Bug 1860466 (CVE-2020-14343) - CVE-2020-14343 PyYAML: incomplete fix for CVE-2020-1747
Summary: CVE-2020-14343 PyYAML: incomplete fix for CVE-2020-1747
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-14343
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1860468 1860469 1860470 Red Hat1861784 Red Hat1861785 Red Hat1910657 Red Hat1941794 Red Hat1943254 Red Hat1949044 Red Hat1967303
Blocks: Embargoed1860471
TreeView+ depends on / blocked
 
Reported: 2020-07-24 17:18 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-12-14 18:47 UTC (History)
39 users (show)

Fixed In Version: PyYAML 5.4
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in the PyYAML library, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
Clone Of:
Environment:
Last Closed: 2021-06-29 16:40:23 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2583 0 None None None 2021-06-29 16:01:25 UTC
Red Hat Product Errata RHSA-2021:4702 0 None None None 2021-11-16 14:07:51 UTC

Description Guilherme de Almeida Suckevicz 2020-07-24 17:18:31 UTC 
The fix made in PyYAML for CVE-2020-1747 was not sufficient to resolve the issue.

Reference:
https://github.com/yaml/pyyaml/issues/420
Comment 1 Guilherme de Almeida Suckevicz 2020-07-24 17:34:13 UTC 
Created PyYAML tracking bugs for this issue:

Affects: fedora-all [bug 1860469]


Created python2-pyyaml tracking bugs for this issue:

Affects: epel-all [bug 1860470]


Created python3-PyYAML tracking bugs for this issue:

Affects: epel-all [bug 1860468]
Comment 2 Summer Long 2020-07-27 02:07:52 UTC 
OpenStack: set to 'notaffected' because the packaged RHOSP version (PyYAML-3.10-11.el7) doesn't have the FullLoader code (lib/yaml/loader.py and constructor.py).
Comment 6 Riccardo Schirone 2020-07-29 13:34:15 UTC 
Mitigation:

Use `yaml.safe_load` or the SafeLoader loader when you parse untrusted input.
Comment 7 Riccardo Schirone 2020-07-29 13:41:22 UTC 
FullLoader, which is the class where this vulnerability lies, was introduced in upstream version 5.1.
Comment 8 Riccardo Schirone 2020-07-29 14:24:35 UTC 
The fix for CVE-2020-1747 was to implement a blacklist that prevented some properties to be set when deserializing python objects. However, it is still possible to bypass such blacklist by carefully nesting objects.
Comment 13 Riccardo Schirone 2020-09-24 08:09:34 UTC 
Upstream opinion on the topic: https://github.com/yaml/pyyaml/issues/420#issuecomment-696752389 .
Comment 15 John Eckersberg 2021-01-15 14:15:07 UTC 
Oops sorry closed the wrong bug.

Currently getting fixed in Fedora here - https://bugzilla.redhat.com/show_bug.cgi?id=1916496

Once it goes stable I'll update the fedora CVE bug.
Comment 16 Sam Fowler 2021-01-20 01:14:25 UTC 
Upstream fix:

https://github.com/yaml/pyyaml/pull/472
Comment 22 Jason Shepherd 2021-04-16 06:02:54 UTC 
Statement:

Ansible Tower 3.7 uses affected version of PyYAML 3.12 from RHEL, but the use of load() is specified with a SafeLoader when it is called. So Ansible Tower and Ansible Engine are not affected.

Red Hat Quay, from version 3.4 uses the safe_load function which is not affected by this issue. See [1].

Even though the CVSSv3 for this flaw is 9.8, the Impact has been set to Moderate because PyYAML provides a specific method to deal with untrusted input, which is `yaml.safe_load`. `yaml.safe_load` or the SafeLoader loader should be used whenever the input YAML can be modified by a malicious user.

[1] https://github.com/quay/quay/pull/603
Comment 28 errata-xmlrpc 2021-06-29 16:01:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2583 https://access.redhat.com/errata/RHSA-2021:2583
Comment 29 Product Security DevOps Team 2021-06-29 16:40:23 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14343
Comment 30 errata-xmlrpc 2021-11-16 14:07:49 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702
Note You need to log in before you can comment on or make changes to this bug.