Bug 1709598 (CVE-2019-10135)

Summary: CVE-2019-10135 osbs-client: Object injection through insecure use of yaml.load() function
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: admiller, athoscribeiro, clems.verna, extras-orphan, mbasti, security-response-team, slavek.kabrda, ttomecek, twaugh, vrutkovs
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: osbs-client 0.56.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the yaml.load() function in the osbs-client prior to version 0.56.1. Insecure use of the yaml.load() function allowed the user to load any suspicious object for code execution via the parsing of malicious YAML files.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-25 13:05:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1722329
Bug Blocks: 1709600

Description Pedro Sampaio 2019-05-13 22:58:49 UTC
A flaw was found in osbs-client. yaml.load() is used for insecure user input instead of yaml.load_safe(). Thus osbs-client allows loading of any suspicious objects given by the user.
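The check a maintainer would want after reading the description above is a way to find every yaml.load() call site that still honours arbitrary tags. The script below is an added example for this bug record; it is not osbs-client code and not the upstream fix. It walks a Python module's AST, reports yaml.load()/load_all() calls that pass no Loader or one of the object-constructing loaders (Loader, CLoader, UnsafeLoader), treats other loaders as needing review, and accepts yaml.safe_load() or Loader=yaml.SafeLoader as the remediation. The two embedded snippets are constructed samples in the shape the report describes, not osbs-client source.

```python
"""Audit Python source for yaml.load() calls that construct arbitrary objects.

Added example for this bug record: not osbs-client code and not the upstream
fix. It flags the pattern described in the report (yaml.load() with no Loader,
or with a Loader that builds Python objects from tags such as !!python/object)
and accepts yaml.safe_load() / yaml.SafeLoader as the remediation.
"""
import ast
import sys

# Loaders that construct arbitrary Python objects: Loader/CLoader in every
# PyYAML release, UnsafeLoader since 5.1. Anything else not in SAFE_LOADERS
# (e.g. FullLoader, or a loader computed at runtime) is reported for review.
UNSAFE_LOADERS = {"Loader", "CLoader", "UnsafeLoader"}
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}


def _loader_name(call):
    """Return the Loader passed to the call (keyword or 2nd positional), or None."""
    node = None
    for kw in call.keywords:
        if kw.arg == "Loader":
            node = kw.value
    if node is None and len(call.args) >= 2:
        node = call.args[1]
    if node is None:
        return None
    if isinstance(node, ast.Attribute):
        return node.attr        # yaml.SafeLoader -> "SafeLoader"
    if isinstance(node, ast.Name):
        return node.id          # from yaml import SafeLoader
    return "<dynamic>"          # chosen at runtime: needs manual review


def audit_yaml_loads(source):
    """Return [(lineno, function, loader, verdict), ...] ordered by line.

    verdict is "unsafe" for calls that honour arbitrary tags and "review"
    for loaders this script cannot classify statically.
    """
    tree = ast.parse(source)
    module_aliases = set()   # names bound to the yaml module (import yaml as y)
    imported = {}            # local name -> yaml attribute (from yaml import load as l)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "yaml":
                    module_aliases.add(alias.asname or "yaml")
        elif isinstance(node, ast.ImportFrom) and node.module == "yaml":
            for alias in node.names:
                imported[alias.asname or alias.name] = alias.name

    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id in module_aliases):
            name = func.attr
        elif isinstance(func, ast.Name) and func.id in imported:
            name = imported[func.id]
        else:
            continue
        if name in ("unsafe_load", "unsafe_load_all"):
            findings.append((node.lineno, name, None, "unsafe"))
        elif name in ("load", "load_all"):
            loader = _loader_name(node)
            if loader in SAFE_LOADERS:
                continue
            # No Loader means the full Loader before PyYAML 5.1, FullLoader
            # (with a warning) in 5.1-5.x and a TypeError in 6.0; none of
            # those is the safe schema, so it is reported as unsafe.
            if loader is None or loader in UNSAFE_LOADERS:
                verdict = "unsafe"
            else:
                verdict = "review"
            findings.append((node.lineno, name, loader, verdict))
    return sorted(findings, key=lambda finding: finding[0])


# Constructed sample in the shape the report describes (not osbs-client source).
VULNERABLE_SNIPPET = '''
import yaml
from yaml import load as yload

def read_config(text):
    return yaml.load(text)                       # no Loader argument

def read_other(text):
    return yload(text, Loader=yaml.Loader)       # explicit full Loader

def read_plain(text):
    return yaml.safe_load(text)                  # already safe
'''

# The same functions after swapping in the safe loader (constructed sample).
FIXED_SNIPPET = '''
import yaml
from yaml import safe_load

def read_config(text):
    return safe_load(text)

def read_other(text):
    return yaml.load(text, yaml.SafeLoader)      # positional Loader is fine too
'''


def main(paths):
    """Print findings for each file given on the command line; exit 1 if any."""
    exit_code = 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for lineno, name, loader, verdict in audit_yaml_loads(fh.read()):
                print(f"{path}:{lineno}: {verdict}: yaml.{name}(Loader={loader})")
                exit_code = 1
    return exit_code


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    print("vulnerable sample:", audit_yaml_loads(VULNERABLE_SNIPPET))
    print("fixed sample:", audit_yaml_loads(FIXED_SNIPPET))
```

Run it as `python audit_yaml.py path/to/*.py` to list call sites; with no arguments it audits the two embedded samples, reporting lines 6 and 9 of the vulnerable one and nothing for the fixed one. The script only resolves `import yaml` and `from yaml import ...` bindings, so a module that re-exports a loader under another name is reported as "review" rather than silently passed.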

Comment 3 Sam Fowler 2019-05-14 00:53:39 UTC
Acknowledgments:

Name: Martin Bašti (Red Hat)

Comment 6 Dave Baker 2019-05-14 19:02:35 UTC
Upstream is: https://github.com/projectatomic/osbs-client

Comment 7 Dave Baker 2019-05-14 19:10:52 UTC
epel-6 (osbs-client-0.24-1.el6.src.rpm) and epel-7 (osbs-client-0.32-1.el7.src.rpm) both predate the problematic code, introduced in Jan 2018 with "import yaml"

Comment 8 Sam Fowler 2019-05-15 01:25:08 UTC
yaml.load() was first introduced in version 0.46:

https://github.com/projectatomic/osbs-client/commit/2fb16f95208ba02670fd389644b2f94963b18970

Comment 9 Sam Fowler 2019-06-20 05:23:22 UTC
Upstream Fix:

https://github.com/containerbuildsystem/osbs-client/pull/865

Comment 10 Sam Fowler 2019-06-20 05:28:38 UTC
Created osbs-client tracking bugs for this issue:

Affects: fedora-all [bug 1722329]