Bug 26405 - python-yaml new security issue CVE-2020-1747
Summary: python-yaml new security issue CVE-2020-1747
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-04-01 00:20 CEST by David Walser
Modified: 2020-04-03 00:50 CEST

See Also:
Source RPM: python-yaml-5.1.2-3.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2020-04-01 00:20:29 CEST
Fedora has issued an advisory on March 27:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/

The issue is fixed upstream in 5.3.1.

Mageia 7 is also affected.
David Walser 2020-04-01 00:20:51 CEST

Status comment: (none) => Fixed upstream in 5.3.1
CC: (none) => bruno, jani.valimaa

Comment 1 David GEIGER 2020-04-01 06:14:30 CEST
Done for both Cauldron and mga7!

CC: (none) => geiger.david68210

Comment 2 David Walser 2020-04-01 22:23:33 CEST
Advisory:
========================

Updated python-yaml packages fix security vulnerability:

A vulnerability was discovered in the PyYAML library, where it is susceptible
to arbitrary code execution when it processes untrusted YAML files through the
full_load method or with the FullLoader loader. Applications that use the
library to process untrusted input may be vulnerable to this flaw. An attacker
could use this flaw to execute arbitrary code on the system by abusing the
python/object/new constructor (CVE-2020-1747).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1747
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/
========================

Updated packages in core/updates_testing:
========================
python2-yaml-5.3.1-1.mga7
python3-yaml-5.3.1-1.mga7

from python-yaml-5.3.1-1.mga7.src.rpm

Version: Cauldron => 7
Assignee: python => qa-bugs
Status comment: Fixed upstream in 5.3.1 => (none)
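
The advisory names the loader (full_load / FullLoader) and the constructor (python/object/new) that were abused, and the fixed release (5.3.1). The script below is an added example written for this bug report; it is not code from PyYAML, Mageia, ansible or rednotebook, and it contains no exploit. It shows the pre-flight handling an application that accepts YAML from users would want: a textual check that refuses any python-specific tag (and can log where it appeared), a version check against the 5.3.1 threshold from the advisory, and parsing with safe_load rather than full_load. The two sample documents are constructed for the example; the function names are the author's own. The `__main__` section additionally needs PyYAML installed, the rest runs without it.

```python
"""Pre-flight handling of untrusted YAML in an application that depends on PyYAML.

Added example for this bug, not code from PyYAML, Mageia, ansible or rednotebook.
It assumes only what the advisory states: python-specific tags (the
python/object/new constructor among them) are how PyYAML's full_load/FullLoader
could be driven to run code before 5.3.1, so untrusted documents must never
carry them and must be parsed with safe_load. The loader names and the 5.3.1
threshold come from the advisory; everything else here is illustrative.
"""
import re
from typing import List, Tuple

# Both spellings of a python-specific tag: the "!!python/..." shorthand and the
# verbatim "!<tag:yaml.org,2002:python/...>" form PyYAML also accepts.
PYTHON_TAG_RE = re.compile(r"!!python/|!<tag:yaml\.org,2002:python/")

# Constructed sample input: a configuration an application might accept as an upload.
CLEAN_DOC = """\
service:
  name: diary-sync
  retries: 3
  tags: [office, diary]
"""

# Constructed sample input: same shape, but two values carry the tag family the
# advisory names. There is deliberately no payload here; the check is that the
# tags themselves never reach a loader that would honour them.
TAGGED_DOC = """\
service:
  name: diary-sync
  retries: !!python/object/new:int [3]
  tags: !<tag:yaml.org,2002:python/tuple> [office, diary]
"""


def find_python_tags(document: str) -> List[Tuple[int, str]]:
    """Return (line number, line) for each line that carries a python/ tag.

    This is a textual pre-filter suitable for logging and alerting; it is not a
    YAML parser (a %TAG directive could alias the prefix, and a tag inside a
    quoted string would be flagged), so it complements safe_load rather than
    replacing it.
    """
    return [
        (lineno, line)
        for lineno, line in enumerate(document.splitlines(), start=1)
        if PYTHON_TAG_RE.search(line)
    ]


def fullloader_affected(version: str) -> bool:
    """True when a PyYAML version string is below the fixed release 5.3.1.

    Accepts forms such as "5.1.2", "5.3" or "6.0". Releases before 5.1 have no
    FullLoader at all; their plain yaml.load() was the unsafe loader, so they
    are reported as affected as well.
    """
    parts = []
    for piece in version.split(".")[:3]:
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts) < (5, 3, 1)


def load_untrusted(document: str):
    """Parse YAML from an untrusted source.

    Refuses any python/ tag before parsing (so the refusal can be logged with a
    line number), then uses yaml.safe_load, whose SafeLoader has no constructor
    for those tags regardless of the installed PyYAML version. full_load,
    FullLoader and the unsafe loaders are never used on this path.
    """
    hits = find_python_tags(document)
    if hits:
        lineno, line = hits[0]
        raise ValueError(f"python-specific YAML tag refused at line {lineno}: {line.strip()}")
    import yaml  # PyYAML; imported here so the checks above work without it installed
    return yaml.safe_load(document)


if __name__ == "__main__":
    import yaml  # PyYAML is required for this demonstration part only

    print("installed PyYAML", yaml.__version__,
          "- FullLoader affected by CVE-2020-1747:", fullloader_affected(yaml.__version__))
    print("clean document:", load_untrusted(CLEAN_DOC))
    try:
        load_untrusted(TAGGED_DOC)
    except ValueError as exc:
        print("tagged document:", exc)
    # Same tagged document through the two stock loaders: SafeLoader raises,
    # FullLoader resolves the tags and builds Python objects from them.
    try:
        yaml.safe_load(TAGGED_DOC)
    except yaml.YAMLError as exc:
        print("safe_load:", type(exc).__name__)
    print("full_load:", yaml.full_load(TAGGED_DOC))
```

Run it as `python3 preflight_yaml.py` on a host with the updated python3-yaml installed: the version line reports whether the installed release is below 5.3.1, the clean document parses, the tagged one is refused before any loader sees it, and the last two lines show why the choice of loader matters even on a fixed release (safe_load rejects the python/ tags outright, full_load still constructs Python objects from them).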

Comment 3 Len Lawrence 2020-04-02 12:02:14 CEST
mga7, x86_64

No PoC found for CVE-2020-1747
Went straight ahead and updated the packages.

Used by ansible and rednotebook.

Referring to earlier bug https://bugs.mageia.org/show_bug.cgi?id=23242 for tests based on the tutorial at https://pyyaml.org/wiki/PyYAMLDocumentation.

The test scripts for python and python3 succeeded for the first seven tests then failed on test 8, just as before.

Easier to test rednotebook than ansible.  Installed rednotebook and updated the system menus.  Found it under Office in Applications and launched it OK.
Closed it and ran it from the command-line under strace.  Made an entry for today and saved it then added a photo, viewed the text and picture in the preview and saved it again.  Closed down.  Checked ~/.rednotebook/diary to see that the new entry had been saved.  It was there and python-yaml appeared in the trace.  So that looks good.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Comment 4 Thomas Andrews 2020-04-02 17:17:31 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-04-03 00:17:45 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 5 Mageia Robot 2020-04-03 00:50:01 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0155.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

