It was found that using yaml.load() API on untrusted input could lead to arbitrary code execution. References: http://seclists.org/oss-sec/2018/q2/240
Created PyYAML tracking bugs for this issue:
Affects: fedora-all [bug 1595744]

Created python2-pyyaml tracking bugs for this issue:
Affects: epel-all [bug 1595745]

Created python3-PyYAML tracking bugs for this issue:
Affects: epel-all [bug 1595746]
Pull request: https://github.com/yaml/pyyaml/pull/74
PyYAML should be updated to >= 4.1, where `yaml.load()` has been changed to call `yaml.safe_load()`.
Note that the EPEL python2-pyyaml package doesn't contain anything at all. It just depends on the RHEL python-pyyaml package, and allows packagers to use dependencies on python2-pyyaml on all releases.
Also note that the fact that yaml.load() is not safe has been known for centuries, so please don't rush with this fix:
* the fix changes the API very much (even nonobviously [1])
* the released version 4.1 was removed from PyPI, causing troubles [2]

[1] https://github.com/yaml/pyyaml/issues/187
[2] https://github.com/yaml/pyyaml/issues/192
Changing the severity to Moderate, as previously noted the lack of safety in `yaml.load()` has been known for a considerable time.
The [upstream documentation] says:

> Warning: It is not safe to call yaml.load with any data received from an untrusted source! yaml.load is as powerful as pickle.load and so may call any Python function. Check the yaml.safe_load function though.

This has been known since around 2013 (see e.g. [0]). However, it's part of a stable API, so it's not easy to change. The 4.1 release, which fixes this, was recalled by upstream. So, there currently is no upstream fix released for the CVE.

[upstream documentation]: https://pyyaml.org/wiki/PyYAMLDocumentation#loading-yaml
[0]: https://nedbatchelder.com/blog/201302/war_is_peace.html
5.1 GA released today finally fixes this - https://mail.python.org/pipermail/python-list/2019-March/739937.html
(In reply to John Eckersberg from comment #14)
> 5.1 GA released today finally fixes this -
> https://mail.python.org/pipermail/python-list/2019-March/739937.html

I should clarify this a bit. The "fix" is to deprecate using yaml.load without explicitly specifying the Loader parameter. Using it without specifying Loader will now print a deprecation warning, but ultimately the code will still function the same as it always has. For all the details, see https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
PyYAML is used in Red Hat OpenStack; however, there are no circumstances where this vulnerability is exposed or would be readily exploitable. It has been known for a considerable amount of time that yaml.load() is unsafe, and it was included in the Bandit test suite over 3 years ago. Bandit was an OpenStack tool created to find common security issues in Python code. This has allowed them to be mindful of these types of vulnerabilities and avoid them. Red Hat OpenStack included the library in its own repository for the benefit of the OpenStack client tools. The package provided is currently the same version as provided by RHEL 7. OpenStack installations will consume fixes from the enabled RHEL repositories.
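A Bandit-style audit for the pattern the two comments above describe (yaml.load() called without an explicit Loader, or with a Loader other than SafeLoader), as an added example that is not from this bug report, from Bandit, or from PyYAML itself. It uses only the standard-library ast module, so it runs without PyYAML installed; the source it scans is constructed here, and treating only SafeLoader/CSafeLoader as safe is this check's own conservative policy.

```python
import ast

SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}  # conservative policy: only these are accepted

def _is_yaml_load(call, yaml_aliases, load_aliases):
    """True if `call` is <yaml alias>.load(...) or a bare load() imported from yaml."""
    f = call.func
    if isinstance(f, ast.Attribute) and f.attr == "load":
        return isinstance(f.value, ast.Name) and f.value.id in yaml_aliases
    return isinstance(f, ast.Name) and f.id in load_aliases

def _loader_name(call):
    """Name of the Loader argument (keyword or 2nd positional), or None if absent."""
    node = next((kw.value for kw in call.keywords if kw.arg == "Loader"), None)
    if node is None and len(call.args) >= 2:
        node = call.args[1]           # yaml.load(stream, yaml.SafeLoader)
    if node is None:
        return None
    return node.attr if isinstance(node, ast.Attribute) else getattr(node, "id", "<expr>")

def find_unsafe_yaml_loads(source):
    """Return sorted [(line, reason)] for yaml.load() calls not pinned to a safe Loader."""
    tree = ast.parse(source)
    yaml_aliases, load_aliases = set(), set()
    for node in ast.walk(tree):   # resolve `import yaml as y` and `from yaml import load`
        if isinstance(node, ast.Import):
            yaml_aliases.update(a.asname or "yaml" for a in node.names if a.name == "yaml")
        elif isinstance(node, ast.ImportFrom) and node.module == "yaml":
            load_aliases.update(a.asname or "load" for a in node.names if a.name == "load")
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _is_yaml_load(node, yaml_aliases, load_aliases):
            loader = _loader_name(node)
            if loader is None:
                findings.append((node.lineno, "yaml.load() without Loader= (unsafe default; deprecated in 5.1)"))
            elif loader not in SAFE_LOADERS:
                findings.append((node.lineno, f"yaml.load() with Loader={loader}; only SafeLoader builds plain data"))
    return sorted(findings)

# Constructed sample source; only parsed, never executed.
SAMPLE = '''\
import yaml
from yaml import load as yload
cfg = yaml.load(open("cfg.yml"))             # line 3: no Loader given
doc = yaml.load(text, Loader=yaml.Loader)    # line 4: full constructor on untrusted input
ok1 = yaml.load(text, Loader=yaml.SafeLoader)
ok2 = yaml.safe_load(text)
raw = yload(text)                            # line 7: aliased yaml.load, no Loader
'''

if __name__ == "__main__":
    for line, reason in find_unsafe_yaml_loads(SAMPLE):
        print(f"line {line}: {reason}")
```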
Statement:

PyYAML in channels for Red Hat MRG Messaging 2 should no longer be used, as a newer version is now available in Red Hat Enterprise Linux. Newer packages should be consumed from Red Hat Enterprise Linux channels.

This issue affects the versions of the PyYAML package as shipped with Red Hat Satellite 5. However, this flaw is not known to be exploitable under any supported scenario in Satellite 5. A future update may address this issue.

The PyYAML library that is provided in the Red Hat OpenStack repositories is vulnerable. However, there are no instances where this library is used in a way which exposes the vulnerability. Any updates will be through the RHEL channels.