Bug 14917

Summary: python-yaml new security issue CVE-2014-9130
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: makowski.mageia, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/624807/
Whiteboard: has_procedure advisory MGA4-64-OK MGA4-32-OK
Source RPM: python-yaml-3.10-5.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-12-30 18:19:47 CET 
Debian has issued an advisory on December 29:
https://www.debian.org/security/2014/dsa-3115

According to this message from MITRE in the discussion on oss-security, for python-yaml specifically, this is technically not CVE-2014-9130, and the question of whether it's actually a security issue was not resolved.  However, given that it's just the exact same bug as CVE-2014-9130, only written in Python instead of C, it's not apparent to me why it wouldn't be.

We previously dealt with this CVE in Bug 14689.  Fixing it in libyaml fixed it for most languages as they just used the C library, and the perl module had a copy of the same C code, so we had to fix that as well.  python-yaml has rewritten the same assertion in Python, so it needs to be fixed there as well (and Debian obviously agreed).

There's a lot more information in the Debian bug, including a PoC:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772815

Another PoC based on the ones from before would be:
#!/usr/bin/python
import yaml
mystr = " x: \"\n\"x"
for obj in yaml.parse(mystr):
    print obj

which when executed, gives output that ends in:
    assert self.allow_simple_key or not required
AssertionError

after the update it'll end with this regular error instead:
    "expected <block end>, but found %r" % token.id, token.start_mark)
yaml.parser.ParserError: while parsing a block mapping
  in "<string>", line 1, column 2:
     x: "
     ^
expected <block end>, but found '<scalar>'
  in "<string>", line 2, column 2:
    "x
     ^

Olivier also wrote a script to test general functionality here:
https://bugs.mageia.org/show_bug.cgi?id=14689#c5

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated python-yaml packages fix security vulnerability:

Jonathan Gray and Stanislaw Pitucha found an assertion failure in the way
wrapped strings are parsed in Python-YAML, a YAML parser and emitter for
Python. An attacker able to load specially crafted YAML input into an
application using python-yaml could cause the application to crash.

This issue is similar to CVE-2014-9130, but the assertion was independently
implemented in Python-YAML.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9130
http://advisories.mageia.org/MGASA-2014-0508.html
https://www.debian.org/security/2014/dsa-3115
========================

Updated packages in core/updates_testing:
========================
python-yaml-3.10-5.1.mga4
python3-yaml-3.10-5.1.mga4

from python-yaml-3.10-5.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-12-30 18:19:57 CET

Whiteboard: (none) => has_procedure MGA4-32-OK

Comment 1 Philippe Makowski 2015-01-03 18:52:48 CET 
test done

CC: (none) => makowski.mageia
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-64-OK MGA4-32-OK

Comment 2 claire robinson 2015-01-03 19:12:22 CET 
Thanks Philippe.

Validating. Advisory uploaded. The mitre url is included as a reference as no actual CVE is specified for this update.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 3 Mageia Robot 2015-01-05 17:31:08 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0004.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED