On Friday, December 12, 2014 08:17:17 AM Scott Kitterman wrote: > On Friday, December 12, 2014 07:33:25 AM Salvatore Bonaccorso wrote: > > Hi Scott, > > > > On Thu, Dec 11, 2014 at 07:09:11AM -0500, Scott Kitterman wrote: > > > On December 11, 2014 6:37:51 AM EST, Moritz Muehlenhoff <j...@inutil.org> > > wrote: > > > >Package: pyyaml > > > >Severity: grave > > > >Tags: security > > > > > > > >Hi, > > > >CVE-2014-9130 from libyaml also affects pyyaml. I'm attaching a short > > > >reproducer. > > > > > > I'm away from any computer I could test this on today. > > > > > > Is this still a problem with a fixed libyaml? Our pyyaml is built > > > against it and I thought didn't use the internal parser. > > > > It seems so, and there was some discussion on the oss-security list > > (also about if this should get a separate CVE for pyyaml)[0]. > > > > [0] http://www.openwall.com/lists/oss-security/2014/11/28/8 > > > > On up-to-date unstable the reproducer gives: > > > > Traceback (most recent call last): > > File "CVE-2014-9130.py", line 5, in <module> ... > > > > save_possible_simple_key assert self.allow_simple_key or not required > > AssertionError > > In fact, there's an upstream commit to address it now: > > https://bitbucket.org/xi/pyyaml/commits/ddf211a41bb231c365fece5599b7e484e6dc > 33fc > > I'm happy to prepare an unstable update. Do you know if it's decided if > this gets a separate CVE number or not? > > Scott K
Confirmed that with the upstream fix the assert is resolved and it's a regular
error now:
Traceback (most recent call last):
File "CVE-2014-9130.py", line 5, in <module>
foo = yaml.load(stream)
File "/usr/lib/python3/dist-packages/yaml/__init__.py", line 72, in load
return loader.get_single_data()
File "/usr/lib/python3/dist-packages/yaml/constructor.py", line 35, in
get_single_data
node = self.get_single_node()
File "/usr/lib/python3/dist-packages/yaml/composer.py", line 36, in
get_single_node
document = self.compose_document()
File "/usr/lib/python3/dist-packages/yaml/composer.py", line 55, in
compose_document
node = self.compose_node(None, None)
File "/usr/lib/python3/dist-packages/yaml/composer.py", line 84, in
compose_node
node = self.compose_mapping_node(anchor)
File "/usr/lib/python3/dist-packages/yaml/composer.py", line 133, in
compose_mapping_node
item_value = self.compose_node(node, item_key)
File "/usr/lib/python3/dist-packages/yaml/composer.py", line 84, in
compose_node
node = self.compose_mapping_node(anchor)
File "/usr/lib/python3/dist-packages/yaml/composer.py", line 127, in
compose_mapping_node
while not self.check_event(MappingEndEvent):
File "/usr/lib/python3/dist-packages/yaml/parser.py", line 98, in
check_event
self.current_event = self.state()
File "/usr/lib/python3/dist-packages/yaml/parser.py", line 439, in
parse_block_mapping_key
"expected <block end>, but found %r" % token.id, token.start_mark)
yaml.parser.ParserError: while parsing a block mapping
in "CVE-2014-9130.yaml", line 2, column 4
expected <block end>, but found '<scalar>'
in "CVE-2014-9130.yaml", line 3, column 4
I'll upload to unstable shortly. If the CVE number changes, I guess we'll
clean up the paperwork when/if it does.
Scott K
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ Python-modules-team mailing list Python-modules-team@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team
