Your message dated Mon, 24 May 2021 21:29:26 +0200
with message-id <2531e919-af3e-ebb9-2d1f-961eda21f59d@debian.org>
and subject line Re: Bug#988926: unblock: pyyaml/5.3.1-4
has caused the Debian Bug report #988926,
regarding unblock: pyyaml/5.3.1-4
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
988926: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988926
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: pyyaml/5.3.1-4
- From: Stefano Rivera <stefanor@debian.org>
- Date: Fri, 21 May 2021 12:07:51 -0400
- Message-id: <20210521160751.dzofjhz4mh2kwnun@haydn.kardiogramm.net>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: Scott Kitterman <scott@kitterman.com>, Michael Hudson-Doyle <mwhudson@debian.org>

Please unblock package pyyaml

pyyaml (5.3.1-4) unstable; urgency=medium

  * Team upload.

  [ Debian Janitor ]
  * Apply multi-arch hints.
    + python3-yaml-dbg: Add Multi-Arch: same.

  [ Stefano Rivera ]
  * Resolve CVE-2020-14343, more trivial RCEs in .load() and FullLoader.
    (Closes: #966233)

 -- Stefano Rivera <stefanor@debian.org>  Fri, 21 May 2021 11:11:00 -0400

[ Reason ]
Fixes a security issue (#966233, CVE-2020-14343). Not expecting it to be 100% secure; that requires more significant API changes, but at least it's a bit better.
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation

[ Impact ]
Known RCE risk in a parsing library.

[ Tests ]
Manually tested that the example exploits are mitigated.

[ Risks ]
Haven't checked reverse-dependencies (there are a lot of them) for breakage. Ubuntu has carried this patch for a month, with no known issues. I saw one issue mentioned on GitHub, but that doesn't trigger an FTBFS for us (no build-dep on pyyaml):
https://github.com/networkx/networkx/issues/4569

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

unblock pyyaml/5.3.1-4

diff -Nru pyyaml-5.3.1/debian/changelog pyyaml-5.3.1/debian/changelog --- pyyaml-5.3.1/debian/changelog 2020-10-22 19:33:33.000000000 -0400 +++ pyyaml-5.3.1/debian/changelog 2021-05-21 11:11:00.000000000 -0400 
@@ -1,3 +1,17 @@ +pyyaml (5.3.1-4) unstable; urgency=medium + + * Team upload. + + [ Debian Janitor ] + * Apply multi-arch hints. + + python3-yaml-dbg: Add Multi-Arch: same. + + [ Stefano Rivera ] + * Resolve CVE-2020-14343, more trivial RCEs in .load() and FullLoader. + (Closes: #966233) + + -- Stefano Rivera <stefanor@debian.org> Fri, 21 May 2021 11:11:00 -0400 + pyyaml (5.3.1-3) unstable; urgency=medium [ Ondřej Nový ] diff -Nru pyyaml-5.3.1/debian/control pyyaml-5.3.1/debian/control --- pyyaml-5.3.1/debian/control 2020-10-22 19:33:33.000000000 -0400 +++ pyyaml-5.3.1/debian/control 2021-05-21 11:11:00.000000000 -0400 @@ -25,6 +25,7 @@ Section: debug Architecture: any Depends: python3-yaml (= ${binary:Version}), python3-dbg, ${shlibs:Depends}, ${misc:Depends} +Multi-Arch: same Description: YAML parser and emitter for Python3 (debug build) Python3-yaml is a complete YAML 1.1 parser and emitter for Python3. It can parse all examples from the specification. The parsing algorithm is simple diff -Nru pyyaml-5.3.1/debian/patches/cve-2020-14343.patch pyyaml-5.3.1/debian/patches/cve-2020-14343.patch --- pyyaml-5.3.1/debian/patches/cve-2020-14343.patch 1969-12-31 20:00:00.000000000 -0400 +++ pyyaml-5.3.1/debian/patches/cve-2020-14343.patch 2021-05-21 11:11:00.000000000 -0400 
@@ -0,0 +1,127 @@ +From: =?utf-8?q?Ingy_d=C3=B6t_Net?= <ingy@ingy.net> +Date: Sat, 9 Jan 2021 10:53:23 -0500 +Subject: Fix for CVE-2020-14343 + +Per suggestion https://github.com/yaml/pyyaml/issues/420#issuecomment-663888344 +move a few constructors from full_load to unsafe_load. + +Bug-Debian: https://bugs.debian.org/966233 +Bug-Upstream: https://github.com/yaml/pyyaml/issues/420 +Origin: upstream, https://github.com/yaml/pyyaml/commit/a001f2782501ad2d24986959f0239a354675f9dc +--- + lib/yaml/constructor.py | 24 ++++++++++++------------ + lib3/yaml/constructor.py | 24 ++++++++++++------------ + tests/lib/test_recursive.py | 2 +- + tests/lib3/test_recursive.py | 2 +- + 4 files changed, 26 insertions(+), 26 deletions(-) + +diff --git a/lib/yaml/constructor.py b/lib/yaml/constructor.py +index 794681c..c42ee34 100644 +--- a/lib/yaml/constructor.py ++++ b/lib/yaml/constructor.py +@@ -722,18 +722,6 @@ FullConstructor.add_multi_constructor( + u'tag:yaml.org,2002:python/name:', + FullConstructor.construct_python_name) + +-FullConstructor.add_multi_constructor( +- u'tag:yaml.org,2002:python/module:', +- FullConstructor.construct_python_module) +- +-FullConstructor.add_multi_constructor( +- u'tag:yaml.org,2002:python/object:', +- FullConstructor.construct_python_object) +- +-FullConstructor.add_multi_constructor( +- u'tag:yaml.org,2002:python/object/new:', +- FullConstructor.construct_python_object_new) +- + class UnsafeConstructor(FullConstructor): + + def find_python_module(self, name, mark): +@@ -750,6 +738,18 @@ class UnsafeConstructor(FullConstructor): + return super(UnsafeConstructor, self).set_python_instance_state( + instance, state, unsafe=True) + ++UnsafeConstructor.add_multi_constructor( ++ u'tag:yaml.org,2002:python/module:', ++ UnsafeConstructor.construct_python_module) ++ ++UnsafeConstructor.add_multi_constructor( ++ u'tag:yaml.org,2002:python/object:', ++ UnsafeConstructor.construct_python_object) ++ ++UnsafeConstructor.add_multi_constructor( ++ 
u'tag:yaml.org,2002:python/object/new:', ++ UnsafeConstructor.construct_python_object_new) ++ + UnsafeConstructor.add_multi_constructor( + u'tag:yaml.org,2002:python/object/apply:', + UnsafeConstructor.construct_python_object_apply) +diff --git a/lib3/yaml/constructor.py b/lib3/yaml/constructor.py +index 1948b12..619acd3 100644 +--- a/lib3/yaml/constructor.py ++++ b/lib3/yaml/constructor.py +@@ -710,18 +710,6 @@ FullConstructor.add_multi_constructor( + 'tag:yaml.org,2002:python/name:', + FullConstructor.construct_python_name) + +-FullConstructor.add_multi_constructor( +- 'tag:yaml.org,2002:python/module:', +- FullConstructor.construct_python_module) +- +-FullConstructor.add_multi_constructor( +- 'tag:yaml.org,2002:python/object:', +- FullConstructor.construct_python_object) +- +-FullConstructor.add_multi_constructor( +- 'tag:yaml.org,2002:python/object/new:', +- FullConstructor.construct_python_object_new) +- + class UnsafeConstructor(FullConstructor): + + def find_python_module(self, name, mark): +@@ -738,6 +726,18 @@ class UnsafeConstructor(FullConstructor): + return super(UnsafeConstructor, self).set_python_instance_state( + instance, state, unsafe=True) + ++UnsafeConstructor.add_multi_constructor( ++ 'tag:yaml.org,2002:python/module:', ++ UnsafeConstructor.construct_python_module) ++ ++UnsafeConstructor.add_multi_constructor( ++ 'tag:yaml.org,2002:python/object:', ++ UnsafeConstructor.construct_python_object) ++ ++UnsafeConstructor.add_multi_constructor( ++ 'tag:yaml.org,2002:python/object/new:', ++ UnsafeConstructor.construct_python_object_new) ++ + UnsafeConstructor.add_multi_constructor( + 'tag:yaml.org,2002:python/object/apply:', + UnsafeConstructor.construct_python_object_apply) +diff --git a/tests/lib/test_recursive.py b/tests/lib/test_recursive.py +index 312204e..04c5798 100644 +--- a/tests/lib/test_recursive.py ++++ b/tests/lib/test_recursive.py +@@ -30,7 +30,7 @@ def test_recursive(recursive_filename, verbose=False): + output2 = None + try: + output1 = 
yaml.dump(value1) +- value2 = yaml.load(output1, yaml.FullLoader) ++ value2 = yaml.load(output1, yaml.UnsafeLoader) + output2 = yaml.dump(value2) + assert output1 == output2, (output1, output2) + finally: +diff --git a/tests/lib3/test_recursive.py b/tests/lib3/test_recursive.py +index 74c2ee6..08042c8 100644 +--- a/tests/lib3/test_recursive.py ++++ b/tests/lib3/test_recursive.py +@@ -31,7 +31,7 @@ def test_recursive(recursive_filename, verbose=False): + output2 = None + try: + output1 = yaml.dump(value1) +- value2 = yaml.full_load(output1) ++ value2 = yaml.unsafe_load(output1) + output2 = yaml.dump(value2) + assert output1 == output2, (output1, output2) + finally: diff -Nru pyyaml-5.3.1/debian/patches/series pyyaml-5.3.1/debian/patches/series --- pyyaml-5.3.1/debian/patches/series 2020-10-22 19:15:26.000000000 -0400 +++ pyyaml-5.3.1/debian/patches/series 2021-05-21 11:11:00.000000000 -0400 @@ -1 +1,2 @@ fatal_test_failures.patch +cve-2020-14343.patch
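Review bot: the `python/name:` multi-constructor (`construct_python_name`) is left registered on FullConstructor in both `lib/yaml/constructor.py` and `lib3/yaml/constructor.py` (it is the unchanged context line directly above each removed block), so only `python/module:`, `python/object:` and `python/object/new:` move to UnsafeConstructor and `full_load` keeps constructing `python/name:` nodes. That is consistent with the request's "not expecting it to be 100% secure", but the DEP-3 header of `debian/patches/cve-2020-14343.patch` only says "move a few constructors"; suggest listing the three tags that move and naming `python/name:` as still resolved by FullLoader, so a reader does not take the patch as closing the whole class of issues.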
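Review bot: the two `test_recursive.py` hunks only switch the round-trip from `yaml.FullLoader` / `yaml.full_load` to `yaml.UnsafeLoader` / `yaml.unsafe_load`, so the suite goes back to passing but nothing asserts the new behaviour this patch introduces. Suggest adding a case that feeds a document tagged `python/object:` or `python/object/new:` to `yaml.full_load` and expects the loader to refuse it (pyyaml raises `yaml.constructor.ConstructorError` for a tag with no registered constructor); without it a later refactor could silently re-register those constructors on FullConstructor.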
--- End Message ---
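The patch above moves `python/module:`, `python/object:` and `python/object/new:` from FullConstructor to UnsafeConstructor and leaves `python/name:` on FullConstructor, which is exactly the information a defender needs to decide which loader a given YAML input may ever reach. As an added example (not code from the Debian upload or from pyyaml itself), the Python below turns that into a pre-load audit: it resolves the tags a document uses (`!!x`, `!x`, `!h!x` via `%TAG` directives, and verbatim `!<uri>`) to full tag URIs, ignores `!` inside quoted scalars and comments, and reports whether `safe_load`, `full_load` or `unsafe_load` would be needed to construct them. The sample document, the `demo.*` names and `tag:example.com,2021:shape` are constructed; the scanner approximates YAML's tag and quoting rules rather than parsing the language (multi-line quoted scalars and the `%TAG` reset at document boundaries are not modelled); and the classification of other `python/*` tags as FullLoader tags reflects pyyaml's constructor registry, which the hunks do not show.

```python
"""Pre-load tag audit for YAML text (added example: not pyyaml code, not part of the upload).

Resolves tag shorthands ("!!x", "!x", "!h!x" via %TAG, verbatim "!<uri>") to full
tag URIs and reports which stock pyyaml loader tier would construct them. The
python/* lists come from the hunks above; the scanner approximates YAML's tag
and quoting rules and is not a YAML parser.
"""
import re

YAML_NS = "tag:yaml.org,2002:"
PY_NS = YAML_NS + "python/"
MOVED_TO_UNSAFE = ("module:", "object:", "object/new:")   # moved by the patch
ALREADY_UNSAFE = ("object/apply:",)                       # context line: already unsafe-only
DEFAULT_HANDLES = {"!": "!", "!!": YAML_NS}
RANK = {"safe": 0, "full": 1, "unsafe": 2}

# A tag indicator only starts a node: at line start, after whitespace (covers
# "- ", ": ", "? ") or after a flow indicator; "Done!" in a plain scalar is not a tag.
_TAG_RE = re.compile(
    r"(?:^|(?<=[\s\[{,]))!(?:<(?P<verbatim>[^>]+)>"
    r"|(?P<handle>[0-9A-Za-z-]*!)?(?P<suffix>[^\s,\[\]{}]*))", re.MULTILINE)


def strip_quoted_and_comments(text):
    """Blank out quoted scalars and comments so a '!' inside them is not read as a tag."""
    out, quote, comment, i = [], None, False, 0
    while i < len(text):
        c = text[i]
        if c == "\n":
            out.append(c)
            comment, i = False, i + 1
        elif comment:
            i += 1
        elif quote:
            if quote == '"' and c == "\\":                  # escape: skip the next char
                out.append("  ")
                i += 2
            elif c == quote == "'" and text[i + 1:i + 2] == "'":
                out.append("  ")                            # '' is an escaped quote
                i += 2
            else:
                quote = None if c == quote else quote
                out.append(" ")
                i += 1
        elif c in "\"'" and (i == 0 or text[i - 1] in " \t\n[{,"):
            quote, i = c, i + 1                             # a quote opens only at a node start
            out.append(" ")
        elif c == "#" and (i == 0 or text[i - 1] in " \t\n"):
            comment, i = True, i + 1                        # a comment starts only after whitespace
        else:
            out.append(c)
            i += 1
    return "".join(out)


def find_tags(text):
    """Return the resolved tag URIs used in *text*, in order of appearance."""
    handles, body = dict(DEFAULT_HANDLES), []
    for line in text.splitlines():
        if line.startswith("%"):                            # "%TAG !h! prefix" directive
            parts = line.split()
            if len(parts) == 3 and parts[0] == "%TAG":
                handles[parts[1]] = parts[2]                # kept across documents (conservative)
            line = ""
        body.append(line)
    tags = []
    for m in _TAG_RE.finditer(strip_quoted_and_comments("\n".join(body))):
        if m.group("verbatim"):
            tags.append(m.group("verbatim"))
            continue
        handle, suffix = "!" + (m.group("handle") or ""), m.group("suffix")
        if handle == "!" and not suffix:
            continue                                        # non-specific "!" tag: no constructor lookup
        prefix = handles.get(handle)
        tags.append(prefix + suffix if prefix is not None else handle + suffix)
    return tags


def loader_required(tag):
    """Least-privileged stock loader that constructs *tag*, or 'custom' if none does."""
    if tag.startswith(PY_NS):
        if tag[len(PY_NS):].startswith(MOVED_TO_UNSAFE + ALREADY_UNSAFE):
            return "unsafe"
        # python/name: stays on FullConstructor in the hunk; the remaining python/*
        # tags are FullConstructor's in pyyaml (assumption from pyyaml, not the hunk).
        return "full"
    if tag.startswith(YAML_NS):
        return "safe"                                       # core schema: safe_load handles it
    return "custom"                                         # SafeLoader has no constructor for it


def audit(text):
    """Classify every tag in *text*; 'loader' is the weakest stock loader tier needed."""
    tiers = {tag: loader_required(tag) for tag in find_tags(text)}
    stock = [t for t in tiers.values() if t in RANK]
    return {"loader": max(stock, key=RANK.get, default="safe"),
            "custom": [t for t, tier in tiers.items() if tier == "custom"],
            "tags": tiers}


# Constructed sample document: one tag per tier plus decoys in a string and a comment.
SAMPLE_YAML = """\
%TAG !py! tag:yaml.org,2002:python/
---
title: "text with !!python/object inside a quoted scalar"  # and !!python/name: in a comment
retries: !!int "3"
note: Done!
widget: !py!object/new:demo.Widget
helper: !!python/name:demo.helper
shape: !<tag:example.com,2021:shape> square
"""
```

Running `audit(SAMPLE_YAML)` reports `loader: unsafe` because of the `!py!object/new:` node, lists `tag:example.com,2021:shape` under `custom` (no stock loader constructs it), and ignores the decoys in the quoted scalar, the comment and the plain scalar `Done!`. An input pipeline that must stay on `safe_load` can reject anything whose audit comes back as `full` or `unsafe`, which is a cheaper gate than waiting for the loader to raise.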
--- Begin Message ---
- To: Stefano Rivera <stefanor@debian.org>, 988926-done@bugs.debian.org
- Subject: Re: Bug#988926: unblock: pyyaml/5.3.1-4
- From: Paul Gevers <elbrus@debian.org>
- Date: Mon, 24 May 2021 21:29:26 +0200
- Message-id: <2531e919-af3e-ebb9-2d1f-961eda21f59d@debian.org>
- In-reply-to: <0cfd6a29-c893-0113-79ae-ad0fe3ed5b48@debian.org>
- References: <20210521160751.dzofjhz4mh2kwnun@haydn.kardiogramm.net> <20210521160751.dzofjhz4mh2kwnun@haydn.kardiogramm.net> <0cfd6a29-c893-0113-79ae-ad0fe3ed5b48@debian.org>
Control: tags -1 - moreinfo

Hi Stefano,

On 22-05-2021 20:29, Paul Gevers wrote:
> As mentioned on IRC (#d-devel), this seems to cause failure of the lava
> autopkgtest. Did pyyaml also break lava itself?

Lava got fixed in unstable and I expect it to migrate (will keep an eye).

Unblocked.

Paul

PS: I just sent the same reply to the lava bug; that was a mistake.

Attachment: OpenPGP_signature (OpenPGP digital signature)
--- End Message ---