From owner-svn-ports-head@freebsd.org Wed Apr 24 18:33:12 2019
Subject: Re: svn commit: r499855 - head/security/vuxml
From: Jochen Neumeister
To: Josh Paetzel, ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
References: <201904241530.x3OFUeUg008218@repo.freebsd.org>
Date: Wed, 24 Apr 2019 20:33:04 +0200
List-Id: SVN commit messages for the ports tree for head

On 24.04.19 20:28, Jochen Neumeister wrote:
>
> On 24.04.19 17:30, Josh Paetzel wrote:
>> Author: jpaetzel
>> Date: Wed Apr 24 15:30:40 2019
>> New Revision: 499855
>> URL: https://svnweb.freebsd.org/changeset/ports/499855
>>
>> Log:
>>    Document py-yaml vulnerability
>>
>>    PR:    237501
>>    Submitted by:    sergey@akhmatov.ru
>>    Security:    CVE-2017-18342
>
>
> Where is:
>
> Security:    f6ea18bb-65b9-11e9-8b31-002590045d9c
> MFH:          2019Q2
>
>
> Greetings

Wrong mail. I mean this commit: https://svnweb.freebsd.org/changeset/ports/499857

Pls commit it to MFH2019Q2 with my Approved.

Greetings

>
>
>>
>> Modified:
>>    head/security/vuxml/vuln.xml
>>
>> Modified: head/security/vuxml/vuln.xml
>> ==============================================================================
>>
>> --- head/security/vuxml/vuln.xml    Wed Apr 24 15:13:52 2019 (r499854)
>> +++ head/security/vuxml/vuln.xml    Wed Apr 24 15:30:40 2019 (r499855)
>> @@ -58,6 +58,37 @@ Notes: >>     * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) >>   --> >>   >> +  >> +    py-yaml -- arbitrary code execution >> +    >> +      >> +    py27-yaml >> +    py35-yaml >> +    py36-yaml >> +    py37-yaml >> +    4.1 >> +      >> +    >> +    >> +      >> +   

pyyaml reports:

>> +   
> cite="https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation"> >> +     

the PyYAML.load function could be easily exploited to call >> any Python >> +    function. That means it could call any system command using >> os.system()

>> +   
>> +      >> +   
>> +    >> +      CVE-2017-18342 >> + >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342 >> + https://github.com/yaml/pyyaml/pull/74 >> +    >> +    >> +      2018-06-27 >> +      2019-04-23 >> +    >> + 
>> + >>     >>       FreeBSD -- EAP-pwd message reassembly issue with >> unexpected fragment >>       >> >
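Review bot: The description paragraph of the new entry (the quoted "pyyaml reports:" block) tells the reader only that yaml.load can reach os.system() and gives the version bound "4.1", but says nothing about what an application should change; since the cited wiki page is the yaml.load(input) deprecation notice, add one sentence stating that untrusted documents should be parsed with yaml.safe_load() (or an explicit SafeLoader) regardless of package version, and that the issue applies to yaml.load() with the default loader. Also check the package list in the hunk against the "Do not forget port variants" note in the surrounding context: py27-yaml, py35-yaml, py36-yaml and py37-yaml are listed, so confirm no other flavor of the port exists at r499855 before this is merged to 2019Q2.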