
Bug#988926: marked as done (unblock: pyyaml/5.3.1-4)



Your message dated Mon, 24 May 2021 21:29:26 +0200
with message-id <2531e919-af3e-ebb9-2d1f-961eda21f59d@debian.org>
and subject line Re: Bug#988926: unblock: pyyaml/5.3.1-4
has caused the Debian Bug report #988926,
regarding unblock: pyyaml/5.3.1-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
988926: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988926
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: Scott Kitterman <scott@kitterman.com>, Michael Hudson-Doyle <mwhudson@debian.org>

Please unblock package pyyaml

pyyaml (5.3.1-4) unstable; urgency=medium

  * Team upload.

  [ Debian Janitor ]
  * Apply multi-arch hints.
    + python3-yaml-dbg: Add Multi-Arch: same.

  [ Stefano Rivera ]
  * Resolve CVE-2020-14343, more trivial RCEs in .load() and FullLoader.
    (Closes: #966233)

 -- Stefano Rivera <stefanor@debian.org>  Fri, 21 May 2021 11:11:00 -0400

[ Reason ]
Fixes a security issue (#966233, CVE-2020-14343).

Not expecting it to be 100% secure, that requires more significant API
changes, but at least it's a bit better.
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation

[ Impact ]
Known RCE risk in a parsing library.

[ Tests ]
Manually tested that the example exploits are mitigated.

[ Risks ]
Haven't checked reverse-dependencies (there are a lot of them) for
breakage.

Ubuntu has carried this patch for a month, with no known issues.

I saw one issue mentioned on github, but that doesn't trigger an FTBFS
for us (no build-dep on pyyaml): https://github.com/networkx/networkx/issues/4569

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock pyyaml/5.3.1-4
diff -Nru pyyaml-5.3.1/debian/changelog pyyaml-5.3.1/debian/changelog
--- pyyaml-5.3.1/debian/changelog	2020-10-22 19:33:33.000000000 -0400
+++ pyyaml-5.3.1/debian/changelog	2021-05-21 11:11:00.000000000 -0400
@@ -1,3 +1,17 @@
+pyyaml (5.3.1-4) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Debian Janitor ]
+  * Apply multi-arch hints.
+    + python3-yaml-dbg: Add Multi-Arch: same.
+
+  [ Stefano Rivera ]
+  * Resolve CVE-2020-14343, more trivial RCEs in .load() and FullLoader.
+    (Closes: #966233)
+
+ -- Stefano Rivera <stefanor@debian.org>  Fri, 21 May 2021 11:11:00 -0400
+
 pyyaml (5.3.1-3) unstable; urgency=medium
 
   [ Ondřej Nový ]
diff -Nru pyyaml-5.3.1/debian/control pyyaml-5.3.1/debian/control
--- pyyaml-5.3.1/debian/control	2020-10-22 19:33:33.000000000 -0400
+++ pyyaml-5.3.1/debian/control	2021-05-21 11:11:00.000000000 -0400
@@ -25,6 +25,7 @@
 Section: debug
 Architecture: any
 Depends: python3-yaml (= ${binary:Version}), python3-dbg, ${shlibs:Depends}, ${misc:Depends}
+Multi-Arch: same
 Description: YAML parser and emitter for Python3 (debug build)
  Python3-yaml is a complete YAML 1.1 parser and emitter for Python3.  It can
  parse all examples from the specification. The parsing algorithm is simple
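Review bot: the Multi-Arch: same line added to the python3-yaml-dbg stanza is unrelated to the CVE fix this unblock is for; it comes from a Janitor multi-arch hint, and the stanza's Depends: python3-yaml (= ${binary:Version}) keeps the two binaries lock-stepped, so it carries little risk, but the changelog entry is the only place it is explained and the request's [ Reason ] section does not mention it. State it there as a deliberate unrelated change so the release team does not have to infer that from the debdiff.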
diff -Nru pyyaml-5.3.1/debian/patches/cve-2020-14343.patch pyyaml-5.3.1/debian/patches/cve-2020-14343.patch
--- pyyaml-5.3.1/debian/patches/cve-2020-14343.patch	1969-12-31 20:00:00.000000000 -0400
+++ pyyaml-5.3.1/debian/patches/cve-2020-14343.patch	2021-05-21 11:11:00.000000000 -0400
@@ -0,0 +1,127 @@
+From: =?utf-8?q?Ingy_d=C3=B6t_Net?= <ingy@ingy.net>
+Date: Sat, 9 Jan 2021 10:53:23 -0500
+Subject: Fix for CVE-2020-14343
+
+Per suggestion https://github.com/yaml/pyyaml/issues/420#issuecomment-663888344
+move a few constructors from full_load to unsafe_load.
+
+Bug-Debian: https://bugs.debian.org/966233
+Bug-Upstream: https://github.com/yaml/pyyaml/issues/420
+Origin: upstream, https://github.com/yaml/pyyaml/commit/a001f2782501ad2d24986959f0239a354675f9dc
+---
+ lib/yaml/constructor.py      | 24 ++++++++++++------------
+ lib3/yaml/constructor.py     | 24 ++++++++++++------------
+ tests/lib/test_recursive.py  |  2 +-
+ tests/lib3/test_recursive.py |  2 +-
+ 4 files changed, 26 insertions(+), 26 deletions(-)
+
+diff --git a/lib/yaml/constructor.py b/lib/yaml/constructor.py
+index 794681c..c42ee34 100644
+--- a/lib/yaml/constructor.py
++++ b/lib/yaml/constructor.py
+@@ -722,18 +722,6 @@ FullConstructor.add_multi_constructor(
+     u'tag:yaml.org,2002:python/name:',
+     FullConstructor.construct_python_name)
+ 
+-FullConstructor.add_multi_constructor(
+-    u'tag:yaml.org,2002:python/module:',
+-    FullConstructor.construct_python_module)
+-
+-FullConstructor.add_multi_constructor(
+-    u'tag:yaml.org,2002:python/object:',
+-    FullConstructor.construct_python_object)
+-
+-FullConstructor.add_multi_constructor(
+-    u'tag:yaml.org,2002:python/object/new:',
+-    FullConstructor.construct_python_object_new)
+-
+ class UnsafeConstructor(FullConstructor):
+ 
+     def find_python_module(self, name, mark):
+@@ -750,6 +738,18 @@ class UnsafeConstructor(FullConstructor):
+         return super(UnsafeConstructor, self).set_python_instance_state(
+             instance, state, unsafe=True)
+ 
++UnsafeConstructor.add_multi_constructor(
++    u'tag:yaml.org,2002:python/module:',
++    UnsafeConstructor.construct_python_module)
++
++UnsafeConstructor.add_multi_constructor(
++    u'tag:yaml.org,2002:python/object:',
++    UnsafeConstructor.construct_python_object)
++
++UnsafeConstructor.add_multi_constructor(
++    u'tag:yaml.org,2002:python/object/new:',
++    UnsafeConstructor.construct_python_object_new)
++
+ UnsafeConstructor.add_multi_constructor(
+     u'tag:yaml.org,2002:python/object/apply:',
+     UnsafeConstructor.construct_python_object_apply)
+diff --git a/lib3/yaml/constructor.py b/lib3/yaml/constructor.py
+index 1948b12..619acd3 100644
+--- a/lib3/yaml/constructor.py
++++ b/lib3/yaml/constructor.py
+@@ -710,18 +710,6 @@ FullConstructor.add_multi_constructor(
+     'tag:yaml.org,2002:python/name:',
+     FullConstructor.construct_python_name)
+ 
+-FullConstructor.add_multi_constructor(
+-    'tag:yaml.org,2002:python/module:',
+-    FullConstructor.construct_python_module)
+-
+-FullConstructor.add_multi_constructor(
+-    'tag:yaml.org,2002:python/object:',
+-    FullConstructor.construct_python_object)
+-
+-FullConstructor.add_multi_constructor(
+-    'tag:yaml.org,2002:python/object/new:',
+-    FullConstructor.construct_python_object_new)
+-
+ class UnsafeConstructor(FullConstructor):
+ 
+     def find_python_module(self, name, mark):
+@@ -738,6 +726,18 @@ class UnsafeConstructor(FullConstructor):
+         return super(UnsafeConstructor, self).set_python_instance_state(
+             instance, state, unsafe=True)
+ 
++UnsafeConstructor.add_multi_constructor(
++    'tag:yaml.org,2002:python/module:',
++    UnsafeConstructor.construct_python_module)
++
++UnsafeConstructor.add_multi_constructor(
++    'tag:yaml.org,2002:python/object:',
++    UnsafeConstructor.construct_python_object)
++
++UnsafeConstructor.add_multi_constructor(
++    'tag:yaml.org,2002:python/object/new:',
++    UnsafeConstructor.construct_python_object_new)
++
+ UnsafeConstructor.add_multi_constructor(
+     'tag:yaml.org,2002:python/object/apply:',
+     UnsafeConstructor.construct_python_object_apply)
+diff --git a/tests/lib/test_recursive.py b/tests/lib/test_recursive.py
+index 312204e..04c5798 100644
+--- a/tests/lib/test_recursive.py
++++ b/tests/lib/test_recursive.py
+@@ -30,7 +30,7 @@ def test_recursive(recursive_filename, verbose=False):
+     output2 = None
+     try:
+         output1 = yaml.dump(value1)
+-        value2 = yaml.load(output1, yaml.FullLoader)
++        value2 = yaml.load(output1, yaml.UnsafeLoader)
+         output2 = yaml.dump(value2)
+         assert output1 == output2, (output1, output2)
+     finally:
+diff --git a/tests/lib3/test_recursive.py b/tests/lib3/test_recursive.py
+index 74c2ee6..08042c8 100644
+--- a/tests/lib3/test_recursive.py
++++ b/tests/lib3/test_recursive.py
+@@ -31,7 +31,7 @@ def test_recursive(recursive_filename, verbose=False):
+     output2 = None
+     try:
+         output1 = yaml.dump(value1)
+-        value2 = yaml.full_load(output1)
++        value2 = yaml.unsafe_load(output1)
+         output2 = yaml.dump(value2)
+         assert output1 == output2, (output1, output2)
+     finally:
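Review bot: the hunks in lib/yaml/constructor.py and lib3/yaml/constructor.py only move the python/module:, python/object: and python/object/new: multi-constructors from FullConstructor to UnsafeConstructor; python/name: stays registered on FullConstructor in the unchanged context lines, so full_load() can still resolve arbitrary dotted names, which matches the request's own "not expecting it to be 100% secure". The test changes (yaml.FullLoader -> yaml.UnsafeLoader and yaml.full_load -> yaml.unsafe_load in test_recursive.py) are the visible evidence that full_load() no longer round-trips dumped Python objects; that is the behaviour change reverse dependencies will hit, and it deserves a sentence in debian/changelog beyond "Resolve CVE-2020-14343", or a NEWS entry pointing callers at unsafe_load() or at safe_load() with explicitly registered constructors. The DEP-3 headers (Origin: upstream with the commit id, Bug-Debian, Bug-Upstream) are complete.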
diff -Nru pyyaml-5.3.1/debian/patches/series pyyaml-5.3.1/debian/patches/series
--- pyyaml-5.3.1/debian/patches/series	2020-10-22 19:15:26.000000000 -0400
+++ pyyaml-5.3.1/debian/patches/series	2021-05-21 11:11:00.000000000 -0400
@@ -1 +1,2 @@
 fatal_test_failures.patch
+cve-2020-14343.patch

--- End Message ---
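The patch in the message above moves the python/module, python/object and python/object/new constructors out of FullConstructor while python/name stays. The following is an added example, not code from the bug report or from PyYAML: a standard-library-only pre-screen that finds the explicit tags in a YAML document and reports which of them the chosen loader has no constructor for, with the loader tables modelled on the registrations visible in the patch. It does not parse YAML and is not a replacement for safe_load(); it is the kind of check a deployment can put in front of a loader, or run over stored documents, to find input that depends on Python-object tags. The sample document, the "FullLoader-before"/"FullLoader-after" names (the 5.3.1-3 and 5.3.1-4 tables) and the demo.* module names are constructed; only the python/* tags that appear in the patch are modelled, so any other python/* tag, and any local tag, is treated as unknown and refused (fail closed).

```python
"""Explicit-tag pre-screen for YAML input, modelled on the constructor tables
that the CVE-2020-14343 patch leaves in FullConstructor and UnsafeConstructor.

Added example, not PyYAML code. Standard library only; it does not parse YAML,
it only finds explicit tags, which is enough to refuse a document before any
loader with Python-object constructors sees it.
"""
import re

YAML_PREFIX = "tag:yaml.org,2002:"  # what the "!!" shorthand expands to

# Which python/* multi-constructors each loader registers. Only the tags that
# appear in the patch are modelled; "-before"/"-after" are constructed names
# for the 5.3.1-3 and 5.3.1-4 FullLoader tables.
LOADER_CONSTRUCTORS = {
    "SafeLoader": set(),  # no python/* constructors at all
    "FullLoader-before": {"python/name:", "python/module:",
                          "python/object:", "python/object/new:"},
    "FullLoader-after": {"python/name:"},  # module/object/object-new moved out
    "UnsafeLoader": {"python/name:", "python/module:", "python/object:",
                     "python/object/new:", "python/object/apply:"},
}

# Quoted scalars and comments may contain "!" that is data rather than a tag;
# blank them before searching.
_QUOTED_RE = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\']|\'\')*\'')
_COMMENT_RE = re.compile(r"(?:^|\s)#.*$", re.MULTILINE)

# Verbatim "!<tag>", shorthand "!!suffix", or a local "!name" tag.
_TAG_RE = re.compile(
    r"(?<![\w\"'])!(?:<(?P<verbatim>[^>]+)>"
    r"|!(?P<short>[^\s\[\]{},]+)"
    r"|(?P<local>[^\s\[\]{},]*))")


def find_tags(text):
    """Return the explicit tags in a YAML text, expanded to their long form."""
    cleaned = _COMMENT_RE.sub("", _QUOTED_RE.sub('""', text))
    tags = []
    for m in _TAG_RE.finditer(cleaned):
        if m.group("verbatim") is not None:
            tags.append(m.group("verbatim"))
        elif m.group("short") is not None:
            tags.append(YAML_PREFIX + m.group("short"))
        else:
            tags.append("!" + m.group("local"))  # "!" alone is non-specific
    return tags


def tags_outside_loader(text, loader):
    """Return the tags in text that the named loader has no constructor for.

    Core YAML tags (!!str, !!int, !!map, ...) are accepted by every loader.
    Any local or foreign tag, and any python/* tag not in the loader's table,
    is reported: unknown means refused.
    """
    allowed = LOADER_CONSTRUCTORS[loader]
    rejected = []
    for tag in find_tags(text):
        if tag == "!":
            continue  # non-specific tag: only forces plain-scalar typing
        if not tag.startswith(YAML_PREFIX):
            rejected.append(tag)  # local or foreign tag: fail closed
            continue
        suffix = tag[len(YAML_PREFIX):]
        if not suffix.startswith("python/"):
            continue  # core YAML type, not a Python constructor
        if not any(suffix.startswith(prefix) for prefix in allowed):
            rejected.append(tag)
    return rejected


# Constructed sample document; the demo.* names are placeholders.
SAMPLE = """\
# constructed sample, not from the bug report
name: !!str demo
retries: !!int 3
note: "a ! or !!python/object inside a quoted scalar is data, not a tag"
handler: !!python/name:demo.handler
plugin: !!python/module:demo
widget: !<tag:yaml.org,2002:python/object/new:demo.Widget> []
"""

if __name__ == "__main__":
    for loader in LOADER_CONSTRUCTORS:
        print(loader, "refuses:", tags_outside_loader(SAMPLE, loader))
```

Running it shows the effect of the patch in one line of output each: the "before" FullLoader table accepts every tag in the sample, the "after" table refuses the python/module and python/object/new tags while still accepting python/name, and SafeLoader refuses all three python/* tags. Because the screen works on tags rather than on parsed values, a document that legitimately needs one of these tags shows up as a finding to be handled by a loader with explicit constructors, not silently loaded.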
--- Begin Message ---
Control: tags -1 - moreinfo

Hi Stefano,

On 22-05-2021 20:29, Paul Gevers wrote:
> As mentioned on IRC (#d-devel), this seems to cause failure of the lava
> autopkgtest. Did pyyaml also break lava itself?

Lava got fixed in unstable and I expect it to migrate (will keep an eye).

Unblocked.

Paul

PS: I just sent the same reply to the lava bug; that was a mistake.

Attachment: OpenPGP_signature
Description: OpenPGP digital signature


--- End Message ---