Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1595743 - (CVE-2017-18342) CVE-2017-18342 PyYAML: yaml.load() API could execute arbitrary code
CVE-2017-18342 PyYAML: yaml.load() API could execute arbitrary code
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20180627,repor...
: Security
Depends On: 1595744 1595746 1595747 1602323 1602324 1595745
Blocks: 1595749
  Show dependency treegraph
 
Reported: 2018-06-27 09:21 EDT by Andrej Nemec
Modified: 2018-10-23 05:47 EDT (History)
36 users (show)

See Also:
Fixed In Version: PyYAML 4.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Andrej Nemec 2018-06-27 09:21:09 EDT 
It was found that using yaml.load() API on untrusted input could lead to arbitrary code execution.

References:

http://seclists.org/oss-sec/2018/q2/240
Comment 1 Andrej Nemec 2018-06-27 09:21:58 EDT 
Created PyYAML tracking bugs for this issue:

Affects: fedora-all [bug 1595744]


Created python2-pyyaml tracking bugs for this issue:

Affects: epel-all [bug 1595745]


Created python3-PyYAML tracking bugs for this issue:

Affects: epel-all [bug 1595746]
Comment 3 Andrej Nemec 2018-06-27 09:24:36 EDT 
Pull request:

https://github.com/yaml/pyyaml/pull/74
Comment 4 Petr Viktorin 2018-06-27 09:28:09 EDT 
PyYAML should be updated to >= 4.1, where `yaml.load()` has been changed to call `yaml.safe_load()`.
Comment 5 Jason Tibbitts 2018-06-27 11:53:01 EDT 
Note that the EPEL python2-pyyaml package doesn't contain anything at all.  It just depends on the RHEL python-pyyaml package, and allows packagers to use dependencies on python2-pyyaml on all releases.
Comment 6 Miro Hrončok 2018-06-29 04:45:21 EDT 
Also note that the fact that yaml.load() is not safe has been known for centuries, so please don't rush with this fix:

 * the fix changes API very much (even nonobviously [1])
 * the released version 4.1 was removed from PyPI, causing troubles [2]

[1] https://github.com/yaml/pyyaml/issues/187
[2] https://github.com/yaml/pyyaml/issues/192
Comment 7 Joshua Padman 2018-07-01 20:04:56 EDT 
Changing the severity to Moderate, as previously noted the lack of safety in `yaml.load()` has been known for a considerable time.
Comment 9 Cedric Buissart 2018-07-11 04:48:39 EDT 
Statement:

PyYAML in channels for Red Hat MRG Messaging 2 should no longer be used, as a newer version is now available in Red Hat Enterprise Linux. Newer packages should be consumed from Red Hat Enterprise Linux channels.

This issue affects the versions of the PyYAML package as shipped with Red Hat Satellite 5. However, this flaw is not known to be exploitable under any supported scenario in Satellite 5. A future update may address this issue.
Comment 13 Petr Viktorin 2018-08-27 11:30:33 EDT 
The [upstream documentation] says:

> Warning: It is not safe to call yaml.load with any data received from an untrusted source! yaml.load is as powerful as pickle.load and so may call any Python function. Check the yaml.safe_load function though.


This has been known since around 2013 (see e.g. [0]). However, it's part of a stable API, so it's not easy to change.

The 4.1 release, which fixes this, was recalled by upstream. So, there currently is no upstream fix released for the CVE.


[upstream documentation]: https://pyyaml.org/wiki/PyYAMLDocumentation#loading-yaml
[0]: https://nedbatchelder.com/blog/201302/war_is_peace.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.