Bug 1808088 (CVE-2019-20478)

Summary: CVE-2019-20478 python-ruamel-yaml: code execution through load() method with an untrusted argument
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bmontgom, chkumar, eparis, fabian, hvyas, jburrell, jcantril, jjoyce, jlanford, jschluet, lhh, lpeer, mburns, nstielau, openstack-sig, sclewis, sisharma, slinaber, smilner, sponnaga, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in the ruamel.yaml library, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the load() method. Applications that use ruamel.yaml to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/apply constructor.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1808089, 1808090, 1808091, 1808261, 1808262, 1808269, 1808270, 1808272, 1808273, 1808275
Bug Blocks: 1808092

Description Guilherme de Almeida Suckevicz 2020-02-27 19:07:08 UTC
In ruamel.yaml through 0.16.7, the load method allows remote code execution if the application calls this method with an untrusted argument. In other words, this issue affects developers who are unaware of the need to use methods such as safe_load in these use cases.

Comment 1 Guilherme de Almeida Suckevicz 2020-02-27 19:07:38 UTC
Created python-ruamel-yaml tracking bugs for this issue:

Affects: epel-all [bug 1808090]
Affects: fedora-all [bug 1808089]
Affects: openstack-rdo [bug 1808091]

Comment 10 Sam Fowler 2020-03-03 08:16:51 UTC
Mitigation:

Use the 'safe_load' method in place of 'load' if loading untrusted data. Alternatively use:
from ruamel.yaml import YAML
yaml = YAML(typ='safe')
yaml.load(stream)  # stream: the untrusted file object or string to parse

Reference: https://yaml.readthedocs.io/en/latest/basicuse.html
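As an added example (not from the bug report or from ruamel.yaml itself), a stdlib-only audit script that flags the load() call patterns this mitigation warns about in Python source, so a maintainer can find callers that still need switching to safe_load or YAML(typ='safe'). It assumes that YAML(typ='safe'), the default round-trip typ and the Safe*Loader classes all reject python/object tags, and the source it scans is a constructed sample.

```python
import ast

SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}
SAFE_TYPS = {"safe", "rt", "base"}  # assumption: only typ='unsafe' enables python/object tags
LOAD_CALLS = {"load", "load_all"}

SAMPLE = '''\
import ruamel.yaml
from ruamel.yaml import YAML
cfg = ruamel.yaml.load(open("cfg.yml"))        # line 3: default (unsafe) Loader
ok1 = ruamel.yaml.safe_load(open("cfg.yml"))
ok2 = ruamel.yaml.load(doc, Loader=ruamel.yaml.SafeLoader)
yaml = YAML(typ='safe')
ok3 = yaml.load(doc)
y2 = YAML(typ='unsafe')
bad = y2.load(doc)                              # line 9: unsafe instance
'''  # constructed sample source: parsed only, never executed

def _name(node):  # last component of a call target: ruamel.yaml.load -> 'load'
    if isinstance(node, ast.Attribute):
        return node.attr
    return node.id if isinstance(node, ast.Name) else None

def find_unsafe_loads(source):
    """Return sorted (lineno, reason) pairs for risky ruamel.yaml loads."""
    tree = ast.parse(source)
    instances = {}  # variable -> typ passed to YAML(...), 'rt' when omitted
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Call) \
                and _name(node.value.func) == "YAML":
            kws = {kw.arg: kw.value for kw in node.value.keywords}
            typ = kws["typ"].value if isinstance(kws.get("typ"), ast.Constant) else "rt"
            for target in node.targets:
                if isinstance(target, ast.Name):
                    instances[target.id] = typ
    findings = []
    for node in ast.walk(tree):
        fn = node.func if isinstance(node, ast.Call) else None
        if fn is None or _name(fn) not in LOAD_CALLS:
            continue
        if isinstance(fn, ast.Attribute) and isinstance(fn.value, ast.Name) \
                and fn.value.id in instances:  # method on a YAML(...) instance
            typ = instances[fn.value.id]
            if typ not in SAFE_TYPS:
                findings.append((node.lineno, f"YAML(typ={typ!r}).{fn.attr}()"))
            continue
        loader = next((kw.value for kw in node.keywords if kw.arg == "Loader"), None)
        if loader is None or _name(loader) not in SAFE_LOADERS:  # old-style module call
            findings.append((node.lineno, f"{_name(fn)}() without SafeLoader"))
    return sorted(findings)
```

Running find_unsafe_loads(SAMPLE) reports lines 3 and 9 only; the safe_load call, the explicit SafeLoader and the YAML(typ='safe') instance pass.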

Comment 12 Jason Shepherd 2020-08-17 22:48:32 UTC
Statement:

While the openshift-logging-curator5-container contains the vulnerable code and method call, it only uses it to load a configuration file, which can be considered trusted data. Therefore this component of OpenShift Container Platform is not affected.

The python-openshift dependency of OpenShift Container Platform is only used in a deprecated and unused build script (that is removed in later versions) and does not pose a risk to consumers of this library. Therefore it will not be fixed.