Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock X-Debbugs-Cc: Scott Kitterman <sc...@kitterman.com>, Michael Hudson-Doyle <mwhud...@debian.org>
Please unblock package pyyaml pyyaml (5.3.1-4) unstable; urgency=medium * Team upload. [ Debian Janitor ] * Apply multi-arch hints. + python3-yaml-dbg: Add Multi-Arch: same. [ Stefano Rivera ] * Resolve CVE-2020-14343, more trivial RCEs in .load() and FullLoader. (Closes: #966233) -- Stefano Rivera <stefa...@debian.org> Fri, 21 May 2021 11:11:00 -0400 [ Reason ] Fixes a security issue (#966233, CVE-2020-14343). Not expecting it to be 100% secure — that requires more significant API changes — but at least it's a bit better. https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation [ Impact ] Known RCE risk in a parsing library. [ Tests ] Manually tested that the example exploits are mitigated. [ Risks ] Haven't checked reverse-dependencies (there are a lot of them) for breakage. Ubuntu has carried this patch for a month, with no known issues. I saw one issue mentioned on github, but that doesn't trigger an FTBFS for us (no build-dep on pyyaml): https://github.com/networkx/networkx/issues/4569 [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing unblock pyyaml/5.3.1-4
diff -Nru pyyaml-5.3.1/debian/changelog pyyaml-5.3.1/debian/changelog --- pyyaml-5.3.1/debian/changelog 2020-10-22 19:33:33.000000000 -0400 +++ pyyaml-5.3.1/debian/changelog 2021-05-21 11:11:00.000000000 -0400 @@ -1,3 +1,17 @@ +pyyaml (5.3.1-4) unstable; urgency=medium + + * Team upload. + + [ Debian Janitor ] + * Apply multi-arch hints. + + python3-yaml-dbg: Add Multi-Arch: same. + + [ Stefano Rivera ] + * Resolve CVE-2020-14343, more trivial RCEs in .load() and FullLoader. + (Closes: #966233) + + -- Stefano Rivera <stefa...@debian.org> Fri, 21 May 2021 11:11:00 -0400 + pyyaml (5.3.1-3) unstable; urgency=medium [ Ondřej Nový ] diff -Nru pyyaml-5.3.1/debian/control pyyaml-5.3.1/debian/control --- pyyaml-5.3.1/debian/control 2020-10-22 19:33:33.000000000 -0400 +++ pyyaml-5.3.1/debian/control 2021-05-21 11:11:00.000000000 -0400 @@ -25,6 +25,7 @@ Section: debug Architecture: any Depends: python3-yaml (= ${binary:Version}), python3-dbg, ${shlibs:Depends}, ${misc:Depends} +Multi-Arch: same Description: YAML parser and emitter for Python3 (debug build) Python3-yaml is a complete YAML 1.1 parser and emitter for Python3. It can parse all examples from the specification. The parsing algorithm is simple diff -Nru pyyaml-5.3.1/debian/patches/cve-2020-14343.patch pyyaml-5.3.1/debian/patches/cve-2020-14343.patch --- pyyaml-5.3.1/debian/patches/cve-2020-14343.patch 1969-12-31 20:00:00.000000000 -0400 +++ pyyaml-5.3.1/debian/patches/cve-2020-14343.patch 2021-05-21 11:11:00.000000000 -0400 
@@ -0,0 +1,127 @@ +From: =?utf-8?q?Ingy_d=C3=B6t_Net?= <i...@ingy.net> +Date: Sat, 9 Jan 2021 10:53:23 -0500 +Subject: Fix for CVE-2020-14343 + +Per suggestion https://github.com/yaml/pyyaml/issues/420#issuecomment-663888344 +move a few constructors from full_load to unsafe_load. + +Bug-Debian: https://bugs.debian.org/966233 +Bug-Upstream: https://github.com/yaml/pyyaml/issues/420 +Origin: upstream, https://github.com/yaml/pyyaml/commit/a001f2782501ad2d24986959f0239a354675f9dc +--- + lib/yaml/constructor.py | 24 ++++++++++++------------ + lib3/yaml/constructor.py | 24 ++++++++++++------------ + tests/lib/test_recursive.py | 2 +- + tests/lib3/test_recursive.py | 2 +- + 4 files changed, 26 insertions(+), 26 deletions(-) + +diff --git a/lib/yaml/constructor.py b/lib/yaml/constructor.py +index 794681c..c42ee34 100644 +--- a/lib/yaml/constructor.py ++++ b/lib/yaml/constructor.py +@@ -722,18 +722,6 @@ FullConstructor.add_multi_constructor( + u'tag:yaml.org,2002:python/name:', + FullConstructor.construct_python_name) + +-FullConstructor.add_multi_constructor( +- u'tag:yaml.org,2002:python/module:', +- FullConstructor.construct_python_module) +- +-FullConstructor.add_multi_constructor( +- u'tag:yaml.org,2002:python/object:', +- FullConstructor.construct_python_object) +- +-FullConstructor.add_multi_constructor( +- u'tag:yaml.org,2002:python/object/new:', +- FullConstructor.construct_python_object_new) +- + class UnsafeConstructor(FullConstructor): + + def find_python_module(self, name, mark): +@@ -750,6 +738,18 @@ class UnsafeConstructor(FullConstructor): + return super(UnsafeConstructor, self).set_python_instance_state( + instance, state, unsafe=True) + ++UnsafeConstructor.add_multi_constructor( ++ u'tag:yaml.org,2002:python/module:', ++ UnsafeConstructor.construct_python_module) ++ ++UnsafeConstructor.add_multi_constructor( ++ u'tag:yaml.org,2002:python/object:', ++ UnsafeConstructor.construct_python_object) ++ ++UnsafeConstructor.add_multi_constructor( ++ 
u'tag:yaml.org,2002:python/object/new:', ++ UnsafeConstructor.construct_python_object_new) ++ + UnsafeConstructor.add_multi_constructor( + u'tag:yaml.org,2002:python/object/apply:', + UnsafeConstructor.construct_python_object_apply) +diff --git a/lib3/yaml/constructor.py b/lib3/yaml/constructor.py +index 1948b12..619acd3 100644 +--- a/lib3/yaml/constructor.py ++++ b/lib3/yaml/constructor.py +@@ -710,18 +710,6 @@ FullConstructor.add_multi_constructor( + 'tag:yaml.org,2002:python/name:', + FullConstructor.construct_python_name) + +-FullConstructor.add_multi_constructor( +- 'tag:yaml.org,2002:python/module:', +- FullConstructor.construct_python_module) +- +-FullConstructor.add_multi_constructor( +- 'tag:yaml.org,2002:python/object:', +- FullConstructor.construct_python_object) +- +-FullConstructor.add_multi_constructor( +- 'tag:yaml.org,2002:python/object/new:', +- FullConstructor.construct_python_object_new) +- + class UnsafeConstructor(FullConstructor): + + def find_python_module(self, name, mark): +@@ -738,6 +726,18 @@ class UnsafeConstructor(FullConstructor): + return super(UnsafeConstructor, self).set_python_instance_state( + instance, state, unsafe=True) + ++UnsafeConstructor.add_multi_constructor( ++ 'tag:yaml.org,2002:python/module:', ++ UnsafeConstructor.construct_python_module) ++ ++UnsafeConstructor.add_multi_constructor( ++ 'tag:yaml.org,2002:python/object:', ++ UnsafeConstructor.construct_python_object) ++ ++UnsafeConstructor.add_multi_constructor( ++ 'tag:yaml.org,2002:python/object/new:', ++ UnsafeConstructor.construct_python_object_new) ++ + UnsafeConstructor.add_multi_constructor( + 'tag:yaml.org,2002:python/object/apply:', + UnsafeConstructor.construct_python_object_apply) +diff --git a/tests/lib/test_recursive.py b/tests/lib/test_recursive.py +index 312204e..04c5798 100644 +--- a/tests/lib/test_recursive.py ++++ b/tests/lib/test_recursive.py +@@ -30,7 +30,7 @@ def test_recursive(recursive_filename, verbose=False): + output2 = None + try: + output1 = 
yaml.dump(value1) +- value2 = yaml.load(output1, yaml.FullLoader) ++ value2 = yaml.load(output1, yaml.UnsafeLoader) + output2 = yaml.dump(value2) + assert output1 == output2, (output1, output2) + finally: +diff --git a/tests/lib3/test_recursive.py b/tests/lib3/test_recursive.py +index 74c2ee6..08042c8 100644 +--- a/tests/lib3/test_recursive.py ++++ b/tests/lib3/test_recursive.py +@@ -31,7 +31,7 @@ def test_recursive(recursive_filename, verbose=False): + output2 = None + try: + output1 = yaml.dump(value1) +- value2 = yaml.full_load(output1) ++ value2 = yaml.unsafe_load(output1) + output2 = yaml.dump(value2) + assert output1 == output2, (output1, output2) + finally: diff -Nru pyyaml-5.3.1/debian/patches/series pyyaml-5.3.1/debian/patches/series --- pyyaml-5.3.1/debian/patches/series 2020-10-22 19:15:26.000000000 -0400 +++ pyyaml-5.3.1/debian/patches/series 2021-05-21 11:11:00.000000000 -0400 @@ -1 +1,2 @@ fatal_test_failures.patch +cve-2020-14343.patch
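Review bot: The patch adds no regression test for the three tags it withdraws from FullConstructor — the only test change inside it (tests/lib/test_recursive.py and tests/lib3/test_recursive.py) switches the round-trip test to the unsafe loader, so nothing asserts that `full_load` now refuses `python/module:`, `python/object:` and `python/object/new:`, and a future re-registration would go unnoticed. A test in the same style as test_recursive that expects `yaml.constructor.ConstructorError` from `yaml.full_load('!!python/module:sys')` (with no constructor registered the tag should fall through to `construct_undefined`, if I read the dispatch right) would pin the fix for both lib/ and lib3/. Note also that the surviving context line shows `python/name:` still registered on FullConstructor, which is why the unblock text says `full_load` is not fully safe; the patch header (or d/changelog) could state that explicitly so reverse-dependency maintainers do not treat `full_load` as equivalent to `safe_load`.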