[Python-modules-team] Bug#953013: Bug#953013: pyyaml: CVE-2020-1747: arbitrary command execution through python/object/new when FullLoader is used

Moritz Mühlenhoff jmm at inutil.org
Tue Mar 3 20:45:39 GMT 2020


On Tue, Mar 03, 2020 at 12:15:09PM -0500, Scott Kitterman wrote:
> On Tuesday, March 3, 2020 11:41:26 AM EST Salvatore Bonaccorso wrote:
> 
> OK.  If anyone has a reproducer for this, it'd be very helpful to sort it out.
> 
> I think this is like the recent CVE for python-bleach where the affected code 
> didn't exist in the older releases, but the issue was still demonstrable.  I 
> suspect that pyyaml << 5.1 will still have this problem even with the 
> SafeLoader, since the FullLoader shares code with the older SafeLoader.
> 
> I can see how to adapt the upstream pull request to the 3.X releases, but I 
> agree it's not clear what the regression risk would be.  I decided to leave 
> the security tracker alone for now too.

In comparable cases in the past (can't name specific cases, but it has happened
multiple times for sure) where divergent interfaces were affected, this typically
led to two CVE IDs. I don't think anyone is really up to deal with the bureaucracy
involved, though.

As for the regression impact I can't tell. If there's a fix which is agreed to
be non-risky and fixes the security issue, we can simply apply it independent
of the whole CVE discussion.

Cheers,
        Moritz
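The thread above turns on which loader resolves `python/...` tags (FullLoader, and, per Scott's suspicion, the older SafeLoader in pyyaml << 5.1). As an added defensive example, not code from the bug report or from pyyaml, here is a pre-filter that scans untrusted YAML text for python-specific tags before any loader sees it, so a deployment can reject such documents regardless of which pyyaml version and loader is in use. The regex, the helper names and the sample documents are constructed for illustration; `load_untrusted` assumes pyyaml is installed and uses its real `yaml.safe_load`.

```python
import re

# Constructed sample documents (not taken from the bug report).
BENIGN_DOC = "name: example\nports:\n  - 80\n  - 443\n"
# A harmless python-specific tag in short form: SafeLoader refuses it,
# which is the behaviour the pre-filter reproduces for any loader.
TAGGED_DOC = "name: example\npair: !!python/tuple [1, 2]\n"
# The same tag written in the verbose "tag:yaml.org,2002:" form.
VERBOSE_DOC = "name: example\npair: !<tag:yaml.org,2002:python/tuple> [1, 2]\n"

# Matches either spelling of a python/* tag. The scan is deliberately
# conservative: a '!!python/' inside a quoted scalar also matches, which
# for a reject-before-load filter is an acceptable false positive.
PYTHON_TAG_RE = re.compile(
    r"!!python/[\w./:-]*"              # short form, e.g. !!python/tuple
    r"|!<tag:yaml\.org,2002:python/[^>]*>"  # verbose form
)


def find_python_tags(text: str) -> list[str]:
    """Return every python-specific tag literal found in the YAML text."""
    return PYTHON_TAG_RE.findall(text)


def is_safe_to_load(text: str) -> bool:
    """True when the document carries no python/* tags at all."""
    return not find_python_tags(text)


def load_untrusted(text: str):
    """Reject documents with python/* tags, then parse with SafeLoader.

    The pre-filter makes the policy independent of the loader's own tag
    resolution; yaml.safe_load (assumed installed) is still used so that
    a tag the regex misses is handled by the safe constructor set.
    """
    tags = find_python_tags(text)
    if tags:
        raise ValueError(f"refusing to load YAML with python tags: {tags}")
    import yaml  # real pyyaml API; imported lazily so the scan works without it
    return yaml.safe_load(text)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC), ("tagged", TAGGED_DOC),
                       ("verbose", VERBOSE_DOC)):
        print(label, "safe" if is_safe_to_load(doc) else
              f"rejected {find_python_tags(doc)}")
```

Run the pre-filter at the trust boundary (wherever YAML from users, repositories or the network enters the process) and keep `safe_load` as the parser behind it; the two layers together cover both the backport question in this thread (which loader resolves the tag) and the general case of a loader being swapped later.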
