Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

The attached debdiff shows the fix for CVE-2017-2810. The package is
available here:

http://sid.gplhost.com/stretch-proposed-updates/python-tablib/

The security team thinks we should go for a stretch-pu. Please allow me
to upload the fix.

Should I upload the .changes including the orig file?

Cheers,

Thomas Goirand (zigo)
diff -Nru python-tablib-0.9.11/debian/changelog 
python-tablib-0.9.11/debian/changelog
--- python-tablib-0.9.11/debian/changelog       2013-05-12 14:21:10.000000000 
+0200
+++ python-tablib-0.9.11/debian/changelog       2017-10-24 21:15:19.000000000 
+0200
@@ -1,3 +1,9 @@
+python-tablib (0.9.11-2+deb9u1) stretch; urgency=low
+
+  * CVE-2017-2810: apply upstream patch: use safe load (Closes: #864818).
+
+ -- Thomas Goirand <z...@debian.org>  Tue, 24 Oct 2017 21:15:19 +0200
+
 python-tablib (0.9.11-2) unstable; urgency=low
 
   * Uploading to unstable.
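Review bot: the changelog line `+  * CVE-2017-2810: apply upstream patch: use safe load` does not say what the bug is; for a stable update the entry should state that `tablib/formats/_yaml.py` called `yaml.load()` on the imported stream, which lets a crafted YAML file instantiate arbitrary Python objects, and that it now uses `yaml.safe_load()`. Also consider `urgency=medium` instead of `urgency=low`, which is the usual choice for an upload whose only change is a CVE fix.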
diff -Nru python-tablib-0.9.11/debian/patches/CVE-2017-2810-use_safe_load.patch 
python-tablib-0.9.11/debian/patches/CVE-2017-2810-use_safe_load.patch
--- python-tablib-0.9.11/debian/patches/CVE-2017-2810-use_safe_load.patch       
1970-01-01 01:00:00.000000000 +0100
+++ python-tablib-0.9.11/debian/patches/CVE-2017-2810-use_safe_load.patch       
2017-10-24 21:15:19.000000000 +0200
@@ -0,0 +1,17 @@
+Description: use safe load
+Author: Kenneth Reitz <m...@kennethreitz.org>
+Origin: 
https://github.com/kennethreitz/tablib/commit/69abfc3ada5d754cb152119c0b4777043657cb6e
+Bug-Debian: https://bugs.debian.org/864818
+Last-Update: 2017-10-24
+
+--- python-tablib-0.9.11.orig/tablib/formats/_yaml.py
++++ python-tablib-0.9.11/tablib/formats/_yaml.py
+@@ -46,7 +46,7 @@ def import_book(dbook, in_stream):
+ 
+     dbook.wipe()
+ 
+-    for sheet in yaml.load(in_stream):
++    for sheet in yaml.safe_load(in_stream):
+         data = tablib.Dataset()
+         data.title = sheet['title']
+         data.dict = sheet['data']
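Review bot: the patch carries a single hunk (`@@ -46,7 +46,7 @@ def import_book`) and so only hardens `import_book`; check whether `tablib/formats/_yaml.py` in 0.9.11 also calls `yaml.load` in its Dataset importer (`import_set`), and if it does, take the upstream commit named in `Origin:` in full, otherwise the Dataset import path keeps the same unsafe deserialization. `yaml.safe_load` is present in the PyYAML that stretch ships, so the change needs no new dependency, but it is worth a quick `yaml.safe_load` round-trip on a sample book to confirm the importer still produces the same `title`/`data` structure after the switch.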
diff -Nru python-tablib-0.9.11/debian/patches/series 
python-tablib-0.9.11/debian/patches/series
--- python-tablib-0.9.11/debian/patches/series  1970-01-01 01:00:00.000000000 
+0100
+++ python-tablib-0.9.11/debian/patches/series  2017-10-24 21:15:19.000000000 
+0200
@@ -0,0 +1 @@
+CVE-2017-2810-use_safe_load.patch
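Review bot: `debian/patches/series` is created by this debdiff (the old-side timestamp is the epoch), so this is the package's first quilt patch; confirm `debian/source/format` is `3.0 (quilt)` (or that `debian/rules` applies the series itself), otherwise the patch is listed but never applied at build time. A test build against 0.9.11 will also confirm the hunk applies at the stated `-46,7` offset without fuzz.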

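The following is an added example, not code from the debdiff, the bug report, or tablib itself. It shows why the one-line `yaml.load` to `yaml.safe_load` change above is a security fix: with the full PyYAML loader (what `yaml.load(in_stream)` meant before PyYAML 5.1), a crafted "book" can make the importer call an arbitrary importable Python function, whereas `yaml.safe_load` refuses the tag. It assumes PyYAML is installed; the two YAML documents are constructed here, and `import_book` is a reduced mirror of the patched loop, not tablib's own function.

```python
"""Added example: yaml.load vs yaml.safe_load on an attacker-controlled book.

Assumes PyYAML (import yaml). Everything below is constructed for the demo.
"""
import yaml

# Constructed malicious book. The !!python/object/apply tag tells the full
# loader to import `os`, call getcwd() and place the result in the document.
# A real payload would name something like os.system; a harmless callable is
# used here so the demo can run anywhere.
MALICIOUS_BOOK = """
- title: sheet1
  data: !!python/object/apply:os.getcwd []
"""

# Constructed benign book in the shape tablib's YAML exporter produces.
BENIGN_BOOK = """
- title: sheet1
  data:
    - a: 1
"""


def load_unsafe(doc):
    """Full loader: constructs python/* tags (pre-5.1 default of yaml.load)."""
    return yaml.load(doc, Loader=yaml.Loader)


def load_safe(doc):
    """Safe loader: builds only plain data (str, int, list, dict, ...)."""
    return yaml.safe_load(doc)


def import_book(in_stream, safe=True):
    """Reduced mirror of the patched import_book loop: one (title, data)
    tuple per sheet. `safe=False` reproduces the pre-patch behaviour."""
    loader = load_safe if safe else load_unsafe
    return [(sheet["title"], sheet["data"]) for sheet in loader(in_stream)]


def unsafe_loader_runs_callable():
    """True if the full loader actually executed os.getcwd() for us."""
    sheets = import_book(MALICIOUS_BOOK, safe=False)
    return isinstance(sheets[0][1], str)


def safe_loader_rejects_payload():
    """True if safe_load refuses the python/object/apply tag."""
    try:
        import_book(MALICIOUS_BOOK, safe=True)
    except yaml.constructor.ConstructorError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe loader executed callable:", unsafe_loader_runs_callable())
    print("safe loader rejected payload:   ", safe_loader_rejects_payload())
    print("benign book via safe loader:    ", import_book(BENIGN_BOOK))
```

The benign book loads identically through both loaders, which is why the patch is behaviour-preserving for legitimate input; only documents that carry Python-specific tags change from "executes" to "raises".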