Bug 28205

Summary: python-yaml new security issue CVE-2020-14343
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: andrewsfarm, geiger.david68210, herman.viaene, mageia, ouaurelien, sysadmin-bugs, zombie_ryushu
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7-64-OK
Source RPM: python-yaml-5.3.1-1.mga8.src.rpm
CVE: CVE-2020-14343
Status comment:

Description David Walser 2021-01-23 19:58:22 CET
Fedora has issued an advisory today (January 23):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MMQXSZXNJT6ERABJZAAICI3DQSQLCP3D/

The issue is fixed upstream in 5.4 (Fedora updated to 5.4.1).

Mageia 7 is also affected.
David Walser 2021-01-23 19:58:41 CET

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 5.4

Comment 1 Lewis Smith 2021-01-23 21:35:51 CET
Unsure whether this sort of thing should go to individual developers, or the Python group. CC'ing DavidG who did last update.

CC: (none) => geiger.david68210
Assignee: bugsquad => python

Comment 2 Nicolas Lécureuil 2021-01-24 09:50:31 CET
fixed in cauldron

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
CC: (none) => mageia

Comment 3 David Walser 2021-01-24 13:03:21 CET
Patched in python-yaml-5.3.1-2.mga8.

Comment 4 Zombie Ryushu 2021-02-20 09:39:34 CET
*** Bug 28386 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu

Comment 5 Nicolas Lécureuil 2021-03-04 18:46:32 CET
patch added in mga7: 

src:
    - python-yaml-5.3.1-1.1.mga7

Assignee: python => qa-bugs
Status comment: Fixed upstream in 5.4 => (none)

Comment 6 David Walser 2021-03-04 22:30:58 CET
RPMs:
python2-yaml-5.3.1-1.1.mga7
python3-yaml-5.3.1-1.1.mga7

Comment 7 David Walser 2021-03-05 00:49:17 CET
Advisory:
========================

Updated python-yaml packages fix security vulnerability:

A vulnerability was discovered in the PyYAML library, where it is susceptible
to arbitrary code execution when it processes untrusted YAML files through the
full_load method or with the FullLoader loader. Applications that use the
library to process untrusted input may be vulnerable to this flaw. This flaw
allows an attacker to execute arbitrary code on the system by abusing the
python/object/new constructor. This flaw is due to an incomplete fix for
CVE-2020-1747 (CVE-2020-14343).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14343
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MMQXSZXNJT6ERABJZAAICI3DQSQLCP3D/
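
As an added example (not code from the bug report, from Mageia, or from PyYAML), a loader guard that keeps untrusted YAML on safe_load instead of the full_load/FullLoader path named in the advisory, plus a tag scan that reports python/* tags for review. The YAML samples and the example.Handler name are constructed.

```python
"""Added example: guard untrusted YAML against the python/* constructors."""
import re

try:
    import yaml  # PyYAML; only the safe_load path needs it
except ImportError:  # the tag scan still works without it
    yaml = None

# Any '!!python/...' tag (object, object/new, object/apply, name, module ...)
# is only meaningful to PyYAML's Python-specific constructors; none of them
# belongs in data accepted from an untrusted source.
PYTHON_TAG = re.compile(r"!!python/[A-Za-z_/]+(?::[\w.]+)?")


def pyyaml_available():
    return yaml is not None


def find_python_tags(text):
    """Return (line_number, tag) for every Python-specific tag in the text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PYTHON_TAG.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits


def load_untrusted(text):
    """Parse YAML from an untrusted source with the safe constructor set only.

    safe_load registers no python/* constructors, so a document carrying such
    a tag fails with ConstructorError instead of instantiating an object.
    """
    if yaml is None:
        raise RuntimeError("PyYAML is not installed")
    return yaml.safe_load(text)


def safe_load_rejects(text):
    """True if safe_load refuses the document because of an unknown tag."""
    if yaml is None:
        raise RuntimeError("PyYAML is not installed")
    try:
        load_untrusted(text)
    except yaml.constructor.ConstructorError:
        return True
    return False


# Constructed samples: a benign config and one carrying the tag named in the advisory
BENIGN = "service: web\nreplicas: 3\n"
TAGGED = "service: web\nhandler: !!python/object/new:example.Handler {}\n"
```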
Comment 8 Herman Viaene 2021-03-08 14:45:10 CET
MGA7-64 MATE on Peaq C1011
No installation issues.
Ref bug 23242 for tests: testfiles all failed with tracebacks given, not my cup of tea.
Resorted to using rednotebook as referred to in bug 23242 Comment 14 and that worked OK: added some text and a picture to the journal, closed and reopened it: seems OK

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 9 Thomas Andrews 2021-03-08 17:01:02 CET
Validating. Advisory in Comment 7.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 10 Aurelien Oudelet 2021-03-11 22:16:24 CET
Advisory committed to SVN.

CVE: (none) => CVE-2020-14343
CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 11 Mageia Robot 2021-03-12 02:27:23 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0119.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED