On Mon, May 18, 2020 at 6:56 AM Jack Ostroff <ostrof...@aya.yale.edu> wrote:
>
> Ben/sysadmins,

Hi Jack,

> git-kpull failed for me on Gentoo, due to an apparently long-open CVE
> for pyyaml. See https://bugs.gentoo.org/659348 for more information.
> The suggested fix (in comment 14 of that bug) is "you'll need to patch
> out those unsafe calls. Look for calls to "yaml.load()" and replace
> them with calls to "yaml.full_load()" (or "yaml.safe_load()" if you
> know what you're doing). See upstream issue #265
> [https://github.com/yaml/pyyaml/issues/265] for details.
>
> In my case, the single change on line 36 of git-kpull:
> - metadata = yaml.load( metadataFile )
> + metadata = yaml.full_load( metadataFile )
>
> I don't know enough python to know whether yaml.safe_load() would work
> or not and whether it would be any better or not.

Thanks for pointing this out. In our case the YAML files we have are very plain and basic, so should be totally fine with yaml.safe_load. I have now switched the scripts over to use that.

> Jack

Cheers,
Ben
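Review bot: the `+` line replaces `yaml.load( metadataFile )` with `yaml.full_load( metadataFile )`, which only exists in PyYAML 5.1 and later, so the script will raise AttributeError on an older pyyaml rather than fail safely. Since the metadata is plain key/value data, `yaml.safe_load( metadataFile )` is the stricter choice and is available in every pyyaml release, so it also removes the version dependency.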
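The Gentoo bug comment quoted above tells you to go looking for `yaml.load()` calls and replace them. Below is an added example, not code from git-kpull or from the kernel.org sysadmins, of a small stdlib-only scanner that does that hunt mechanically over a Python source tree. It uses the `ast` module rather than grep so it catches `import yaml as y`, `from yaml import load as yload`, a positional `Loader` argument, and a keyword `Loader=`; it classifies `Loader`/`UnsafeLoader`/no loader as unsafe, `FullLoader` as "review" (the loader the bug comment suggests, but one that has needed its own code-execution fixes in later 5.x releases, so prefer `SafeLoader` for plain data), and `SafeLoader`/`BaseLoader` as fine. The embedded `SAMPLE_SOURCE` is constructed for the demonstration and is not git-kpull's real code.

```python
import ast
import sys

# Constructed sample source (not git-kpull's real code). It mixes the call
# shapes the Gentoo bug comment tells you to look for.
SAMPLE_SOURCE = """\
import yaml
from yaml import load as yload

def read_metadata(metadata_file):
    metadata = yaml.load( metadata_file )                    # no Loader at all
    extra = yaml.load(metadata_file, Loader=yaml.FullLoader)  # full loader
    other = yaml.load(metadata_file, yaml.Loader)            # explicit unsafe Loader
    ok = yaml.safe_load(metadata_file)                       # fine
    alias = yload(metadata_file)                             # yaml.load via alias
    return metadata, extra, other, ok, alias
"""

# Loaders that only build plain Python data (dicts, lists, scalars).
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
# The loader the bug comment suggests: safer than Loader, but flagged for review.
REVIEW_LOADERS = {"FullLoader", "CFullLoader"}


def _simple_name(node):
    """Return 'SafeLoader' for both yaml.SafeLoader and bare SafeLoader, else None."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def _collect_names(tree):
    """Find every name under which the yaml module and yaml.load are imported."""
    yaml_modules, load_aliases = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "yaml":
                    yaml_modules.add(alias.asname or "yaml")
        elif isinstance(node, ast.ImportFrom) and node.module == "yaml":
            for alias in node.names:
                if alias.name == "load":
                    load_aliases.add(alias.asname or "load")
    return yaml_modules, load_aliases


def find_unsafe_yaml_loads(source, filename="<string>"):
    """Return sorted (lineno, severity, reason) for each yaml.load() call whose
    Loader is missing or is not a safe loader. safe_load/full_load are skipped."""
    tree = ast.parse(source, filename)
    yaml_modules, load_aliases = _collect_names(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        is_load = (
            isinstance(func, ast.Attribute) and func.attr == "load"
            and isinstance(func.value, ast.Name) and func.value.id in yaml_modules
        ) or (isinstance(func, ast.Name) and func.id in load_aliases)
        if not is_load:
            continue
        # Loader may be given as Loader=... or as the second positional argument.
        loader_node = None
        for kw in node.keywords:
            if kw.arg == "Loader":
                loader_node = kw.value
        if loader_node is None and len(node.args) >= 2:
            loader_node = node.args[1]
        if loader_node is None:
            findings.append((node.lineno, "unsafe",
                             "Loader omitted: unsafe Loader before PyYAML 5.1, "
                             "FullLoader with a warning in 5.x, TypeError in 6.0+"))
            continue
        loader = _simple_name(loader_node) or ast.dump(loader_node)
        if loader in SAFE_LOADERS:
            continue
        if loader in REVIEW_LOADERS:
            findings.append((node.lineno, "review",
                             f"Loader={loader}: prefer SafeLoader for plain data"))
        else:
            findings.append((node.lineno, "unsafe",
                             f"Loader={loader}: not a known safe loader"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python scan_yaml_load.py file1.py file2.py ...  (no args: scan the sample)
    paths = sys.argv[1:]
    if not paths:
        for line, severity, reason in find_unsafe_yaml_loads(SAMPLE_SOURCE, "<sample>"):
            print(f"<sample>:{line}: {severity}: {reason}")
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for line, severity, reason in find_unsafe_yaml_loads(fh.read(), path):
                print(f"{path}:{line}: {severity}: {reason}")
```

Run it over a checkout and every line it reports is a candidate for the `safe_load` change Ben describes; anything it reports as "review" is already using the loader the bug comment suggests and only needs a look at whether the data really requires more than plain scalars and containers.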