Bug 1595743 (CVE-2017-18342)

Summary: CVE-2017-18342 PyYAML: yaml.load() API could execute arbitrary code
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abergmann, apevec, bhu, bkearney, chrisw, eglynn, hhorak, iboverma, jeckersb, jjoyce, jorton, jpadman, jross, jschluet, lhh, lpeer, lsvaty, markmc, mburns, mcressma, meissner, mgarciac, mhroncok, orion, pgrist, pviktori, python-maint, rbryant, sclewis, sisharma, slinaber, srevivo, tdecacqu, TicoTimo, tlestach, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: PyYAML 5.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-25 09:46:22 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1595744, 1595745, 1595746, 1595747, 1602323, 1602324, 1692215, 1821777, 1821778
Bug Blocks: 1595749

Description Andrej Nemec 2018-06-27 13:21:09 UTC
It was found that using the yaml.load() API on untrusted input could lead to arbitrary code execution.

References:

http://seclists.org/oss-sec/2018/q2/240

Comment 1 Andrej Nemec 2018-06-27 13:21:58 UTC
Created PyYAML tracking bugs for this issue:

Affects: fedora-all [bug 1595744]


Created python2-pyyaml tracking bugs for this issue:

Affects: epel-all [bug 1595745]


Created python3-PyYAML tracking bugs for this issue:

Affects: epel-all [bug 1595746]

Comment 3 Andrej Nemec 2018-06-27 13:24:36 UTC
Pull request:

https://github.com/yaml/pyyaml/pull/74

Comment 4 Petr Viktorin (pviktori) 2018-06-27 13:28:09 UTC
PyYAML should be updated to >= 4.1, where `yaml.load()` has been changed to call `yaml.safe_load()`.

Comment 5 Jason Tibbitts 2018-06-27 15:53:01 UTC
Note that the EPEL python2-pyyaml package doesn't contain anything at all.  It just depends on the RHEL python-pyyaml package, and allows packagers to use dependencies on python2-pyyaml on all releases.

Comment 6 Miro Hrončok 2018-06-29 08:45:21 UTC
Also note that the fact that yaml.load() is not safe has been known for centuries, so please don't rush with this fix:

 * the fix changes API very much (even nonobviously [1])
 * the released version 4.1 was removed from PyPI, causing troubles [2]

[1] https://github.com/yaml/pyyaml/issues/187
[2] https://github.com/yaml/pyyaml/issues/192

Comment 7 Joshua Padman 2018-07-02 00:04:56 UTC
Changing the severity to Moderate, as previously noted the lack of safety in `yaml.load()` has been known for a considerable time.

Comment 13 Petr Viktorin (pviktori) 2018-08-27 15:30:33 UTC
The [upstream documentation] says:

> Warning: It is not safe to call yaml.load with any data received from an untrusted source! yaml.load is as powerful as pickle.load and so may call any Python function. Check the yaml.safe_load function though.


This has been known since around 2013 (see e.g. [0]). However, it's part of a stable API, so it's not easy to change.

The 4.1 release, which fixes this, was recalled by upstream. So, there currently is no upstream fix released for the CVE.


[upstream documentation]: https://pyyaml.org/wiki/PyYAMLDocumentation#loading-yaml
[0]: https://nedbatchelder.com/blog/201302/war_is_peace.html

Comment 14 John Eckersberg 2019-03-13 19:13:54 UTC
5.1 GA released today finally fixes this - https://mail.python.org/pipermail/python-list/2019-March/739937.html

Comment 15 John Eckersberg 2019-03-13 19:52:44 UTC
(In reply to John Eckersberg from comment #14)
> 5.1 GA released today finally fixes this -
> https://mail.python.org/pipermail/python-list/2019-March/739937.html

I should clarify this a bit.  The "fix" is to deprecate using yaml.load without explicitly specifying the Loader parameter.  Using it without specifying Loader will now print a deprecation warning, but ultimately the code will still function the same as it always has.

For all the details, see https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
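The following is an added example (not code from the bug report, from Red Hat, or from the PyYAML project) showing the pattern described in the bug's description and in comment 15: the same untrusted document loaded with the unsafe loader executes a function call, while yaml.safe_load() rejects it, and a probe reports how a Loader-less yaml.load() behaves on the installed version (silent before 5.1, deprecation warning in 5.1 to 5.x, TypeError from 6.0). It assumes PyYAML is importable as `yaml`; the document and its harmless `echo` payload are constructed for the example.

```python
"""Added example for CVE-2017-18342 (not from the bug report or PyYAML).

Assumptions: PyYAML is installed and importable as `yaml`. The untrusted
document below is constructed for this example; its python/object/apply
tag calls subprocess.check_output(["echo", "pwned"]) so the effect is
visible without side effects. A real attacker would name os.system or
similar instead.
"""
import warnings

import yaml

# Constructed attacker-controlled input. The !!python/object/apply tag asks
# the unsafe loader to import `subprocess` and call `check_output` with the
# listed positional argument while it is still building the object tree.
UNTRUSTED_DOC = """
build:
  name: !!python/object/apply:subprocess.check_output
    - [echo, pwned]
"""


def load_unsafe(doc):
    """The vulnerable pattern: yaml.Loader (the same class UnsafeLoader aliases
    in 5.1+) honours python/* tags and will call arbitrary importable callables."""
    return yaml.load(doc, Loader=yaml.Loader)


def load_safe(doc):
    """The fix: safe_load (SafeLoader) only knows standard YAML tags, so any
    python/* tag is rejected with ConstructorError before anything is called."""
    return yaml.safe_load(doc)


def probe_loader_default(doc="a: 1"):
    """Report what a Loader-less yaml.load(doc) does on the installed PyYAML:
    'loader-required'     -> 6.0+: Loader is a required argument (TypeError)
    'deprecation-warning' -> 5.1 to 5.x: YAMLLoadWarning is emitted
    'silent'              -> before 5.1: no warning, full unsafe loader
    A benign document is used so the probe itself never runs a payload."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        try:
            yaml.load(doc)
        except TypeError:
            return "loader-required"
    if any("Loader" in str(w.message) for w in caught):
        return "deprecation-warning"
    return "silent"


def demo():
    """Run all three checks and return (payload output, rejected by safe_load, probe)."""
    # With the unsafe loader the tagged node *is* the result of the call.
    executed = load_unsafe(UNTRUSTED_DOC)["build"]["name"]
    try:
        load_safe(UNTRUSTED_DOC)
        rejected = False
    except yaml.constructor.ConstructorError:
        rejected = True
    return executed.strip(), rejected, probe_loader_default()


if __name__ == "__main__":
    output, rejected, mode = demo()
    print("unsafe loader executed payload:", output)
    print("safe_load rejected the document:", rejected)
    print("Loader-less yaml.load() on this version:", mode)
```

The practical rule this illustrates: pass `Loader=yaml.SafeLoader` (or call `yaml.safe_load()`) for anything that did not come from your own code, and treat a `YAMLLoadWarning` in logs as a finding rather than noise, since the 5.1 deprecation changes nothing about what the call does.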

Comment 16 Joshua Padman 2019-03-25 03:02:36 UTC
PyYAML is used in Red Hat OpenStack, however, there are no circumstances where this vulnerability is exposed or would be readily exploitable. It has been known for a considerable amount of time that yaml.load() is unsafe and was included in the Bandit test suite over 3 years ago. Bandit was an OpenStack tool created to find common security issues in python code. This has allowed them to be mindful of these types of vulnerabilities and avoid them.

Red Hat OpenStack included the library in its own repository for the benefit of the OpenStack client tools. The package provided is currently the same version as provided by RHEL 7. OpenStack installations will consume fixes from the enabled RHEL repositories.

Comment 18 Joshua Padman 2019-03-25 03:33:01 UTC
Statement:

PyYAML in channels for Red Hat MRG Messaging 2 should no longer be used, as a newer version is now available in Red Hat Enterprise Linux. Newer packages should be consumed from Red Hat Enterprise Linux channels.

This issue affects the versions of the PyYAML package as shipped with Red Hat Satellite 5. However, this flaw is not known to be exploitable under any supported scenario in Satellite 5. A future update may address this issue.

The PyYAML library that is provided in the Red Hat OpenStack repositories is vulnerable. However, there are no instances where this library is used in a way which exposes the vulnerability. Any updates will be through the RHEL channels.