Your message dated Fri, 12 Dec 2014 15:40:11 +0000
with message-id <e1xzskb-00034c...@franck.debian.org>
and subject line Bug#772815: fixed in pyyaml 3.11-2
has caused the Debian Bug report #772815,
regarding pyyaml: CVE-2014-9130
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
772815: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772815
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pyyaml
Severity: grave
Tags: security
Hi,
CVE-2014-9130 from libyaml also affects pyyaml. I'm attaching a short
reproducer.
Cheers,
Moritz
import yaml
import codecs
with codecs.open('CVE-2014-9130.yaml', 'r') as stream:
    foo = yaml.load(stream)
    for key, value in foo.items():
        setattr(self, key, value)
abc:
def: 'xxx
' ghi: 'yyy'
--- End Message ---
--- Begin Message ---
Source: pyyaml
Source-Version: 3.11-2
We believe that the bug you reported is fixed in the latest version of
pyyaml, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 772...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Scott Kitterman <sc...@kitterman.com> (supplier of updated pyyaml package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 12 Dec 2014 08:35:37 -0500
Source: pyyaml
Binary: python-yaml python-yaml-dbg python3-yaml python3-yaml-dbg
Architecture: source amd64
Version: 3.11-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Scott Kitterman <sc...@kitterman.com>
Description:
 python-yaml - YAML parser and emitter for Python
 python-yaml-dbg - YAML parser and emitter for Python (debug build)
 python3-yaml - YAML parser and emitter for Python3
 python3-yaml-dbg - YAML parser and emitter for Python3 (debug build)
Closes: 772815
Changes:
 pyyaml (3.11-2) unstable; urgency=medium
 .
   * Backport security fix for Reachable Assertion security issue (potential
     remote DoS) - CVE-2014-9130 (Closes: #772815)
     - Add debian/patches/CVE-2014-9130-invalid-key-assert.diff
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---