authorLeo <thinkabit.ukim@gmail.com>2021-01-19 22:58:06 -0300
committerLeo <thinkabit.ukim@gmail.com>2021-01-20 03:10:22 +0000
commitd5c2962f309748782a8127806bbe94d8a5a79fd3 (patch)
tree9a03f52fc07b46501a162504b2c4dd266138db4e
parenta15f7a721b787ee1e4adfc0b085fa7e7dbd2d961 (diff)
main/py3-yaml: fix CVE-2020-14343
-rw-r--r--main/py3-yaml/APKBUILD11
-rw-r--r--main/py3-yaml/CVE-2020-14343.patch124
2 files changed, 132 insertions, 3 deletions
diff --git a/main/py3-yaml/APKBUILD b/main/py3-yaml/APKBUILD
index 6938115c3e6..95cb6bc9299 100644
--- a/main/py3-yaml/APKBUILD
+++ b/main/py3-yaml/APKBUILD
@@ -4,20 +4,24 @@
pkgname=py3-yaml
_pkgname=PyYAML
pkgver=5.3.1
-pkgrel=1
+pkgrel=2
pkgdesc="Python3 bindings for YAML"
url="http://pyyaml.org"
arch="all"
license="MIT"
depends="python3"
makedepends="python3-dev yaml-dev cython"
-source="$_pkgname-$pkgver.tar.gz::https://github.com/yaml/pyyaml/archive/$pkgver.tar.gz"
+source="$_pkgname-$pkgver.tar.gz::https://github.com/yaml/pyyaml/archive/$pkgver.tar.gz
+ CVE-2020-14343.patch
+ "
builddir="$srcdir/pyyaml-$pkgver"
replaces="py-yaml" # Backwards compatibility
provides="py-yaml=$pkgver-r$pkgrel" # Backwards compatibility
# secfixes:
+# 5.3.1-r2:
+# - CVE-2020-14343
# 5.3.1-r0:
# - CVE-2020-1747
@@ -38,4 +42,5 @@ package() {
python3 setup.py install --prefix=/usr --root="$pkgdir"
}
-sha512sums="27d97e8493c7660c7c0c471e20a8aa46c85431e4559a98bcbdafc2bd89a67fd04c6f2090e54ff6b206c868b33635ef8be68070a4c25d17a25c97fd5ad3549556 PyYAML-5.3.1.tar.gz"
+sha512sums="27d97e8493c7660c7c0c471e20a8aa46c85431e4559a98bcbdafc2bd89a67fd04c6f2090e54ff6b206c868b33635ef8be68070a4c25d17a25c97fd5ad3549556 PyYAML-5.3.1.tar.gz
+5be8fca758d0c56eac0d96d095c12e56dfbdec342ec11d4d97b2b023560b883cd8c09e89b8dabe204c1b44c111c5d8a0a4af0e3aab3f1549b5dc745857e2175e CVE-2020-14343.patch"
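Review bot: The new secfixes entry and the added `source=` line record the CVE but not that the vendored patch changes what `full_load()`/`FullLoader` accept, which is a behaviour change visible to every package depending on py3-yaml rather than a transparent fix. A short comment beside the patch in `source=` would spare the next maintainer a trip into the patch, e.g. `# CVE-2020-14343.patch: moves python/module, python/object and python/object/new constructors from FullLoader to UnsafeLoader`. This rendering collapses leading whitespace, so the indentation of the new `5.3.1-r2:` secfixes lines cannot be checked here; confirm it matches the existing `5.3.1-r0` entry, since the secfixes block is presumably parsed by indentation.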
diff --git a/main/py3-yaml/CVE-2020-14343.patch b/main/py3-yaml/CVE-2020-14343.patch
new file mode 100644
index 00000000000..214639d17a8
--- /dev/null
+++ b/main/py3-yaml/CVE-2020-14343.patch
@@ -0,0 +1,124 @@
+From 7adc0db3f613a82669f2b168edd98379b83adb3c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ingy=20d=C3=B6t=20Net?= <ingy@ingy.net>
+Date: Sat, 9 Jan 2021 10:53:23 -0500
+Subject: [PATCH] Fix for CVE-2020-14343
+
+Per suggestion https://github.com/yaml/pyyaml/issues/420#issuecomment-663888344
+move a few constructors from full_load to unsafe_load.
+---
+ lib/yaml/constructor.py | 24 ++++++++++++------------
+ lib3/yaml/constructor.py | 24 ++++++++++++------------
+ tests/lib/test_recursive.py | 2 +-
+ tests/lib3/test_recursive.py | 2 +-
+ 4 files changed, 26 insertions(+), 26 deletions(-)
+
+diff --git a/lib/yaml/constructor.py b/lib/yaml/constructor.py
+index 794681cb..c42ee344 100644
+--- a/lib/yaml/constructor.py
++++ b/lib/yaml/constructor.py
+@@ -722,18 +722,6 @@ def construct_python_object_new(self, suffix, node):
+ u'tag:yaml.org,2002:python/name:',
+ FullConstructor.construct_python_name)
+
+-FullConstructor.add_multi_constructor(
+- u'tag:yaml.org,2002:python/module:',
+- FullConstructor.construct_python_module)
+-
+-FullConstructor.add_multi_constructor(
+- u'tag:yaml.org,2002:python/object:',
+- FullConstructor.construct_python_object)
+-
+-FullConstructor.add_multi_constructor(
+- u'tag:yaml.org,2002:python/object/new:',
+- FullConstructor.construct_python_object_new)
+-
+ class UnsafeConstructor(FullConstructor):
+
+ def find_python_module(self, name, mark):
+@@ -750,6 +738,18 @@ def set_python_instance_state(self, instance, state):
+ return super(UnsafeConstructor, self).set_python_instance_state(
+ instance, state, unsafe=True)
+
++UnsafeConstructor.add_multi_constructor(
++ u'tag:yaml.org,2002:python/module:',
++ UnsafeConstructor.construct_python_module)
++
++UnsafeConstructor.add_multi_constructor(
++ u'tag:yaml.org,2002:python/object:',
++ UnsafeConstructor.construct_python_object)
++
++UnsafeConstructor.add_multi_constructor(
++ u'tag:yaml.org,2002:python/object/new:',
++ UnsafeConstructor.construct_python_object_new)
++
+ UnsafeConstructor.add_multi_constructor(
+ u'tag:yaml.org,2002:python/object/apply:',
+ UnsafeConstructor.construct_python_object_apply)
+diff --git a/lib3/yaml/constructor.py b/lib3/yaml/constructor.py
+index 1948b125..619acd30 100644
+--- a/lib3/yaml/constructor.py
++++ b/lib3/yaml/constructor.py
+@@ -710,18 +710,6 @@ def construct_python_object_new(self, suffix, node):
+ 'tag:yaml.org,2002:python/name:',
+ FullConstructor.construct_python_name)
+
+-FullConstructor.add_multi_constructor(
+- 'tag:yaml.org,2002:python/module:',
+- FullConstructor.construct_python_module)
+-
+-FullConstructor.add_multi_constructor(
+- 'tag:yaml.org,2002:python/object:',
+- FullConstructor.construct_python_object)
+-
+-FullConstructor.add_multi_constructor(
+- 'tag:yaml.org,2002:python/object/new:',
+- FullConstructor.construct_python_object_new)
+-
+ class UnsafeConstructor(FullConstructor):
+
+ def find_python_module(self, name, mark):
+@@ -738,6 +726,18 @@ def set_python_instance_state(self, instance, state):
+ return super(UnsafeConstructor, self).set_python_instance_state(
+ instance, state, unsafe=True)
+
++UnsafeConstructor.add_multi_constructor(
++ 'tag:yaml.org,2002:python/module:',
++ UnsafeConstructor.construct_python_module)
++
++UnsafeConstructor.add_multi_constructor(
++ 'tag:yaml.org,2002:python/object:',
++ UnsafeConstructor.construct_python_object)
++
++UnsafeConstructor.add_multi_constructor(
++ 'tag:yaml.org,2002:python/object/new:',
++ UnsafeConstructor.construct_python_object_new)
++
+ UnsafeConstructor.add_multi_constructor(
+ 'tag:yaml.org,2002:python/object/apply:',
+ UnsafeConstructor.construct_python_object_apply)
+diff --git a/tests/lib/test_recursive.py b/tests/lib/test_recursive.py
+index 312204ea..04c57985 100644
+--- a/tests/lib/test_recursive.py
++++ b/tests/lib/test_recursive.py
+@@ -30,7 +30,7 @@ def test_recursive(recursive_filename, verbose=False):
+ output2 = None
+ try:
+ output1 = yaml.dump(value1)
+- value2 = yaml.load(output1, yaml.FullLoader)
++ value2 = yaml.load(output1, yaml.UnsafeLoader)
+ output2 = yaml.dump(value2)
+ assert output1 == output2, (output1, output2)
+ finally:
+diff --git a/tests/lib3/test_recursive.py b/tests/lib3/test_recursive.py
+index 74c2ee65..08042c81 100644
+--- a/tests/lib3/test_recursive.py
++++ b/tests/lib3/test_recursive.py
+@@ -31,7 +31,7 @@ def test_recursive(recursive_filename, verbose=False):
+ output2 = None
+ try:
+ output1 = yaml.dump(value1)
+- value2 = yaml.full_load(output1)
++ value2 = yaml.unsafe_load(output1)
+ output2 = yaml.dump(value2)
+ assert output1 == output2, (output1, output2)
+ finally:
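Review bot: The `python/name:` multi-constructor stays registered on FullConstructor (the context lines at the top of both constructor.py hunks), so after this patch FullLoader still resolves that tag while only `python/module`, `python/object` and `python/object/new` move to UnsafeConstructor; the patch description should state that scope so nobody reads the secfixes entry as "full_load now rejects every python/* tag". The two test hunks switch the recursive round-trip from FullLoader/full_load to UnsafeLoader/unsafe_load without saying why — presumably the recursive fixtures contain python/object tags that FullLoader no longer constructs — and a one-line note in the patch header such as `tests: recursive fixtures use python/object tags, which FullLoader no longer constructs` would make that explicit. Since this package installs with python3 (see the package() context in the APKBUILD hunk), presumably only the lib3/ hunk is exercised and the lib/ hunk is carried for fidelity to the upstream commit; worth a mention so it is not mistaken for a second fix.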