[Pkg-linaro-lava-devel] Bug#988998: lava: autopkgtest needs update for new version of pyyaml
Stefano Rivera
stefanor at debian.org
Sun May 23 00:42:55 BST 2021
Hi Paul (2021.05.22_15:22:35_-0400)
> Currently this regression is blocking the migration of pyyaml to testing
> [1]. Of course, pyyaml shouldn't just break your autopkgtest (or even
> worse, your package), but it seems to me that the change in pyyaml was
> intended and your package needs to update to the new situation.
Yeah, intended. The unsafe load functions in pyyaml had some obvious
remote code execution paths blocked, by disabling loading some types of
Python object.
That's a backwards-incompatible change, but made for security reasons.
Back-story in: https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
The Ubuntu patch is the minimal solution to the problem: replacing
.load() with .unsafe_load() or Loader=UnsafeLoader.
Ideally, anything that handles untrusted input (not sure if that's an
issue in Lava) should use the safe load functions. But those can't load
all types of object.
SR
--
Stefano Rivera
http://tumbleweed.org.za/
+1 415 683 3272
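An added example (not Stefano's, Lava's or pyyaml's own code) showing the difference the thread describes: SafeLoader refuses a python/* tag outright, UnsafeLoader accepts it, and the middle ground for a document that legitimately needs one non-standard type is a SafeLoader subclass with that single tag allow-listed rather than a wholesale switch to unsafe_load(). The sample documents and the JobLoader name are constructed for the example; it assumes PyYAML 5.1 or later, where UnsafeLoader exists.

```python
import yaml
from yaml.constructor import ConstructorError

# Constructed sample documents (not taken from the Lava test suite).
PLAIN = "job:\n  name: smoke\n  timeout: 30\n"
TAGGED = "job:\n  name: smoke\n  device_ids: !!python/tuple [1, 2]\n"


class JobLoader(yaml.SafeLoader):
    """SafeLoader with exactly one extra tag allow-listed (hypothetical).

    SafeLoader has no constructor for any python/* tag, so it raises on
    them. Registering a constructor on a subclass keeps yaml.SafeLoader
    itself untouched (add_constructor copies the table for the subclass)
    and still leaves every other python/* tag rejected.
    """


def _construct_tuple(loader, node):
    # Build a plain tuple from the sequence node; no import, no call.
    return tuple(loader.construct_sequence(node))


JobLoader.add_constructor("tag:yaml.org,2002:python/tuple", _construct_tuple)


def load_result(text, loader_cls):
    """Return ("ok", data) if loader_cls accepts text, else ("rejected", why)."""
    try:
        return ("ok", yaml.load(text, Loader=loader_cls))
    except ConstructorError as exc:
        # exc.problem names the tag the loader could not construct
        return ("rejected", exc.problem)


def compare(text):
    """Load text under the three loaders discussed in the thread."""
    return {
        "safe": load_result(text, yaml.SafeLoader),
        "allowlisted": load_result(text, JobLoader),
        "unsafe": load_result(text, yaml.UnsafeLoader),
    }


if __name__ == "__main__":
    for name, outcome in compare(TAGGED).items():
        print(f"{name:12s} {outcome}")
```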