[Python-modules-team] Bug#772815: Bug#772815: Bug#772815: pyyaml: CVE-2014-9130

Scott Kitterman debian at kitterman.com
Fri Dec 12 13:17:17 UTC 2014 

On Friday, December 12, 2014 07:33:25 AM Salvatore Bonaccorso wrote:
> Hi Scott,
> 
> On Thu, Dec 11, 2014 at 07:09:11AM -0500, Scott Kitterman wrote:
> > On December 11, 2014 6:37:51 AM EST, Moritz Muehlenhoff <jmm at inutil.org> 
wrote:
> > >Package: pyyaml
> > >Severity: grave
> > >Tags: security
> > >
> > >Hi,
> > >CVE-2014-9130 from libyaml also affects pyyaml. I'm attaching a short
> > >reproducer.
> > 
> > I'm away from any computer I could test this on today.
> > 
> > Is this still a problem with a fixed libyaml?   Our pyyaml is built
> > against it and I thought didn't use the internal parser.
> 
> It seems so, and there was some discussion on the oss-security list
> (also about if this should get a separate CVE for pyyaml)[0].
> 
>  [0] http://www.openwall.com/lists/oss-security/2014/11/28/8
> 
> On up-to-date unstable the reproducer gives:
> 
> Traceback (most recent call last):
>   File "CVE-2014-9130.py", line 5, in <module>
>     foo = yaml.load(stream)
>   File "/usr/lib/python2.7/dist-packages/yaml/__init__.py", line 71, in load
> return loader.get_single_data()
>   File "/usr/lib/python2.7/dist-packages/yaml/constructor.py", line 37, in
> get_single_data node = self.get_single_node()
>   File "/usr/lib/python2.7/dist-packages/yaml/composer.py", line 36, in
> get_single_node document = self.compose_document()
>   File "/usr/lib/python2.7/dist-packages/yaml/composer.py", line 55, in
> compose_document node = self.compose_node(None, None)
>   File "/usr/lib/python2.7/dist-packages/yaml/composer.py", line 84, in
> compose_node node = self.compose_mapping_node(anchor)
>   File "/usr/lib/python2.7/dist-packages/yaml/composer.py", line 133, in
> compose_mapping_node item_value = self.compose_node(node, item_key)
>   File "/usr/lib/python2.7/dist-packages/yaml/composer.py", line 84, in
> compose_node node = self.compose_mapping_node(anchor)
>   File "/usr/lib/python2.7/dist-packages/yaml/composer.py", line 127, in
> compose_mapping_node while not self.check_event(MappingEndEvent):
>   File "/usr/lib/python2.7/dist-packages/yaml/parser.py", line 98, in
> check_event self.current_event = self.state()
>   File "/usr/lib/python2.7/dist-packages/yaml/parser.py", line 428, in
> parse_block_mapping_key if self.check_token(KeyToken):
>   File "/usr/lib/python2.7/dist-packages/yaml/scanner.py", line 116, in
> check_token self.fetch_more_tokens()
>   File "/usr/lib/python2.7/dist-packages/yaml/scanner.py", line 252, in
> fetch_more_tokens return self.fetch_plain()
>   File "/usr/lib/python2.7/dist-packages/yaml/scanner.py", line 672, in
> fetch_plain self.save_possible_simple_key()
>   File "/usr/lib/python2.7/dist-packages/yaml/scanner.py", line 302, in
> save_possible_simple_key assert self.allow_simple_key or not required
> AssertionError

In fact, there's an upstream commit to address it now:

https://bitbucket.org/xi/pyyaml/commits/ddf211a41bb231c365fece5599b7e484e6dc33fc

I'm happy to prepare an unstable update.  Do you know if it's decided if this 
gets a separate CVE number or not?

Scott K
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.alioth.debian.org/pipermail/python-modules-team/attachments/20141212/0a633f09/attachment.sig>

More information about the Python-modules-team mailing list