[Python-modules-team] Bug#772815: Bug#772815: pyyaml: CVE-2014-9130

Salvatore Bonaccorso carnil at debian.org
Fri Dec 12 06:33:25 UTC 2014

Hi Scott,

On Thu, Dec 11, 2014 at 07:09:11AM -0500, Scott Kitterman wrote:
> On December 11, 2014 6:37:51 AM EST, Moritz Muehlenhoff <jmm at inutil.org> wrote:
> >Package: pyyaml
> >Severity: grave
> >Tags: security
> >
> >Hi,
> >CVE-2014-9130 from libyaml also affects pyyaml. I'm attaching a short
> >reproducer.
> I'm away from any computer I could test this on today. 
> Is this still a problem with a fixed libyaml?   Our pyyaml is built
> against it and I thought didn't use the internal parser. 

It seems so, and there was some discussion on the oss-security list
(also about if this should get a separate CVE for pyyaml)[0].

 [0] http://www.openwall.com/lists/oss-security/2014/11/28/8

On up-to-date unstable the reproducer gives:

Traceback (most recent call last):
  File "CVE-2014-9130.py", line 5, in <module>
    foo = yaml.load(stream)
  File "/usr/lib/python2.7/dist-packages/yaml/__init__.py", line 71, in load
    return loader.get_single_data()
  File "/usr/lib/python2.7/dist-packages/yaml/constructor.py", line 37, in get_single_data
    node = self.get_single_node()
  File "/usr/lib/python2.7/dist-packages/yaml/composer.py", line 36, in get_single_node
    document = self.compose_document()
  File "/usr/lib/python2.7/dist-packages/yaml/composer.py", line 55, in compose_document
    node = self.compose_node(None, None)
  File "/usr/lib/python2.7/dist-packages/yaml/composer.py", line 84, in compose_node
    node = self.compose_mapping_node(anchor)
  File "/usr/lib/python2.7/dist-packages/yaml/composer.py", line 133, in compose_mapping_node
    item_value = self.compose_node(node, item_key)
  File "/usr/lib/python2.7/dist-packages/yaml/composer.py", line 84, in compose_node
    node = self.compose_mapping_node(anchor)
  File "/usr/lib/python2.7/dist-packages/yaml/composer.py", line 127, in compose_mapping_node
    while not self.check_event(MappingEndEvent):
  File "/usr/lib/python2.7/dist-packages/yaml/parser.py", line 98, in check_event
    self.current_event = self.state()
  File "/usr/lib/python2.7/dist-packages/yaml/parser.py", line 428, in parse_block_mapping_key
    if self.check_token(KeyToken):
  File "/usr/lib/python2.7/dist-packages/yaml/scanner.py", line 116, in check_token
  File "/usr/lib/python2.7/dist-packages/yaml/scanner.py", line 252, in fetch_more_tokens
    return self.fetch_plain()
  File "/usr/lib/python2.7/dist-packages/yaml/scanner.py", line 672, in fetch_plain
  File "/usr/lib/python2.7/dist-packages/yaml/scanner.py", line 302, in save_possible_simple_key
    assert self.allow_simple_key or not required


More information about the Python-modules-team mailing list