View Issue Details

ID: 0017590
Project: CentOS-8
Category: PyYAML
View Status: public
Last Update: 2020-07-14 00:06
Reporter: tylarb
Assigned To:
Status: new
Resolution: open
Product Version: 8.2.2004
Summary: 0017590: PyYAML shipped in CentOS 8 is susceptible to CVE-2017-18342
Description: The version of PyYAML shipped with CentOS 8 is based on PyYAML 3.12 and is susceptible to CVE-2017-18342

I expected that the patch marking yaml.load deprecated would be applied here.
See here for details:
Steps To Reproduce: yum install python3-pyyaml

[root@5437a2df8784 /]# python3
Python 3.6.8 (default, Nov 21 2019, 19:31:34)
[GCC 8.3.1 20190507 (Red Hat 8.3.1-4)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import yaml
>>> print(yaml.__version__)
>>> yaml.load("!!python/object/new:os.system [echo EXPLOIT!]")
Additional Information: It looks like the CVE has been fixed in Fedora, as noted in this bugzilla:

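As an added illustration of the mitigation the reporter expects (not part of the issue and not PyYAML's own code): the safe loader only knows the standard YAML tags, so the python-specific tag family used in the reproducer is refused instead of instantiating an object. The two sample documents are constructed for this example.

```python
import yaml

# Constructed sample input: an ordinary configuration document.
BENIGN_DOC = "name: demo\nports: [80, 443]\n"

# Constructed sample input using the same tag family as the report's
# reproducer, with a harmless target. It is never passed to a full loader
# here; the point is that the safe loader refuses it.
TAGGED_DOC = "!!python/object/new:os.getcwd []\n"


def load_untrusted(text):
    """Parse YAML that may come from an untrusted source.

    yaml.safe_load (equivalently yaml.load(text, Loader=yaml.SafeLoader))
    resolves only the standard YAML tags. Any !!python/... tag raises
    yaml.constructor.ConstructorError rather than constructing a Python
    object, which is the behaviour the vulnerable yaml.load() default lacks.
    """
    return yaml.safe_load(text)


def is_rejected(text):
    """Return True when the safe loader refuses the document."""
    try:
        yaml.safe_load(text)
    except yaml.YAMLError:  # ConstructorError is a subclass of YAMLError
        return True
    return False


if __name__ == "__main__":
    print("benign:", load_untrusted(BENIGN_DOC))
    print("tagged document rejected:", is_rejected(TAGGED_DOC))
```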

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2020-07-14 00:06 tylarb New Issue
2020-07-14 00:06 tylarb Tag Attached: security