[Python-modules-team] Bug#902878: pyyaml: CVE-2017-18342: still not completely fixed

Scott Kitterman debian at kitterman.com
Mon Aug 5 07:40:10 BST 2019


On Thu, 11 Jul 2019 10:16:48 +0300 merkys at debian.org wrote:
> Hello,
> 
> According to [1] the unsafe loader yaml.UnsafeLoader is still
> vulnerable, and could be used upon request. While strictly speaking the
> vulnerability is fixed by using safe reader by default, I assume
> complete safety can only be achieved by disabling the yaml.UnsafeLoader.
> 
> Best,
> Andrius
> 
> [1] https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation

As far as I've checked, all yaml parsers have an unsafe option.  It's 
perfectly appropriate to use on sanitized input.  It's up to the calling 
library to do it correctly.  The change requires explicit selection of a 
loader, so any program using the unsafe loader will be doing it on purpose.  
Whether they do it well or poorly is up to the calling program, not pyyaml.

The fixed version, 5.1.2-1, is now in sid.  I just filed 7 RC bugs for packages I 
found that had been using the unsafe loader, so I really think this will do 
it.

Scott K
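The audit Scott describes (finding packages that call pyyaml without choosing a loader, or that pick an unrestricted one on purpose) can be done mechanically over source code. The following is an added example, not code from this thread or from pyyaml: an `ast`-based scanner that flags `yaml.load`/`yaml.load_all` calls with no explicit `Loader` and calls that select a loader other than `SafeLoader`/`CSafeLoader`, plus the `unsafe_load`/`full_load` convenience functions. It assumes the loader class names PyYAML documents (`Loader`, `UnsafeLoader`, `FullLoader`, `SafeLoader` and their `C` variants); the sample source it scans is constructed for the demonstration and only needs the standard library to run.

```python
import ast
from dataclasses import dataclass
from typing import List, Optional

# Loader classes that resolve more tags than SafeLoader and so deserve review
# when the input is not fully trusted. Names follow PyYAML's documented
# classes; SafeLoader and CSafeLoader are deliberately absent (assumption:
# the project uses these standard names and not a custom subclass).
REVIEW_LOADERS = {
    "Loader", "CLoader",
    "UnsafeLoader", "CUnsafeLoader",
    "FullLoader", "CFullLoader",
}

# Convenience wrappers that imply one of the loaders above.
REVIEW_FUNCTIONS = {
    "yaml.unsafe_load", "yaml.unsafe_load_all",
    "yaml.full_load", "yaml.full_load_all",
}


@dataclass
class Finding:
    lineno: int
    call: str
    reason: str


def _dotted_name(node: ast.AST) -> str:
    """Render `yaml.load` / `yaml.SafeLoader` style expressions as text."""
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    if isinstance(node, ast.Name):
        return node.id
    return ""


def _loader_class(node: ast.AST) -> Optional[str]:
    """Last component of the Loader expression: yaml.UnsafeLoader -> UnsafeLoader."""
    name = _dotted_name(node)
    return name.rsplit(".", 1)[-1] if name else None


def audit_yaml_calls(source: str) -> List[Finding]:
    """Return every yaml.load-family call in `source` that needs a second look."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        callee = _dotted_name(node.func)

        if callee in ("yaml.load", "yaml.load_all"):
            loader = None
            # Loader may be passed as a keyword or as the second positional arg.
            for kw in node.keywords:
                if kw.arg == "Loader":
                    loader = _loader_class(kw.value)
            if loader is None and len(node.args) >= 2:
                loader = _loader_class(node.args[1])

            if loader is None:
                findings.append(Finding(node.lineno, callee,
                                        "no explicit Loader argument"))
            elif loader in REVIEW_LOADERS:
                findings.append(Finding(node.lineno, callee,
                                        f"explicitly selects {loader}"))

        elif callee in REVIEW_FUNCTIONS:
            findings.append(Finding(node.lineno, callee,
                                    "convenience function implies a non-safe loader"))

    findings.sort(key=lambda f: f.lineno)
    return findings


# Constructed sample module exercising each case the scanner distinguishes.
SAMPLE_SOURCE = '''
import yaml
cfg = yaml.load(open("settings.yml"))
data = yaml.load(text, Loader=yaml.SafeLoader)
obj = yaml.load(text, Loader=yaml.UnsafeLoader)
obj2 = yaml.load(text, yaml.Loader)
docs = yaml.load_all(text, Loader=yaml.FullLoader)
safe = yaml.safe_load(text)
raw = yaml.unsafe_load(text)
'''

if __name__ == "__main__":
    for f in audit_yaml_calls(SAMPLE_SOURCE):
        print(f"line {f.lineno}: {f.call}: {f.reason}")
```

Run over a package's `.py` files, this reproduces the triage in the message: calls that pass `Loader=yaml.SafeLoader` are left alone, calls with no loader at all are the ones the 5.1 change forces a decision on, and calls that name `UnsafeLoader` are the deliberate uses whose input handling the calling program has to justify.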


