Bug 28205 - python-yaml new security issue CVE-2020-14343
Summary: python-yaml new security issue CVE-2020-14343
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Duplicates: 28386
Depends on:
Blocks:
 
Reported: 2021-01-23 19:58 CET by David Walser
Modified: 2021-03-12 02:27 CET

See Also:
Source RPM: python-yaml-5.3.1-1.mga8.src.rpm
CVE: CVE-2020-14343
Status comment:



Description David Walser 2021-01-23 19:58:22 CET
Fedora has issued an advisory today (January 23):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MMQXSZXNJT6ERABJZAAICI3DQSQLCP3D/

The issue is fixed upstream in 5.4 (Fedora updated to 5.4.1).

Mageia 7 is also affected.
David Walser 2021-01-23 19:58:41 CET

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 5.4

Comment 1 Lewis Smith 2021-01-23 21:35:51 CET
Unsure whether this sort of thing should go to individual developers, or the Python group. CC'ing DavidG who did last update.

CC: (none) => geiger.david68210
Assignee: bugsquad => python

Comment 2 Nicolas Lécureuil 2021-01-24 09:50:31 CET
fixed in cauldron

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
CC: (none) => mageia

Comment 3 David Walser 2021-01-24 13:03:21 CET
Patched in python-yaml-5.3.1-2.mga8.
Comment 4 Zombie Ryushu 2021-02-20 09:39:34 CET
*** Bug 28386 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu

Comment 5 Nicolas Lécureuil 2021-03-04 18:46:32 CET
patch added in mga7: 

src:
    - python-yaml-5.3.1-1.1.mga7

Assignee: python => qa-bugs
Status comment: Fixed upstream in 5.4 => (none)

Comment 6 David Walser 2021-03-04 22:30:58 CET
RPMs:
python2-yaml-5.3.1-1.1.mga7
python3-yaml-5.3.1-1.1.mga7
Comment 7 David Walser 2021-03-05 00:49:17 CET
Advisory:
========================

Updated python-yaml packages fix security vulnerability:

A vulnerability was discovered in the PyYAML library, where it is susceptible
to arbitrary code execution when it processes untrusted YAML files through the
full_load method or with the FullLoader loader. Applications that use the
library to process untrusted input may be vulnerable to this flaw. This flaw
allows an attacker to execute arbitrary code on the system by abusing the
python/object/new constructor. This flaw is due to an incomplete fix for
CVE-2020-1747 (CVE-2020-14343).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14343
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MMQXSZXNJT6ERABJZAAICI3DQSQLCP3D/
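As an added illustration of the defensive side of the advisory above (this is not part of the bug report or of the Mageia packages), the check below tokenises untrusted YAML and refuses any document carrying a python/* tag before handing it to SafeLoader, which has no constructor for python/object/new in the first place. It assumes PyYAML is importable as yaml; the two sample documents are constructed for the example.

```python
import yaml

# Constructed sample inputs (not taken from the bug report).
TRUSTED_DOC = "name: python-yaml\nversion: 5.3.1\nrelease: 1.1.mga7\n"
# A document carrying a python-specific tag on a harmless type: a loader
# for untrusted input must refuse it rather than instantiate anything.
TAGGED_DOC = "obj: !!python/object/new:int []\n"


def python_tags(text):
    """List the python/* tags in a YAML document without constructing any
    objects: yaml.scan only tokenises the stream."""
    found = []
    for tok in yaml.scan(text, Loader=yaml.SafeLoader):
        if isinstance(tok, yaml.TagToken):
            handle, suffix = tok.value          # e.g. ('!!', 'python/object/new:int')
            if "python/" in suffix:
                found.append((handle or "") + suffix)
    return found


def load_untrusted(text):
    """Parse YAML from an untrusted source.

    Rejects documents that carry python/* tags up front, then loads with
    SafeLoader, which knows only the core YAML types. This is the
    replacement for full_load()/FullLoader on untrusted input.
    """
    tags = python_tags(text)
    if tags:
        raise ValueError("refusing python-specific tags: " + ", ".join(tags))
    return yaml.load(text, Loader=yaml.SafeLoader)


def is_rejected(text):
    """True if load_untrusted() refuses the document."""
    try:
        load_untrusted(text)
    except (ValueError, yaml.YAMLError):
        return True
    return False


if __name__ == "__main__":
    print(load_untrusted(TRUSTED_DOC))
    print("tagged document rejected:", is_rejected(TAGGED_DOC))
```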
Comment 8 Herman Viaene 2021-03-08 14:45:10 CET
MGA7-64 MATE on Peaq C1011
No installation issues.
Ref bug 23242 for tests: testfiles all failed with tracebacks given, not my cup of tea.
Resorted to using rednotebook as referred to in bug 23242 Comment 14, and that worked OK: added some text and a picture to the journal, closed and reopened it: seems OK

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 9 Thomas Andrews 2021-03-08 17:01:02 CET
Validating. Advisory in Comment 7.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 10 Aurelien Oudelet 2021-03-11 22:16:24 CET
Advisory committed to SVN.

CVE: (none) => CVE-2020-14343
CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 11 Mageia Robot 2021-03-12 02:27:23 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0119.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
