Bug 1709598 (CVE-2019-10135) - CVE-2019-10135 osbs-client: Object injection through insecure use of yaml.load() function
Summary: CVE-2019-10135 osbs-client: Object injection through insecure use of yaml.loa...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2019-10135
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20190615,repor...
Depends On: 1722329
Blocks: 1709600
Reported: 2019-05-13 22:58 UTC by Pedro Sampaio
Modified: 2019-06-26 14:13 UTC (History)

Fixed In Version: osbs-client 0.56.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in osbs-client prior to version 0.56.1: insecure use of the yaml.load() function allowed a user to load arbitrary objects, leading to code execution via the parsing of malicious YAML files.
Clone Of:
Environment:
Last Closed: 2019-06-25 13:05:05 UTC



Description Pedro Sampaio 2019-05-13 22:58:49 UTC
A flaw was found in osbs-client. yaml.load() is used for insecure user input instead of yaml.load_safe(). Thus osbs-client allows loading any suspicious objects given by the user.
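As an added illustration of the flaw described in this report (not code from osbs-client or the bug), the snippet below parses a constructed YAML document with the full `yaml.Loader` and with `yaml.safe_load()`: the former instantiates a Python object named by a `!!python/object/apply` tag, the latter rejects it. The target `builtins.set` is a harmless builtin chosen to make the object construction visible, and the `classify` helper is hypothetical.

```python
# Added illustration of the osbs-client flaw: yaml.load() with the full
# (unsafe) Loader instantiates Python objects named in YAML tags, while
# yaml.safe_load() only builds plain YAML types and rejects such tags.
import yaml

# Constructed sample input: a small config of the kind a build client might
# parse, with one value carrying PyYAML's python/object/apply tag. The tag
# names a harmless builtin (set) so the object construction is visible
# without side effects.
TAGGED_DOC = """\
name: example-build
payload: !!python/object/apply:builtins.set
  - [a, b, c]
"""

# The same config without the tag, as ordinary untrusted input should look.
PLAIN_DOC = """\
name: example-build
payload: [a, b, c]
"""


def load_unsafe(text):
    """Vulnerable pattern: yaml.Loader honours python/* tags.

    Before PyYAML 5.1 a bare yaml.load(text), as used in osbs-client,
    defaulted to this Loader."""
    return yaml.load(text, Loader=yaml.Loader)


def load_safe(text):
    """Hardened pattern: SafeLoader constructs only str/int/list/dict/etc."""
    return yaml.safe_load(text)


def classify(text):
    """Hypothetical helper: report whether SafeLoader accepts the document,
    and what it produced or why it was rejected."""
    try:
        data = load_safe(text)
    except yaml.YAMLError as exc:
        return "rejected", type(exc).__name__
    return "accepted", data


if __name__ == "__main__":
    # Unsafe path: the tagged value became a real Python set object.
    print(load_unsafe(TAGGED_DOC)["payload"])
    print(classify(TAGGED_DOC))
    print(classify(PLAIN_DOC))
```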

Comment 3 Sam Fowler 2019-05-14 00:53:39 UTC
Acknowledgments:

Name: Martin Bašti (Red Hat)

Comment 6 Dave Baker 2019-05-14 19:02:35 UTC
Upstream is: https://github.com/projectatomic/osbs-client

Comment 7 Dave Baker 2019-05-14 19:10:52 UTC
epel-6 (osbs-client-0.24-1.el6.src.rpm) and epel-7 (osbs-client-0.32-1.el7.src.rpm) both predate the problematic code, introduced in Jan 2018 with "import yaml"

Comment 8 Sam Fowler 2019-05-15 01:25:08 UTC
yaml.load() was first introduced in version 0.46:

https://github.com/projectatomic/osbs-client/commit/2fb16f95208ba02670fd389644b2f94963b18970

Comment 9 Sam Fowler 2019-06-20 05:23:22 UTC
Upstream Fix:

https://github.com/containerbuildsystem/osbs-client/pull/865

Comment 10 Sam Fowler 2019-06-20 05:28:38 UTC
Created osbs-client tracking bugs for this issue:

Affects: fedora-all [bug 1722329]
