Commit 9ff5d022 authored by Leo's avatar Leo

main/py-yaml: fix CVE-2020-14343

parent 54627c2b
......@@ -4,7 +4,7 @@
pkgname=py-yaml
_pkgname=PyYAML
pkgver=5.1.1
pkgrel=0
pkgrel=1
pkgdesc="Python bindings for YAML"
url="http://pyyaml.org"
arch="all"
......@@ -12,9 +12,15 @@ license="MIT"
depends=""
makedepends="python2-dev python3-dev yaml-dev"
subpackages="py2-${pkgname#py-}:_py2 py3-${pkgname#py-}:_py3"
source="$_pkgname-$pkgver.tar.gz::https://github.com/yaml/pyyaml/archive/$pkgver.tar.gz"
source="$_pkgname-$pkgver.tar.gz::https://github.com/yaml/pyyaml/archive/$pkgver.tar.gz
CVE-2020-14343.patch
"
builddir="$srcdir/pyyaml-$pkgver"
# secfixes:
# 5.1.1-r1:
# - CVE-2020-14343
build() {
cd "$builddir"
python2 setup.py build
......@@ -49,4 +55,5 @@ _py() {
$python setup.py install --prefix=/usr --root="$subpkgdir"
}
sha512sums="5c89f432b370990702db74b1e54fa185c38d2666377d3325aebcbb4841897aa2039b10a2c8196ce7ed4bb1300a854312335d3475821d785016190d70195f1480 PyYAML-5.1.1.tar.gz"
sha512sums="5c89f432b370990702db74b1e54fa185c38d2666377d3325aebcbb4841897aa2039b10a2c8196ce7ed4bb1300a854312335d3475821d785016190d70195f1480 PyYAML-5.1.1.tar.gz
5be8fca758d0c56eac0d96d095c12e56dfbdec342ec11d4d97b2b023560b883cd8c09e89b8dabe204c1b44c111c5d8a0a4af0e3aab3f1549b5dc745857e2175e CVE-2020-14343.patch"
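Review bot: Pipeline #68578 is shown as failed on this commit, and the newly added CVE-2020-14343.patch carries hunk offsets from the upstream tree as of its January 2021 date (`@@ -722,18 +722,6 @@` in lib/yaml/constructor.py, `@@ -710,18 +710,6 @@` in lib3/yaml/constructor.py), so confirm it applies to the 5.1.1 tarball without rejects rather than relying on fuzz. If `set_python_instance_state` in 5.1.1 does not already have the `unsafe=True` super() call that appears as context in the second hunk of each constructor.py, that hunk will not apply and the python/module, python/object and python/object/new tags would stay registered on FullConstructor, leaving full_load unfixed. The secfixes block must keep the nested indentation the secdb tooling parses as YAML (`#   5.1.1-r1:` / `#     - CVE-2020-14343`); this rendering drops leading whitespace, so that cannot be verified here.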
From 7adc0db3f613a82669f2b168edd98379b83adb3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ingy=20d=C3=B6t=20Net?= <ingy@ingy.net>
Date: Sat, 9 Jan 2021 10:53:23 -0500
Subject: [PATCH] Fix for CVE-2020-14343
Per suggestion https://github.com/yaml/pyyaml/issues/420#issuecomment-663888344
move a few constructors from full_load to unsafe_load.
---
lib/yaml/constructor.py | 24 ++++++++++++------------
lib3/yaml/constructor.py | 24 ++++++++++++------------
tests/lib/test_recursive.py | 2 +-
tests/lib3/test_recursive.py | 2 +-
4 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/lib/yaml/constructor.py b/lib/yaml/constructor.py
index 794681cb..c42ee344 100644
--- a/lib/yaml/constructor.py
+++ b/lib/yaml/constructor.py
@@ -722,18 +722,6 @@ def construct_python_object_new(self, suffix, node):
u'tag:yaml.org,2002:python/name:',
FullConstructor.construct_python_name)
-FullConstructor.add_multi_constructor(
- u'tag:yaml.org,2002:python/module:',
- FullConstructor.construct_python_module)
-
-FullConstructor.add_multi_constructor(
- u'tag:yaml.org,2002:python/object:',
- FullConstructor.construct_python_object)
-
-FullConstructor.add_multi_constructor(
- u'tag:yaml.org,2002:python/object/new:',
- FullConstructor.construct_python_object_new)
-
class UnsafeConstructor(FullConstructor):
def find_python_module(self, name, mark):
@@ -750,6 +738,18 @@ def set_python_instance_state(self, instance, state):
return super(UnsafeConstructor, self).set_python_instance_state(
instance, state, unsafe=True)
+UnsafeConstructor.add_multi_constructor(
+ u'tag:yaml.org,2002:python/module:',
+ UnsafeConstructor.construct_python_module)
+
+UnsafeConstructor.add_multi_constructor(
+ u'tag:yaml.org,2002:python/object:',
+ UnsafeConstructor.construct_python_object)
+
+UnsafeConstructor.add_multi_constructor(
+ u'tag:yaml.org,2002:python/object/new:',
+ UnsafeConstructor.construct_python_object_new)
+
UnsafeConstructor.add_multi_constructor(
u'tag:yaml.org,2002:python/object/apply:',
UnsafeConstructor.construct_python_object_apply)
diff --git a/lib3/yaml/constructor.py b/lib3/yaml/constructor.py
index 1948b125..619acd30 100644
--- a/lib3/yaml/constructor.py
+++ b/lib3/yaml/constructor.py
@@ -710,18 +710,6 @@ def construct_python_object_new(self, suffix, node):
'tag:yaml.org,2002:python/name:',
FullConstructor.construct_python_name)
-FullConstructor.add_multi_constructor(
- 'tag:yaml.org,2002:python/module:',
- FullConstructor.construct_python_module)
-
-FullConstructor.add_multi_constructor(
- 'tag:yaml.org,2002:python/object:',
- FullConstructor.construct_python_object)
-
-FullConstructor.add_multi_constructor(
- 'tag:yaml.org,2002:python/object/new:',
- FullConstructor.construct_python_object_new)
-
class UnsafeConstructor(FullConstructor):
def find_python_module(self, name, mark):
@@ -738,6 +726,18 @@ def set_python_instance_state(self, instance, state):
return super(UnsafeConstructor, self).set_python_instance_state(
instance, state, unsafe=True)
+UnsafeConstructor.add_multi_constructor(
+ 'tag:yaml.org,2002:python/module:',
+ UnsafeConstructor.construct_python_module)
+
+UnsafeConstructor.add_multi_constructor(
+ 'tag:yaml.org,2002:python/object:',
+ UnsafeConstructor.construct_python_object)
+
+UnsafeConstructor.add_multi_constructor(
+ 'tag:yaml.org,2002:python/object/new:',
+ UnsafeConstructor.construct_python_object_new)
+
UnsafeConstructor.add_multi_constructor(
'tag:yaml.org,2002:python/object/apply:',
UnsafeConstructor.construct_python_object_apply)
diff --git a/tests/lib/test_recursive.py b/tests/lib/test_recursive.py
index 312204ea..04c57985 100644
--- a/tests/lib/test_recursive.py
+++ b/tests/lib/test_recursive.py
@@ -30,7 +30,7 @@ def test_recursive(recursive_filename, verbose=False):
output2 = None
try:
output1 = yaml.dump(value1)
- value2 = yaml.load(output1, yaml.FullLoader)
+ value2 = yaml.load(output1, yaml.UnsafeLoader)
output2 = yaml.dump(value2)
assert output1 == output2, (output1, output2)
finally:
diff --git a/tests/lib3/test_recursive.py b/tests/lib3/test_recursive.py
index 74c2ee65..08042c81 100644
--- a/tests/lib3/test_recursive.py
+++ b/tests/lib3/test_recursive.py
@@ -31,7 +31,7 @@ def test_recursive(recursive_filename, verbose=False):
output2 = None
try:
output1 = yaml.dump(value1)
- value2 = yaml.full_load(output1)
+ value2 = yaml.unsafe_load(output1)
output2 = yaml.dump(value2)
assert output1 == output2, (output1, output2)
finally: