[Python-modules-team] Bug#772815: pyyaml: CVE-2014-9130

Scott Kitterman debian at kitterman.com
Fri Dec 12 14:02:01 UTC 2014


On Friday, December 12, 2014 08:17:17 AM Scott Kitterman wrote:
> On Friday, December 12, 2014 07:33:25 AM Salvatore Bonaccorso wrote:
> > Hi Scott,
> > 
> > On Thu, Dec 11, 2014 at 07:09:11AM -0500, Scott Kitterman wrote:
> > > On December 11, 2014 6:37:51 AM EST, Moritz Muehlenhoff <jmm at inutil.org> wrote:
> > > >Package: pyyaml
> > > >Severity: grave
> > > >Tags: security
> > > >
> > > >Hi,
> > > >CVE-2014-9130 from libyaml also affects pyyaml. I'm attaching a short
> > > >reproducer.
> > > 
> > > I'm away from any computer I could test this on today.
> > > 
> > > Is this still a problem with a fixed libyaml? Our pyyaml is built
> > > against it and I thought it didn't use the internal parser.
> > 
> > It seems so, and there was some discussion on the oss-security list
> > (also about if this should get a separate CVE for pyyaml)[0].
> > 
> >  [0] http://www.openwall.com/lists/oss-security/2014/11/28/8
> > 
> > On up-to-date unstable the reproducer gives:
> > 
> > Traceback (most recent call last):
> >   File "CVE-2014-9130.py", line 5, in <module>
...
> > 
> > save_possible_simple_key assert self.allow_simple_key or not required
> > AssertionError
> 
> In fact, there's an upstream commit to address it now:
> 
> https://bitbucket.org/xi/pyyaml/commits/ddf211a41bb231c365fece5599b7e484e6dc33fc
> 
> I'm happy to prepare an unstable update.  Do you know if it's decided if
> this gets a separate CVE number or not?
> 
> Scott K

Confirmed that with the upstream fix the assert is resolved and it's a regular 
error now:

Traceback (most recent call last):
  File "CVE-2014-9130.py", line 5, in <module>
    foo = yaml.load(stream)
  File "/usr/lib/python3/dist-packages/yaml/__init__.py", line 72, in load
    return loader.get_single_data()
  File "/usr/lib/python3/dist-packages/yaml/constructor.py", line 35, in get_single_data
    node = self.get_single_node()
  File "/usr/lib/python3/dist-packages/yaml/composer.py", line 36, in get_single_node
    document = self.compose_document()
  File "/usr/lib/python3/dist-packages/yaml/composer.py", line 55, in compose_document
    node = self.compose_node(None, None)
  File "/usr/lib/python3/dist-packages/yaml/composer.py", line 84, in compose_node
    node = self.compose_mapping_node(anchor)
  File "/usr/lib/python3/dist-packages/yaml/composer.py", line 133, in compose_mapping_node
    item_value = self.compose_node(node, item_key)
  File "/usr/lib/python3/dist-packages/yaml/composer.py", line 84, in compose_node
    node = self.compose_mapping_node(anchor)
  File "/usr/lib/python3/dist-packages/yaml/composer.py", line 127, in compose_mapping_node
    while not self.check_event(MappingEndEvent):
  File "/usr/lib/python3/dist-packages/yaml/parser.py", line 98, in check_event
    self.current_event = self.state()
  File "/usr/lib/python3/dist-packages/yaml/parser.py", line 439, in parse_block_mapping_key
    "expected <block end>, but found %r" % token.id, token.start_mark)
yaml.parser.ParserError: while parsing a block mapping
  in "CVE-2014-9130.yaml", line 2, column 4
expected <block end>, but found '<scalar>'
  in "CVE-2014-9130.yaml", line 3, column 4

I'll upload to unstable shortly.  If the CVE number changes, I guess we'll 
clean up the paperwork when/if it does.

Scott K
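A defensive loader for the situation this thread describes, as an added example that is not code from the bug report or from PyYAML: on a PyYAML that carries the upstream fix, a malformed block mapping surfaces as yaml.parser.ParserError (a YAMLError subclass carrying a position mark, as in the traceback above), so a handler written for yaml.YAMLError sees it, whereas the pre-fix AssertionError would have escaped that handler. The two documents below are constructed for the demonstration and are not the attached reproducer; the second one triggers the same "expected <block end>, but found '<scalar>'" ParserError shown above.

```python
# Added example (not from the bug report or PyYAML): parse untrusted YAML
# behind a handler for PyYAML's own error hierarchy and report where it failed.
import yaml

# Constructed inputs for the demonstration (not the attached reproducer).
GOOD_DOC = "server:\n  host: example.invalid\n  port: 8443\n"
# A second scalar after the quoted value: the parser is in block-mapping-key
# state, meets a SCALAR token and raises ParserError with
# "expected <block end>, but found '<scalar>'" (same class as the traceback).
BAD_DOC = 'server:\n  host: "example.invalid" extra\n  port: 8443\n'


def load_config(text):
    """Parse YAML text; return ("ok", data) or ("error", details).

    safe_load limits construction to plain YAML types. MarkedYAMLError
    (ScannerError, ParserError, ...) carries a problem string and a mark;
    the broader yaml.YAMLError clause catches the rest of the hierarchy.
    A bare AssertionError from the pre-fix scanner matches neither clause.
    """
    try:
        return "ok", yaml.safe_load(text)
    except yaml.MarkedYAMLError as exc:
        mark = exc.problem_mark
        return "error", {
            "type": type(exc).__name__,
            "problem": exc.problem,
            # Mark.line/column are 0-based; tracebacks print them 1-based.
            "line": mark.line + 1 if mark is not None else None,
            "column": mark.column + 1 if mark is not None else None,
        }
    except yaml.YAMLError as exc:
        return "error", {"type": type(exc).__name__, "problem": str(exc)}


if __name__ == "__main__":
    for doc in (GOOD_DOC, BAD_DOC):
        print(load_config(doc))
```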