingy_d=C3=B6t_Net?= <ingy@ingy.net>
+Date: Sat, 9 Jan 2021 10:53:23 -0500
+Subject: Fix for CVE-2020-14343
+
+Per suggestion https://github.com/yaml/pyyaml/issues/420#issuecomment-663888344
+move a few constructors from full_load to unsafe_load.
+
+Bug-Debian: https://bugs.debian.org/966233
+Bug-Upstream: https://github.com/yaml/pyyaml/issues/420
+Origin: upstream, https://github.com/yaml/pyyaml/commit/a001f2782501ad2d24986959f0239a354675f9dc
+---
+ lib/yaml/constructor.py      | 24 ++++++++++++------------
+ lib3/yaml/constructor.py     | 24 ++++++++++++------------
+ tests/lib/test_recursive.py  |  2 +-
+ tests/lib3/test_recursive.py |  2 +-
+ 4 files changed, 26 insertions(+), 26 deletions(-)
+
+diff --git a/lib/yaml/constructor.py b/lib/yaml/constructor.py
+index 794681c..c42ee34 100644
+--- a/lib/yaml/constructor.py
++++ b/lib/yaml/constructor.py
+@@ -722,18 +722,6 @@ FullConstructor.add_multi_constructor(
+     u'tag:yaml.org,2002:python/name:',
+     FullConstructor.construct_python_name)
+ 
+-FullConstructor.add_multi_constructor(
+-    u'tag:yaml.org,2002:python/module:',
+-    FullConstructor.construct_python_module)
+-
+-FullConstructor.add_multi_constructor(
+-    u'tag:yaml.org,2002:python/object:',
+-    FullConstructor.construct_python_object)
+-
+-FullConstructor.add_multi_constructor(
+-    u'tag:yaml.org,2002:python/object/new:',
+-    FullConstructor.construct_python_object_new)
+-
+ class UnsafeConstructor(FullConstructor):
+ 
+     def find_python_module(self, name, mark):
+@@ -750,6 +738,18 @@ class UnsafeConstructor(FullConstructor):
+         return super(UnsafeConstructor, self).set_python_instance_state(
+             instance, state, unsafe=True)
+ 
++UnsafeConstructor.add_multi_constructor(
++    u'tag:yaml.org,2002:python/module:',
++    UnsafeConstructor.construct_python_module)
++
++UnsafeConstructor.add_multi_constructor(
++    u'tag:yaml.org,2002:python/object:',
++    UnsafeConstructor.construct_python_object)
++
++UnsafeConstructor.add_multi_constructor(
++    u'tag:yaml.org,2002:python/object/new:',
++    UnsafeConstructor.construct_python_object_new)
++
+ UnsafeConstructor.add_multi_constructor(
+     u'tag:yaml.org,2002:python/object/apply:',
+     UnsafeConstructor.construct_python_object_apply)
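Review bot: the context lines at the top of this hunk show that `tag:yaml.org,2002:python/name:` stays registered on FullConstructor, so after this change full_load can still resolve arbitrary dotted Python names even though `python/module:`, `python/object:` and `python/object/new:` move to UnsafeConstructor. That matches the "not expecting it to be 100% secure" caveat in the request, but the patch description only says "move a few constructors"; adding one sentence there (and the same applies to the identical lib3/yaml/constructor.py hunk below) stating what deliberately remains in FullConstructor would save the next person auditing this backport from re-deriving it.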
+diff --git a/lib3/yaml/constructor.py b/lib3/yaml/constructor.py
+index 1948b12..619acd3 100644
+--- a/lib3/yaml/constructor.py
++++ b/lib3/yaml/constructor.py
+@@ -710,18 +710,6 @@ FullConstructor.add_multi_constructor(
+     'tag:yaml.org,2002:python/name:',
+     FullConstructor.construct_python_name)
+ 
+-FullConstructor.add_multi_constructor(
+-    'tag:yaml.org,2002:python/module:',
+-    FullConstructor.construct_python_module)
+-
+-FullConstructor.add_multi_constructor(
+-    'tag:yaml.org,2002:python/object:',
+-    FullConstructor.construct_python_object)
+-
+-FullConstructor.add_multi_constructor(
+-    'tag:yaml.org,2002:python/object/new:',
+-    FullConstructor.construct_python_object_new)
+-
+ class UnsafeConstructor(FullConstructor):
+ 
+     def find_python_module(self, name, mark):
+@@ -738,6 +726,18 @@ class UnsafeConstructor(FullConstructor):
+         return super(UnsafeConstructor, self).set_python_instance_state(
+             instance, state, unsafe=True)
+ 
++UnsafeConstructor.add_multi_constructor(
++    'tag:yaml.org,2002:python/module:',
++    UnsafeConstructor.construct_python_module)
++
++UnsafeConstructor.add_multi_constructor(
++    'tag:yaml.org,2002:python/object:',
++    UnsafeConstructor.construct_python_object)
++
++UnsafeConstructor.add_multi_constructor(
++    'tag:yaml.org,2002:python/object/new:',
++    UnsafeConstructor.construct_python_object_new)
++
+ UnsafeConstructor.add_multi_constructor(
+     'tag:yaml.org,2002:python/object/apply:',
+     UnsafeConstructor.construct_python_object_apply)
+diff --git a/tests/lib/test_recursive.py b/tests/lib/test_recursive.py
+index 312204e..04c5798 100644
+--- a/tests/lib/test_recursive.py
++++ b/tests/lib/test_recursive.py
+@@ -30,7 +30,7 @@ def test_recursive(recursive_filename, verbose=False):
+     output2 = None
+     try:
+         output1 = yaml.dump(value1)
+-        value2 = yaml.load(output1, yaml.FullLoader)
++        value2 = yaml.load(output1, yaml.UnsafeLoader)
+         output2 = yaml.dump(value2)
+         assert output1 == output2, (output1, output2)
+     finally:
+diff --git a/tests/lib3/test_recursive.py b/tests/lib3/test_recursive.py
+index 74c2ee6..08042c8 100644
+--- a/tests/lib3/test_recursive.py
++++ b/tests/lib3/test_recursive.py
+@@ -31,7 +31,7 @@ def test_recursive(recursive_filename, verbose=False):
+     output2 = None
+     try:
+         output1 = yaml.dump(value1)
+-        value2 = yaml.full_load(output1)
++        value2 = yaml.unsafe_load(output1)
+         output2 = yaml.dump(value2)
+         assert output1 == output2, (output1, output2)
+     finally:
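Review bot: changing the round-trip test from `-        value2 = yaml.load(output1, yaml.FullLoader)` to `+        value2 = yaml.load(output1, yaml.UnsafeLoader)` (and full_load to unsafe_load in tests/lib3) keeps the existing test green, but nothing in the patch asserts the new behaviour: there is no test that FullLoader now rejects a `!!python/object:` or `!!python/module:` document. A small negative test in both tests/lib and tests/lib3 would stop a future refactor from silently re-registering these constructors on FullConstructor, which is exactly the regression this CVE fix guards against.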
diff -Nru pyyaml-5.3.1/debian/patches/series pyyaml-5.3.1/debian/patches/series
--- pyyaml-5.3.1/debian/patches/series	2020-10-22 19:15:26.000000000 -0400
+++ pyyaml-5.3.1/debian/patches/series	2021-05-21 11:11:00.000000000 -0400
@@ -1 +1,2 @@
 fatal_test_failures.patch
+cve-2020-14343.patch
