[Openstack-security] [Bug 1586078] Re: YaqlYamlLoader inherits from YamlLoader
OpenStack Infra
1586078 at bugs.launchpad.net
Thu Jun 23 17:45:51 UTC 2016
Reviewed: https://review.openstack.org/333444
Committed: https://git.openstack.org/cgit/openstack/python-muranoclient/commit/?id=b1e8a1753ccc3faf06840f675403645311ac9d79
Submitter: Jenkins
Branch: stable/liberty
commit b1e8a1753ccc3faf06840f675403645311ac9d79
Author: Kirill Zaitsev <kzaitsev at mirantis.com>
Date: Fri May 27 01:04:31 2016 +0300
Use yaml.SafeLoader instead of yaml.Loader
Before this patch yaml.Loader was used by the client to create custom
yaql-enabled yaml loader. It is unsafe to do so, because yaml.Loader is
capable of creating custom python objects from specifically constructed
yaml files.
UI parsing functions also fell back to yaml.Loader if
the custom loader was not supplied.
After this patch all yaml load operations are performed with safe
loaders instead.
Change-Id: Id9bb6eabda35522271ec394f8758a974878cbb4b
Closes-Bug: #1586078
** Changed in: python-muranoclient/liberty
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1586078
Title:
YaqlYamlLoader inherits from YamlLoader
Status in python-muranoclient:
Fix Released
Status in python-muranoclient kilo series:
Won't Fix
Status in python-muranoclient liberty series:
Fix Committed
Status in python-muranoclient mitaka series:
Fix Committed
Status in python-muranoclient newton series:
Fix Released
Bug description:
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
-------------------------------------------------------------------------
YaqlYamlLoader inherits from YamlLoader, meaning that it is possible
to use extended unsafe tags in yaml files
http://pyyaml.org/wiki/PyYAMLDocumentation#YAMLtagsandPythontypes
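Added example (not python-muranoclient's own code): a yaql-style loader derived from yaml.SafeLoader, as the fix describes, with a harmless Python-specific tag showing how yaml.Loader accepts what the safe-based loader rejects. The `!yaql` tag name and the `YaqlExpression` wrapper are assumptions for illustration.

```python
# Custom loader built on yaml.SafeLoader (as in the fix) instead of yaml.Loader.
# Tag name "!yaql" and YaqlExpression are assumed names for this illustration.
import yaml


class YaqlExpression:
    """Stand-in for a yaql expression; only keeps the source text."""

    def __init__(self, expr):
        self.expr = expr

    def __eq__(self, other):
        return isinstance(other, YaqlExpression) and other.expr == self.expr

    def __repr__(self):
        return "YaqlExpression(%r)" % self.expr


class SafeYaqlYamlLoader(yaml.SafeLoader):
    """Custom loader: SafeLoader plus one application-specific tag."""


def _yaql_constructor(loader, node):
    return YaqlExpression(loader.construct_scalar(node))


# Registering on the subclass does not change yaml.SafeLoader itself.
SafeYaqlYamlLoader.add_constructor("!yaql", _yaql_constructor)


def load_with_custom_tag(text):
    """Load YAML that may use !yaql; never falls back to yaml.Loader."""
    return yaml.load(text, Loader=SafeYaqlYamlLoader)


def is_rejected(text):
    """True if the safe-based loader refuses the document (unknown/python tag)."""
    try:
        load_with_custom_tag(text)
    except yaml.constructor.ConstructorError:
        return True
    return False


def unsafe_loader_accepts(text):
    """The 'before' behaviour: yaml.Loader honours Python-specific tags."""
    return yaml.load(text, Loader=yaml.Loader)


# Constructed sample documents (harmless !!python/tuple stands in for any python tag).
GOOD_DOC = "name: demo\nlimit: !yaql '$.size > 10'\n"
PYTHON_TAG_DOC = "value: !!python/tuple [1, 2]\n"
```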