[Openstack-security] [Bug 1586079] Re: YaqlYamlLoader inherits from YamlLoader
OpenStack Infra
1586079 at bugs.launchpad.net
Thu Jun 23 16:50:24 UTC 2016
Reviewed: https://review.openstack.org/333428
Committed: https://git.openstack.org/cgit/openstack/murano-dashboard/commit/?id=66ef3d71941c4bd672d1e8e37d8f7b199acd5462
Submitter: Jenkins
Branch: master
commit 66ef3d71941c4bd672d1e8e37d8f7b199acd5462
Author: Kirill Zaitsev <kzaitsev at mirantis.com>
Date: Fri May 27 00:11:28 2016 +0300
Inherit custom yaml Loader from yaml.SafeLoader
Before this patch, the yaql-enabled yaml Loader inherited from yaml.Loader, which
potentially allows creating arbitrary python objects from specifically
formatted yaml tags. This could have happened whenever UI definitions of
the package were processed.
With this change the yaql yaml Loader no longer allows creating custom python objects.
Change-Id: I4fe38aa7e0fc567211ab872c7e1f8e81dbc3e765
Closes-Bug: #1586079
** Changed in: murano
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1586079
Title:
YaqlYamlLoader inherits from YamlLoader
Status in Murano:
Fix Released
Status in Murano kilo series:
Won't Fix
Status in Murano liberty series:
In Progress
Status in Murano mitaka series:
In Progress
Status in Murano newton series:
Fix Released
Bug description:
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
-------------------------------------------------------------------------
YaqlYamlLoader inherits from YamlLoader, meaning that it is possible
to use extended unsafe tags in yaml files:
http://pyyaml.org/wiki/PyYAMLDocumentation#YAMLtagsandPythontypes
Both the dashboard and the engine/api seem to be vulnerable.
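The loader-inheritance problem and the fix, as an added example that is not Murano's own code: a hypothetical `!yaql` tag is registered on a loader derived from `yaml.Loader` (the pre-fix shape) and on one derived from `yaml.SafeLoader` (the fixed shape), and both parse a constructed UI definition that also carries a PyYAML python-specific tag. The class and tag names are assumptions, and PyYAML is assumed to be installed.

```python
# Added example (not murano-dashboard code): effect of the base class chosen
# for a custom YAML loader. Names below are hypothetical stand-ins.
import yaml
from yaml.constructor import ConstructorError


class YaqlExpression:
    """Stand-in for a yaql expression object (hypothetical, not murano's)."""

    def __init__(self, expr):
        self.expr = expr

    def __repr__(self):
        return "YaqlExpression(%r)" % self.expr


def _yaql_constructor(loader, node):
    # Build the project-specific object from the scalar following the tag.
    return YaqlExpression(loader.construct_scalar(node))


class UnsafeYaqlYamlLoader(yaml.Loader):
    """Pre-fix shape: inherits every python/* object constructor of yaml.Loader."""


class SafeYaqlYamlLoader(yaml.SafeLoader):
    """Fixed shape: standard YAML types plus the explicitly registered !yaql tag."""


# add_constructor copies the constructor table per subclass, so neither
# registration leaks into yaml.Loader or yaml.SafeLoader themselves.
for cls in (UnsafeYaqlYamlLoader, SafeYaqlYamlLoader):
    cls.add_constructor("!yaql", _yaql_constructor)


# Constructed sample UI definition: one legitimate !yaql value and one
# PyYAML python-specific tag that package content should not be able to use.
UI_DEFINITION = """
name: !yaql "$.appConfiguration.name"
extra: !!python/tuple [1, 2]
"""


def load_with(loader_cls):
    """Return (parsed_mapping, None) on success or (None, error_class_name)."""
    try:
        return yaml.load(UI_DEFINITION, Loader=loader_cls), None
    except ConstructorError as err:
        return None, type(err).__name__


if __name__ == "__main__":
    print(load_with(UnsafeYaqlYamlLoader))  # python tuple is constructed
    print(load_with(SafeYaqlYamlLoader))    # (None, 'ConstructorError')
```

The unsafe variant silently builds a native Python object from the second tag, while the SafeLoader-based variant refuses the document with a ConstructorError and still handles the legitimate `!yaql` tag.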