From: Jochen Neumeister <joneum@FreeBSD.org>
To: Josh Paetzel, ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: Re: svn commit: r499855 - head/security/vuxml
Date: Wed, 24 Apr 2019 20:28:27 +0200
In-Reply-To: <201904241530.x3OFUeUg008218@repo.freebsd.org>
List-Id: SVN commit messages for the ports tree for head

On 24.04.19 17:30, Josh Paetzel wrote:
> Author: jpaetzel
> Date: Wed Apr 24 15:30:40 2019
> New Revision: 499855
> URL: https://svnweb.freebsd.org/changeset/ports/499855
>
> Log:
>   Document py-yaml vulnerability
>
>   PR:           237501
>   Submitted by: sergey@akhmatov.ru
>   Security:     CVE-2017-18342

Where is:

Security:     f6ea18bb-65b9-11e9-8b31-002590045d9c
MFH:          2019Q2

Greetings

> > Modified: > head/security/vuxml/vuln.xml > > Modified: head/security/vuxml/vuln.xml > ============================================================================== > --- head/security/vuxml/vuln.xml Wed Apr 24 15:13:52 2019 (r499854) > +++ head/security/vuxml/vuln.xml Wed Apr 24 15:30:40 2019 (r499855) > @@ -58,6 +58,37 @@ Notes: > * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) > --> > > + > + py-yaml -- arbitrary code execution > + > + > + py27-yaml > + py35-yaml > + py36-yaml > + py37-yaml > + 4.1 > + > + > + > + > +

pyyaml reports:

> +
> +

the PyYAML.load function could be easily exploited to call any Python > + function. That means it could call any system command using os.system()

> +
> + > +
> + > + CVE-2017-18342 > + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342 > + https://github.com/yaml/pyyaml/pull/74 > + > + > + 2018-06-27 > + 2019-04-23 > + > +
> + > > FreeBSD -- EAP-pwd message reassembly issue with unexpected fragment > >
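Review bot: the affected range in this hunk ends at the bare "> + 4.1" line, but the only references given are the CVE page and https://github.com/yaml/pyyaml/pull/74, so nothing in the entry shows which upstream release actually changed the load() behaviour; add a reference to the upstream release notes or changelog that justifies the 4.1 bound, or adjust the bound to match what that reference says. Two smaller points on the same hunk: the quoted description names the function "PyYAML.load", while the API as actually imported is yaml.load, so readers grepping their code for the vulnerable call will want the real identifier; and, as the reply above asks, the commit log carries only "Security: CVE-2017-18342" where the entry's own vid (f6ea18bb-65b9-11e9-8b31-002590045d9c) and an MFH line for 2019Q2 also belong.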