[Python-modules-team] Bug#933920: src:python-markdown: Unsafe use of yaml.load()

Dmitry Shachnev mitya57 at debian.org
Mon Aug 5 19:32:08 BST 2019


Hi Scott!

On Mon, Aug 05, 2019 at 01:32:46AM -0400, Scott Kitterman wrote:
> Package: src:python-markdown
> Version: 3.0.1-3
> Severity: grave
> Tags: security
> Justification: user security hole
>
> The new version of pyyaml no longer allows use of yaml.load() without a
> loader being specified.  This raises a deprecation warning which has
> caused an autopkgtest failure on this package.  These are generally
> trivial to fix, see the upstream guidance [1].

I will now fix the use of yaml.load() for compatibility with pyyaml 5.1
(by uploading the new upstream release to unstable), but the new version
will still use unsafe_load(). Please see this upstream change:

https://github.com/Python-Markdown/markdown/pull/806

As the upstream comment explains, “We use unsafe_load because users may
need to pass in actual Python objects. As this is only available from
the CLI, the user has much worse problems if an attacker can use this
as an attack vector”.

--
Dmitry Shachnev
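For readers of the thread who want to see the concrete difference between the two loaders that the discussion above turns on, here is an added example. It is not part of the e-mail exchange and is not code from python-markdown or PyYAML; it assumes PyYAML 5.1 or later (where yaml.safe_load() and yaml.unsafe_load() both exist), and the two YAML documents in it are constructed for the demonstration. The hostile document uses a benign os.getcwd() call so that it is safe to run; an attacker controlling the input would substitute os.system or subprocess.Popen.

```python
"""Added example: yaml.safe_load() versus yaml.unsafe_load().

Not code from python-markdown or PyYAML. Assumes PyYAML >= 5.1.
"""
import os

try:
    import yaml
    HAVE_YAML = True
except ImportError:  # PyYAML not installed: helpers report False/None below
    yaml = None
    HAVE_YAML = False

# Constructed document using the "python/object/apply" tag. An unsafe loader
# calls os.getcwd() while *parsing*; nothing downstream has to do anything.
HOSTILE_DOC = "title: demo\ncwd: !!python/object/apply:os.getcwd []\n"

# Constructed plain document: only core YAML types, accepted by every loader.
BENIGN_DOC = "title: demo\ntags: [a, b]\n"


def load_safely(doc):
    """Parse with SafeLoader: only str/int/float/bool/list/dict/None/dates
    are constructed. Returns the parsed value, or None when the document
    carries a tag SafeLoader refuses (yaml.constructor.ConstructorError)."""
    if not HAVE_YAML:
        return None
    try:
        return yaml.safe_load(doc)
    except yaml.constructor.ConstructorError:
        return None


def load_with_explicit_loader(doc):
    """The pyyaml 5.1 style call the bug report asks for: yaml.load() with a
    Loader named explicitly. With SafeLoader this is the same as safe_load()."""
    if not HAVE_YAML:
        return None
    try:
        return yaml.load(doc, Loader=yaml.SafeLoader)
    except yaml.constructor.ConstructorError:
        return None


def load_unsafely(doc):
    """Parse with the full (unsafe) loader: python/* tags are honoured, so the
    document can invoke arbitrary Python. Only defensible for input written by
    the same user who runs the program, which is the CLI argument quoted from
    the python-markdown pull request above."""
    if not HAVE_YAML:
        return None
    return yaml.unsafe_load(doc)


def parsing_ran_python(doc):
    """True if merely parsing `doc` with the unsafe loader executed Python
    (here: os.getcwd(), whose result we can recognise)."""
    result = load_unsafely(doc)
    return bool(result) and result.get("cwd") == os.getcwd()


if __name__ == "__main__":
    print("safe_load, benign  :", load_safely(BENIGN_DOC))
    print("safe_load, hostile :", load_safely(HOSTILE_DOC))       # None: refused
    print("unsafe_load, hostile ran code:", parsing_ran_python(HOSTILE_DOC))
```

With PyYAML installed, the safe loader returns the benign mapping and rejects the hostile document outright, while the unsafe loader silently calls os.getcwd() during parsing; replacing that tag target with os.system is all an attacker needs if untrusted YAML ever reaches unsafe_load().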