[Pkg-linaro-lava-devel] Bug#988998: lava: autopkgtest needs update for new version of pyyaml

Stefano Rivera stefanor at debian.org
Sun May 23 00:42:55 BST 2021

Hi Paul (2021.05.22_15:22:35_-0400)
> Currently this regression is blocking the migration of pyyaml to testing
> [1]. Of course, pyyaml shouldn't just break your autopkgtest (or even
> worse, your package), but it seems to me that the change in pyyaml was
> intended and your package needs to update to the new situation.

Yeah, intended. The unsafe load functions in pyyaml had some obvious
remote code execution paths blocked, by disabling loading some types of
Python object.

That's a backwards-incompatible change, but made for security reasons.

Back-story in: https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation

The Ubuntu patch is the minimal solution to the problem. Replacing
.load() with .unsafe_load() or Loader=UnsafeLoader.

Ideally, anything that handles untrusted input (not sure if that's an
issue in Lava) should use the safe load functions. But those can't load
all types of object.


Stefano Rivera
  +1 415 683 3272

More information about the Pkg-linaro-lava-devel mailing list