On Friday, December 12, 2014 07:33:25 AM Salvatore Bonaccorso wrote: > Hi Scott, > > On Thu, Dec 11, 2014 at 07:09:11AM -0500, Scott Kitterman wrote: > > On December 11, 2014 6:37:51 AM EST, Moritz Muehlenhoff <j...@inutil.org> wrote: > > >Package: pyyaml > > >Severity: grave > > >Tags: security > > > > > >Hi, > > >CVE-2014-9130 from libyaml also affects pyyaml. I'm attaching a short > > >reproducer. > > > > I'm away from any computer I could test this on today. > > > > Is this still a problem with a fixed libyaml? Our pyyaml is built > > against it and I thought didn't use the internal parser. > > It seems so, and there was some discussion on the oss-security list > (also about if this should get a separate CVE for pyyaml)[0]. > > [0] http://www.openwall.com/lists/oss-security/2014/11/28/8 > > On up-to-date unstable the reproducer gives: > > Traceback (most recent call last): > File "CVE-2014-9130.py", line 5, in <module> > foo = yaml.load(stream) > File "/usr/lib/python2.7/dist-packages/yaml/__init__.py", line 71, in load > return loader.get_single_data() > File "/usr/lib/python2.7/dist-packages/yaml/constructor.py", line 37, in > get_single_data node = self.get_single_node() > File "/usr/lib/python2.7/dist-packages/yaml/composer.py", line 36, in > get_single_node document = self.compose_document() > File "/usr/lib/python2.7/dist-packages/yaml/composer.py", line 55, in > compose_document node = self.compose_node(None, None) > File "/usr/lib/python2.7/dist-packages/yaml/composer.py", line 84, in > compose_node node = self.compose_mapping_node(anchor) > File "/usr/lib/python2.7/dist-packages/yaml/composer.py", line 133, in > compose_mapping_node item_value = self.compose_node(node, item_key) > File "/usr/lib/python2.7/dist-packages/yaml/composer.py", line 84, in > compose_node node = self.compose_mapping_node(anchor) > File "/usr/lib/python2.7/dist-packages/yaml/composer.py", line 127, in > compose_mapping_node while not self.check_event(MappingEndEvent): > File "/usr/lib/python2.7/dist-packages/yaml/parser.py", line 98, in > check_event self.current_event = self.state() > File "/usr/lib/python2.7/dist-packages/yaml/parser.py", line 428, in > parse_block_mapping_key if self.check_token(KeyToken): > File "/usr/lib/python2.7/dist-packages/yaml/scanner.py", line 116, in > check_token self.fetch_more_tokens() > File "/usr/lib/python2.7/dist-packages/yaml/scanner.py", line 252, in > fetch_more_tokens return self.fetch_plain() > File "/usr/lib/python2.7/dist-packages/yaml/scanner.py", line 672, in > fetch_plain self.save_possible_simple_key() > File "/usr/lib/python2.7/dist-packages/yaml/scanner.py", line 302, in > save_possible_simple_key assert self.allow_simple_key or not required > AssertionError
In fact, there's an upstream commit to address it now: https://bitbucket.org/xi/pyyaml/commits/ddf211a41bb231c365fece5599b7e484e6dc33fc I'm happy to prepare an unstable update. Do you know if it's decided if this gets a separate CVE number or not? Scott K
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ Python-modules-team mailing list Python-modules-team@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team
