Date: Tue, 26 Jun 2018 21:18:39 -0400
From: Alex Gaynor <alex.gaynor@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE for PyYAML RCE-factory API

In releases of PyYAML < 4.1, using the `yaml.load()` API on untrusted input
could lead to arbitrary code execution. Instead, users were advised to use
the `yaml.safe_load()` API.

Starting with the PyYAML 4.1 release, the `yaml.load()` API has been made
safe-by-default. Users wishing to opt into the old behavior and produce
RCEs (or who trust their input) can use the `yaml.danger_load()` API.

Because of the degree to which this API presented a footgun, I would like
to request a CVE for it.

Alex

-- 
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6
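As an added illustration of the safe-versus-unsafe loader distinction described in the message above (example code written for this page, not from the poster or the PyYAML project): a small pre-parse check that refuses any document carrying a `python/*` tag before it reaches a parser, combined with the safe loader as the actual control. The helper names (`find_python_tags`, `load_untrusted`), the regular expression and the two sample documents are constructed for this example; the `!!python/tuple` tag is used because it is Python-specific but harmless, so the check can be exercised without any dangerous content.

```python
"""Refuse Python-specific YAML tags before loading untrusted input.

Standard library only; PyYAML is imported lazily so the helpers can be
exercised without it. Sample documents and helper names are constructed
for this example and are not part of any library API.
"""
import re

# Both the short form (!!python/...) and the fully qualified form
# (tag:yaml.org,2002:python/...) resolve to the same PyYAML-only tags,
# which only the full loaders can construct. Capture the python/... part.
PYTHON_TAG_RE = re.compile(r"(?:!!|tag:yaml\.org,2002:)(python/[A-Za-z_/]+)")

# Constructed samples: one plain config, one relying on a python/* tag.
BENIGN_DOC = "server:\n  host: example.invalid\n  port: 8443\n"
TAGGED_DOC = "coords: !!python/tuple [1, 2]\n"


def find_python_tags(text: str) -> list:
    """Return the sorted, de-duplicated python/* tags found in a YAML text."""
    return sorted(set(PYTHON_TAG_RE.findall(text)))


def load_untrusted(text: str, loader=None):
    """Parse YAML from an untrusted source.

    Documents carrying python/* tags are rejected before parsing so the
    refusal is explicit and easy to log. The document is then handed only
    to a safe loader (PyYAML's yaml.safe_load by default; a caller may
    supply another callable, which the tests use to stay library-free).
    """
    tags = find_python_tags(text)
    if tags:
        raise ValueError(f"refusing YAML with Python-specific tags: {tags}")
    if loader is None:
        import yaml  # PyYAML, imported here so the check above works without it
        loader = yaml.safe_load
    return loader(text)


if __name__ == "__main__":
    print("benign:", load_untrusted(BENIGN_DOC))
    try:
        load_untrusted(TAGGED_DOC)
    except ValueError as exc:
        print("rejected:", exc)
    # The safe loader refuses the same tag on its own; the pre-check only
    # makes the failure mode explicit and avoids parsing the document at all.
    try:
        import yaml
        yaml.safe_load(TAGGED_DOC)
    except ImportError:
        print("PyYAML not installed; skipping safe_load demonstration")
    except Exception as exc:  # yaml.constructor.ConstructorError
        print("safe_load also rejected it:", type(exc).__name__)
```

The regex is a pre-filter, not the security boundary: a document could still carry other local tags, so the safe loader (which constructs only the standard YAML types) remains the control that actually matters, and nothing in this path ever calls the full loader.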
