Debian has issued an advisory on December 29:
https://www.debian.org/security/2014/dsa-3115

According to this message from MITRE in the discussion on oss-security, for python-yaml specifically, this is technically not CVE-2014-9130, and the question of whether it's actually a security issue was not resolved. However, given that it's just the exact same bug as CVE-2014-9130, only written in Python instead of C, it's not apparent to me why it wouldn't be.

We previously dealt with this CVE in Bug 14689. Fixing it in libyaml fixed it for most languages as they just used the C library, and the perl module had a copy of the same C code, so we had to fix that as well. python-yaml has rewritten the same assertion in Python, so it needs to be fixed there as well (and Debian obviously agreed).

There's a lot more information in the Debian bug, including a PoC:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772815

Another PoC based on the ones from before would be:

    #!/usr/bin/python
    import yaml
    mystr = " x: \"\n\"x"
    for obj in yaml.parse(mystr):
        print obj

which when executed, gives output that ends in:

        assert self.allow_simple_key or not required
    AssertionError

after the update it'll end with this regular error instead:

        "expected <block end>, but found %r" % token.id, token.start_mark)
    yaml.parser.ParserError: while parsing a block mapping
      in "<string>", line 1, column 2:
         x: "
         ^
    expected <block end>, but found '<scalar>'
      in "<string>", line 2, column 2:
        "x
         ^

Olivier also wrote a script to test general functionality here:
https://bugs.mageia.org/show_bug.cgi?id=14689#c5

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated python-yaml packages fix security vulnerability:

Jonathan Gray and Stanislaw Pitucha found an assertion failure in the way wrapped strings are parsed in Python-YAML, a YAML parser and emitter for Python. An attacker able to load specially crafted YAML input into an application using python-yaml could cause the application to crash.

This issue is similar to CVE-2014-9130, but the assertion was independently implemented in Python-YAML.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9130
http://advisories.mageia.org/MGASA-2014-0508.html
https://www.debian.org/security/2014/dsa-3115
========================

Updated packages in core/updates_testing:
========================
python-yaml-3.10-5.1.mga4
python3-yaml-3.10-5.1.mga4

from python-yaml-3.10-5.1.mga4.src.rpm
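A regression check built around the PoC input above, added here as an example and not part of the bug report or of python-yaml: it runs the installed parser over the report's string and tells the unpatched AssertionError apart from the patched ParserError. The names `classify` and `check_installed_pyyaml` are assumptions of this example.

```python
"""Regression check for the python-yaml assertion failure described above."""

# The PoC string quoted in the report: a wrapped double-quoted scalar
# followed by a plain scalar in the mapping's own indentation column.
POC = " x: \"\n\"x"


def classify(parse_events, text, parse_error):
    """Drive an event parser over `text` and report how it ended.

    parse_events: callable returning an iterable of events (yaml.parse).
    parse_error:  exception base class for clean rejection (yaml.YAMLError).
    """
    try:
        for _event in parse_events(text):
            pass
    except AssertionError:
        # An internal invariant was reachable from input: the unpatched case.
        return "vulnerable"
    except parse_error:
        # Malformed input reported through the library's own error type.
        return "patched"
    return "accepted"


def check_installed_pyyaml(samples=(POC,)):
    """Classify each sample against the PyYAML that is installed here."""
    import yaml  # imported lazily so classify() is usable without PyYAML
    return {s: classify(yaml.parse, s, yaml.YAMLError) for s in samples}


if __name__ == "__main__":
    import sys
    results = check_installed_pyyaml()
    for sample, verdict in results.items():
        print("%-12s %r" % (verdict, sample))
    # Non-zero exit lets a QA script or CI job fail on an unfixed package.
    sys.exit(1 if "vulnerable" in results.values() else 0)
```

Applications that parse untrusted YAML on a version that may still be unpatched can use the same distinction: catching only `yaml.YAMLError` does not cover the assertion path.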
Whiteboard: (none) => has_procedure MGA4-32-OK
test done
CC: (none) => makowski.mageia
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-64-OK MGA4-32-OK
Thanks Philippe.

Validating. Advisory uploaded. The MITRE URL is included as a reference as no actual CVE is specified for this update.

Please push to 4 updates.

Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0004.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED