Bug 1860466 (CVE-2020-14343) - CVE-2020-14343 PyYAML: incomplete fix for CVE-2020-1747
Summary: CVE-2020-14343 PyYAML: incomplete fix for CVE-2020-1747
Keywords:
Status: NEW
Alias: CVE-2020-14343
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1860468 1861784 1941794 1943254 1860469 1860470 1861785 1910657
Blocks: 1860471
Reported: 2020-07-24 17:18 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-03-26 13:35 UTC (History)

Fixed In Version: PyYAML 5.4
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in the PyYAML library, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
Clone Of:
Environment:
Last Closed: 2021-01-15 14:14:07 UTC


Description Guilherme de Almeida Suckevicz 2020-07-24 17:18:31 UTC
The fix made in PyYAML for CVE-2020-1747 was not sufficient to resolve the issue.

Reference:
https://github.com/yaml/pyyaml/issues/420

Comment 1 Guilherme de Almeida Suckevicz 2020-07-24 17:34:13 UTC
Created PyYAML tracking bugs for this issue:

Affects: fedora-all [bug 1860469]


Created python2-pyyaml tracking bugs for this issue:

Affects: epel-all [bug 1860470]


Created python3-PyYAML tracking bugs for this issue:

Affects: epel-all [bug 1860468]

Comment 2 Summer Long 2020-07-27 02:07:52 UTC
OpenStack: set to 'notaffected' because the packaged RHOSP version (PyYAML-3.10-11.el7) doesn't have the FullLoader code (lib/yaml/loader.py and constructor.py).

Comment 6 Riccardo Schirone 2020-07-29 13:34:15 UTC
Mitigation:

Use `yaml.safe_load` or the SafeLoader loader when you parse untrusted input.

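The mitigation in Comment 6 is easiest to enforce by auditing code for the loader actually used. The following is an added example, not part of the bug report or of PyYAML: a small stdlib-only checker that walks a source file's AST and flags `yaml.full_load`, `yaml.load(..., Loader=FullLoader)` and `yaml.load` with no explicit `Loader` (which PyYAML 5.1 to 5.3 resolve to FullLoader), while accepting `safe_load`/`SafeLoader`. `SAMPLE` is constructed input.

```python
"""Added audit helper (not from the bug report): flag PyYAML load calls that use
FullLoader/full_load or the implicit default loader, which CVE-2020-14343 affects."""
import ast
# Loaders unsafe for untrusted input: FullLoader (this CVE) and the legacy
# Loader/UnsafeLoader, which were never meant for untrusted data.
UNSAFE_LOADERS = {"FullLoader", "CFullLoader", "Loader", "CLoader",
                  "UnsafeLoader", "CUnsafeLoader"}
UNSAFE_FUNCS = {"full_load", "full_load_all", "unsafe_load", "unsafe_load_all"}

def _dotted(node):
    """Dotted name of a Name/Attribute node, e.g. 'yaml.FullLoader'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""

def find_unsafe_yaml_calls(source):
    """Return [(lineno, reason)] for each risky yaml.load* call in source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        fn = _dotted(node.func) if isinstance(node, ast.Call) else ""
        if not fn.startswith("yaml."):
            continue
        name = fn[len("yaml."):]
        if name in UNSAFE_FUNCS:
            findings.append((node.lineno, f"{fn}() uses an unsafe loader"))
        elif name in ("load", "load_all"):
            loaders = [_dotted(kw.value) for kw in node.keywords if kw.arg == "Loader"]
            if len(node.args) > 1:          # Loader passed positionally
                loaders.append(_dotted(node.args[1]))
            if not loaders:                 # PyYAML 5.1-5.3 fall back to FullLoader
                findings.append((node.lineno, f"{fn}() without explicit Loader"))
            elif loaders[0].rsplit(".", 1)[-1] in UNSAFE_LOADERS:
                findings.append((node.lineno, f"{fn}(Loader={loaders[0]}) is affected"))
    return findings

# Constructed sample source, not code from any real project.
SAMPLE = """\
import yaml
cfg = yaml.safe_load(open("cfg.yml"))                # mitigated
data = yaml.load(untrusted, Loader=yaml.FullLoader)  # affected
more = yaml.full_load(untrusted)                     # affected
legacy = yaml.load(untrusted)                        # defaults to FullLoader
ok = yaml.load(untrusted, Loader=yaml.SafeLoader)    # mitigated
"""

for lineno, reason in find_unsafe_yaml_calls(SAMPLE):   # reports sample lines 3, 4 and 5
    print(f"line {lineno}: {reason}")
```
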
Comment 7 Riccardo Schirone 2020-07-29 13:41:22 UTC
FullLoader, which is the class where this vulnerability lies, was introduced in upstream version 5.1.

Comment 8 Riccardo Schirone 2020-07-29 14:24:35 UTC
The fix for CVE-2020-1747 was to implement a blacklist that prevented some properties from being set when deserializing Python objects. However, it is still possible to bypass such a blacklist by carefully nesting objects.

Comment 12 Borja Tarraso 2020-08-18 06:20:53 UTC
Statement:

Ansible Tower 3.7 uses the affected version of PyYAML 3.12 from RHEL, but the use of load() is specified with a SafeLoader when it is called. So Ansible Tower and Ansible Engine are not affected.

Red Hat Quay 3.3 uses the vulnerable load function, but only to parse the Nginx configuration file, which only contains trusted data.

Even though the CVSSv3 for this flaw is 9.8, the Impact has been set to Moderate because PyYAML provides a specific method to deal with untrusted input, which is `yaml.safe_load`. `yaml.safe_load` or the SafeLoader loader should be used whenever the input YAML can be modified by a malicious user.

Comment 13 Riccardo Schirone 2020-09-24 08:09:34 UTC
Upstream opinion on the topic: https://github.com/yaml/pyyaml/issues/420#issuecomment-696752389

Comment 15 John Eckersberg 2021-01-15 14:15:07 UTC
Oops, sorry, closed the wrong bug.

Currently getting fixed in Fedora here - https://bugzilla.redhat.com/show_bug.cgi?id=1916496

Once it goes stable I'll update the fedora CVE bug.

Comment 16 Sam Fowler 2021-01-20 01:14:25 UTC
Upstream fix:

https://github.com/yaml/pyyaml/pull/472
