Bug 2253085 (CVE-2023-49297) - CVE-2023-49297 pydrive2: potential arbitrary code execution via unsafe YAML deserialization
Summary: CVE-2023-49297 pydrive2: potential arbitrary code execution via unsafe YAML d...
Keywords:
Status: NEW
Alias: CVE-2023-49297
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2253086
Blocks:
Reported: 2023-12-05 23:05 UTC by Robb Gatica
Modified: 2023-12-05 23:07 UTC (History)
0 users

Fixed In Version: pydrive2 1.16.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Robb Gatica 2023-12-05 23:05:45 UTC
PyDrive2 is a wrapper library of google-api-python-client that simplifies many common Google Drive API V2 tasks. Unsafe YAML deserialization will result in arbitrary code execution. A maliciously crafted YAML file can cause arbitrary code execution if PyDrive2 is run in the same directory as it, or if it is loaded in via `LoadSettingsFile`. This is a deserialization attack that will affect any user who initializes GoogleAuth from this package while a malicious YAML file is present in the same directory. This vulnerability does not require the file to be directly loaded through the code, only present. This issue has been addressed in commit `c57355dc` which is included in release version `1.16.2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

https://github.com/iterative/PyDrive2/commit/c57355dc2033ad90b7050d681b2c3ba548ff0004
https://github.com/iterative/PyDrive2/security/advisories/GHSA-v5f6-hjmf-9mc5
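A triage check for the condition the description gives (a crafted YAML file merely present in the working directory), as an added example that is not part of the bug report or of PyDrive2: it flags YAML files that carry PyYAML's Python-object tags, which only an unsafe loader acts on. The function names and the sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Tag spellings that make an unsafe PyYAML loader build Python objects:
#   !!python/...                    (secondary-handle shorthand)
#   tag:yaml.org,2002:python/...    (verbatim tag, or the target of a %TAG alias)
PYTHON_TAG = re.compile(rb"!!python/|tag:yaml\.org,2002:python/")
YAML_SUFFIXES = {".yaml", ".yml"}


def scan_file(path):
    """Return (line_number, text) for every line carrying a python/* tag."""
    hits = []
    with open(path, "rb") as fh:
        for lineno, line in enumerate(fh, 1):
            if PYTHON_TAG.search(line):
                hits.append((lineno, line.strip().decode("utf-8", "replace")))
    return hits


def scan_directory(directory):
    """Map file name -> hits for YAML files directly inside `directory`."""
    report = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file() and path.suffix.lower() in YAML_SUFFIXES:
            hits = scan_file(path)
            if hits:
                report[path.name] = hits
    return report


def demo():
    """Run the scan over constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Constructed samples; the tagged callable (time.time) is harmless.
        (d / "clean.yaml").write_text("example_key: value\n")
        (d / "tagged.yaml").write_text("a: 1\nb: !!python/object/apply:time.time []\n")
        (d / "aliased.yml").write_text(
            "%TAG !p! tag:yaml.org,2002:python/\n---\nb: !p!name:time.time\n")
        (d / "notes.txt").write_text("!!python/ mentioned in a non-YAML file\n")
        return scan_directory(d)


if __name__ == "__main__":
    for name, hits in demo().items():
        for lineno, text in hits:
            print(f"{name}:{lineno}: {text}")
```

A hit is a prompt for manual review, not proof of malice, and the scan only covers files ending in `.yaml` or `.yml` directly inside the given directory.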

Comment 1 Robb Gatica 2023-12-05 23:05:58 UTC
Created PyDrive2 tracking bugs for this issue:

Affects: fedora-all [bug 2253086]

Comment 2 Robb Gatica 2023-12-05 23:07:14 UTC
depcli -a pydrive2
fedora-all/duplicity=new
fedora-all/PyDrive2=new

