Testsuite is using yaml.load CVE-2017-18342 #191

atupone · 2019-06-09T12:20:07Z

In PyYAML before 4.1, the yaml.load() API could execute arbitrary code. In other words, yaml.safe_load is not used.
I don't know the status after 4.1, however in gentoo with pyyaml 5.1 I cannot run test for the yaml.load() use

pmderodat · 2019-06-10T14:59:00Z

Hello @atupone

Thank you for raising this issue. The testsuite should work with .safe_load: we’ll test this option and will update our Python codebase accordingly.

For GitHub issue AdaCore#191

For GitHub issue AdaCore/langkit#191

For GitHub issue #191

pmderodat · 2019-06-10T15:24:41Z

This is now fixed. Thanks again for reporting this!

pmderodat added a commit to pmderodat/langkit that referenced this issue Jun 10, 2019

testsuite/polyfill: use yaml.safe_load instead of yaml.load

21100df

For GitHub issue AdaCore#191

pmderodat added a commit to pmderodat/libadalang that referenced this issue Jun 10, 2019

testsuite/polyfill: use yaml.safe_load instead of yaml.load

9bf4de4

For GitHub issue AdaCore/langkit#191

pmderodat added a commit to AdaCore/libadalang that referenced this issue Jun 10, 2019

testsuite/polyfill: use yaml.safe_load instead of yaml.load

ca5603b

For GitHub issue AdaCore/langkit#191

pmderodat added a commit that referenced this issue Jun 10, 2019

testsuite/polyfill: use yaml.safe_load instead of yaml.load

a62a774

For GitHub issue #191

pmderodat closed this as completed Jun 10, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Testsuite is using yaml.load CVE-2017-18342 #191

Testsuite is using yaml.load CVE-2017-18342 #191

atupone commented Jun 9, 2019

pmderodat commented Jun 10, 2019

pmderodat commented Jun 10, 2019

Testsuite is using yaml.load CVE-2017-18342 #191

Testsuite is using yaml.load CVE-2017-18342 #191

Comments

atupone commented Jun 9, 2019

pmderodat commented Jun 10, 2019

pmderodat commented Jun 10, 2019