From 95900cae2001cd5cfe3a04b481d77d317eecd4da Mon Sep 17 00:00:00 2001
From: yun-chengzhang <1294123878@qq.com>
Date: Wed, 16 Jun 2021 10:41:15 +0800
Subject: [PATCH] Fix CVE-2020-14343

---
 CVE-2020-14343.patch | 124 +++++++++++++++++++++++++++++++++++++++++++
 PyYAML.spec | 7 ++-
 2 files changed, 130 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2020-14343.patch

diff --git a/CVE-2020-14343.patch b/CVE-2020-14343.patch
new file mode 100644
index 0000000..214639d
--- /dev/null
+++ b/CVE-2020-14343.patch
@@ -0,0 +1,124 @@ +From 7adc0db3f613a82669f2b168edd98379b83adb3c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ingy=20d=C3=B6t=20Net?= +Date: Sat, 9 Jan 2021 10:53:23 -0500 +Subject: [PATCH] Fix for CVE-2020-14343 + +Per suggestion https://github.com/yaml/pyyaml/issues/420#issuecomment-663888344 +move a few constructors from full_load to unsafe_load. +--- + lib/yaml/constructor.py | 24 ++++++++++++------------ + lib3/yaml/constructor.py | 24 ++++++++++++------------ + tests/lib/test_recursive.py | 2 +- + tests/lib3/test_recursive.py | 2 +- + 4 files changed, 26 insertions(+), 26 deletions(-) + +diff --git a/lib/yaml/constructor.py b/lib/yaml/constructor.py +index 794681cb..c42ee344 100644 +--- a/lib/yaml/constructor.py ++++ b/lib/yaml/constructor.py +@@ -722,18 +722,6 @@ def construct_python_object_new(self, suffix, node): + u'tag:yaml.org,2002:python/name:', + FullConstructor.construct_python_name) + +-FullConstructor.add_multi_constructor( +- u'tag:yaml.org,2002:python/module:', +- FullConstructor.construct_python_module) +- +-FullConstructor.add_multi_constructor( +- u'tag:yaml.org,2002:python/object:', +- FullConstructor.construct_python_object) +- +-FullConstructor.add_multi_constructor( +- u'tag:yaml.org,2002:python/object/new:', +- FullConstructor.construct_python_object_new) +- + class UnsafeConstructor(FullConstructor): + + def find_python_module(self, name, mark): +@@ -750,6 +738,18 @@ def set_python_instance_state(self, instance, state): + return super(UnsafeConstructor, self).set_python_instance_state( + instance, state, unsafe=True) + ++UnsafeConstructor.add_multi_constructor( ++ u'tag:yaml.org,2002:python/module:', ++ UnsafeConstructor.construct_python_module) ++ ++UnsafeConstructor.add_multi_constructor( ++ u'tag:yaml.org,2002:python/object:', ++ UnsafeConstructor.construct_python_object) ++ ++UnsafeConstructor.add_multi_constructor( ++ u'tag:yaml.org,2002:python/object/new:', ++ UnsafeConstructor.construct_python_object_new) ++ + 
UnsafeConstructor.add_multi_constructor( + u'tag:yaml.org,2002:python/object/apply:', + UnsafeConstructor.construct_python_object_apply) +diff --git a/lib3/yaml/constructor.py b/lib3/yaml/constructor.py +index 1948b125..619acd30 100644 +--- a/lib3/yaml/constructor.py ++++ b/lib3/yaml/constructor.py +@@ -710,18 +710,6 @@ def construct_python_object_new(self, suffix, node): + 'tag:yaml.org,2002:python/name:', + FullConstructor.construct_python_name) + +-FullConstructor.add_multi_constructor( +- 'tag:yaml.org,2002:python/module:', +- FullConstructor.construct_python_module) +- +-FullConstructor.add_multi_constructor( +- 'tag:yaml.org,2002:python/object:', +- FullConstructor.construct_python_object) +- +-FullConstructor.add_multi_constructor( +- 'tag:yaml.org,2002:python/object/new:', +- FullConstructor.construct_python_object_new) +- + class UnsafeConstructor(FullConstructor): + + def find_python_module(self, name, mark): +@@ -738,6 +726,18 @@ def set_python_instance_state(self, instance, state): + return super(UnsafeConstructor, self).set_python_instance_state( + instance, state, unsafe=True) + ++UnsafeConstructor.add_multi_constructor( ++ 'tag:yaml.org,2002:python/module:', ++ UnsafeConstructor.construct_python_module) ++ ++UnsafeConstructor.add_multi_constructor( ++ 'tag:yaml.org,2002:python/object:', ++ UnsafeConstructor.construct_python_object) ++ ++UnsafeConstructor.add_multi_constructor( ++ 'tag:yaml.org,2002:python/object/new:', ++ UnsafeConstructor.construct_python_object_new) ++ + UnsafeConstructor.add_multi_constructor( + 'tag:yaml.org,2002:python/object/apply:', + UnsafeConstructor.construct_python_object_apply) +diff --git a/tests/lib/test_recursive.py b/tests/lib/test_recursive.py +index 312204ea..04c57985 100644 +--- a/tests/lib/test_recursive.py ++++ b/tests/lib/test_recursive.py +@@ -30,7 +30,7 @@ def test_recursive(recursive_filename, verbose=False): + output2 = None + try: + output1 = yaml.dump(value1) +- value2 = yaml.load(output1, yaml.FullLoader) 
++ value2 = yaml.load(output1, yaml.UnsafeLoader) + output2 = yaml.dump(value2) + assert output1 == output2, (output1, output2) + finally: +diff --git a/tests/lib3/test_recursive.py b/tests/lib3/test_recursive.py +index 74c2ee65..08042c81 100644 +--- a/tests/lib3/test_recursive.py ++++ b/tests/lib3/test_recursive.py +@@ -31,7 +31,7 @@ def test_recursive(recursive_filename, verbose=False): + output2 = None + try: + output1 = yaml.dump(value1) +- value2 = yaml.full_load(output1) ++ value2 = yaml.unsafe_load(output1) + output2 = yaml.dump(value2) + assert output1 == output2, (output1, output2) + finally: diff --git a/PyYAML.spec b/PyYAML.spec index e1ce75e..ed6144d 100644 --- a/PyYAML.spec +++ b/PyYAML.spec @@ -3,11 +3,12 @@ Name: pyyaml Version: 5.3.1 -Release: 3 +Release: 4 Summary: YAML parser and emitter for Python License: MIT URL: https://github.com/yaml/pyyaml Source0: https://github.com/yaml/pyyaml/archive/%{version}.tar.gz +Patch0000: CVE-2020-14343.patch BuildRequires: gcc libyaml-devel @@ -84,6 +85,7 @@ files to object serialization and persistence. %prep %setup -q -n %{name}-%{version} +%patch0000 -p1 %build %if %{with python2} @@ -124,6 +126,9 @@ files to object serialization and persistence. %endif %changelog +* Wed Jun 16 2021 zhaomengchao - 5.3.1-4 +- Fix CVE-2020-14343 + * Fri Sep 18 2020 liuweibo - 5.3.1-3 - Fix Source0 -- Gitee
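Review bot: The backported patch appears to come from an upstream tree newer than the 5.3.1 tarball this spec builds (its hunks are `@@ -722,18 +722,6 @@` and `@@ -710,18 +710,6 @@` in lib/yaml/constructor.py and lib3/yaml/constructor.py, dated Jan 2021 against a March 2020 release), so its line numbers and context may not line up with 5.3.1 and it is worth confirming that `%patch0000 -p1` in %prep applies without rejects rather than relying on patch fuzz. The hunk moves the `python/module:`, `python/object:` and `python/object/new:` multi-constructors from FullConstructor to UnsafeConstructor while the `python/name:` registration visible in the context stays on FullConstructor, so documents using those three tags will presumably no longer be constructed by `yaml.full_load` / `FullLoader` — a behaviour change for callers that the spec changelog line `- Fix CVE-2020-14343` does not record; something like `- Fix CVE-2020-14343: python/object, python/object/new and python/module tags are now only constructed by UnsafeLoader` would. The accompanying test edits in tests/lib/test_recursive.py and tests/lib3/test_recursive.py switch the recursive round-trip to UnsafeLoader for the same reason, which only matters if the package build runs that test suite.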