Bug 1595743 (CVE-2017-18342) - CVE-2017-18342 PyYAML: yaml.load() API could execute arbitrary code
Summary: CVE-2017-18342 PyYAML: yaml.load() API could execute arbitrary code
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-18342
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1595744 1595745 1595746 1595747 1602323 1602324 1692215 1821777 1821778
Blocks: 1595749
TreeView+ depends on / blocked
 
Reported: 2018-06-27 13:21 UTC by Andrej Nemec
Modified: 2021-12-06 10:01 UTC (History)
32 users (show)

Fixed In Version: PyYAML 5.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-25 09:46:22 UTC


Attachments (Terms of Use)

Description Andrej Nemec 2018-06-27 13:21:09 UTC
It was found that using yaml.load() API on untrusted input could lead to arbitrary code execution.

References:

http://seclists.org/oss-sec/2018/q2/240

Comment 1 Andrej Nemec 2018-06-27 13:21:58 UTC
Created PyYAML tracking bugs for this issue:

Affects: fedora-all [bug 1595744]


Created python2-pyyaml tracking bugs for this issue:

Affects: epel-all [bug 1595745]


Created python3-PyYAML tracking bugs for this issue:

Affects: epel-all [bug 1595746]

Comment 3 Andrej Nemec 2018-06-27 13:24:36 UTC
Pull request:

https://github.com/yaml/pyyaml/pull/74

Comment 4 Petr Viktorin 2018-06-27 13:28:09 UTC
PyYAML should be updated to >= 4.1, where `yaml.load()` has been changed to call `yaml.safe_load()`.

Comment 5 Jason Tibbitts 2018-06-27 15:53:01 UTC
Note that the EPEL python2-pyyaml package doesn't contain anything at all.  It just depends on the RHEL python-pyyaml package, and allows packagers to use dependencies on python2-pyyaml on all releases.

Comment 6 Miro Hrončok 2018-06-29 08:45:21 UTC
Also note that the fact that yaml.load() is not safe has been known for centuries, so please don't rush with this fix:

 * the fix changes API very much (even nonobviously [1])
 * the released version 4.1 was removed from PyPI, causing troubles [2]

[1] https://github.com/yaml/pyyaml/issues/187
[2] https://github.com/yaml/pyyaml/issues/192

Comment 7 Joshua Padman 2018-07-02 00:04:56 UTC
Changing the severity to Moderate, as previously noted the lack of safety in `yaml.load()` has been known for a considerable time.

Comment 13 Petr Viktorin 2018-08-27 15:30:33 UTC
The [upstream documentation] says:

> Warning: It is not safe to call yaml.load with any data received from an untrusted source! yaml.load is as powerful as pickle.load and so may call any Python function. Check the yaml.safe_load function though.


This has been known since around 2013 (see e.g. [0]). However, it's part of a stable API, so it's not easy to change.

The 4.1 release, which fixes this, was recalled by upstream. So, there currently is no upstream fix released for the CVE.


[upstream documentation]: https://pyyaml.org/wiki/PyYAMLDocumentation#loading-yaml
[0]: https://nedbatchelder.com/blog/201302/war_is_peace.html

Comment 14 John Eckersberg 2019-03-13 19:13:54 UTC
5.1 GA released today finally fixes this - https://mail.python.org/pipermail/python-list/2019-March/739937.html

Comment 15 John Eckersberg 2019-03-13 19:52:44 UTC
(In reply to John Eckersberg from comment #14)
> 5.1 GA released today finally fixes this -
> https://mail.python.org/pipermail/python-list/2019-March/739937.html

I should clarify this a bit.  The "fix" is to deprecate using yaml.load without explicitly specifying the Loader parameter.  Using it without specifying Loader will now print a deprecation warning, but ultimately the code will still function the same as it always has.

For all the details, see https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation

Comment 16 Joshua Padman 2019-03-25 03:02:36 UTC
PyYAML is used in Red Hat OpenStack, however, there are no circumstances where this vulnerability is exposed or would be readily exploitable. It has been known for a considerable amount of time that yaml.load() is unsafe and was included in the Bandit test suite over 3 years ago. Bandit was an OpenStack tool created to find common security issues in python code. This has allowed them to be mindful of these types of vulnerabilities and avoid them.

Red Hat OpenStack included the library in it's own repository for the benefit of the OpenStack client tools. The package provided is currently the same version as provided by RHEL 7. OpenStack installations will consume fixes from the enabled RHEL repositories.

Comment 18 Joshua Padman 2019-03-25 03:33:01 UTC
Statement:

PyYAML in channels for Red Hat MRG Messaging 2 should no longer be used, as a newer version is now available in Red Hat Enterprise Linux. Newer packages should be consumed from Red Hat Enterprise Linux channels.

This issue affects the versions of the PyYAML package as shipped with Red Hat Satellite 5. However, this flaw is not known to be exploitable under any supported scenario in Satellite 5. A future update may address this issue.

The PyYAML libary that is provided in the Red Hat OpenStack repositories is vulnerable. However, there are no instances where this library is used in a way which exposes the vulnerability. Any updates will be through the RHEL channels.


Note You need to log in before you can comment on or make changes to this bug.