Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pyyaml security vulnerability #478

Closed
1fish2 opened this issue Mar 23, 2019 · 0 comments · Fixed by #528
Closed

pyyaml security vulnerability #478

1fish2 opened this issue Mar 23, 2019 · 0 comments · Fixed by #528
Assignees
@1fish2
Labels
security security vulnerabilities

Comments

@1fish2
Copy link
Contributor

1fish2 commented Mar 23, 2019

GitHub warns @eagmon of security vulnerabilities in 2 packages we're using. (Why doesn't it show this warning to me???)
Screen Shot 2019-03-22 at 9 32 06 PM

pyyaml does not seem to have any release notes or docs on how to handle this vulnerability! One has to dig through their "closed" issues and wiki to learn about this. In short, yaml.load() can run arbitrary Python code. Their wiki says this vulnerability goes back to their first release, it's documented, and they aren't going to break compatibility by making yaml.load() safe.

Release 5.1 doesn't really fix the vulnerability other than print a deprecation warning from yaml.load().

yaml/pyyaml#243
yaml/pyyaml#193
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation

/usr/local/var/pyenv/versions/wcEcoli2/lib/python2.7/site-packages $ grep 'Requires.*yaml' */METADATA
FireWorks-1.8.7.dist-info/METADATA:Requires-Dist: ruamel.yaml (>=0.15.35)
monty-1.0.3.dist-info/METADATA:Requires-Dist: ruamel.yaml; extra == 'yaml'
ruamel.yaml-0.15.43.dist-info/METADATA:Requires-Dist: ruamel.yaml.jinja2 (>=0.2); extra == 'jinja2'

We should:

  • switch from calling yaml.load() to yaml.safe_load() to ensure it can't run arbitrary Python code (we use it to load yaml files from Ecocyc, so this does matter)
  • update pyyaml from 3.13 to 5.1 -- mainly to avoid GitHub's security alert; the update doesn't do a lot for security
  • figure out whether Fireworks, ruamel.yaml, and monty pips that call yaml can update to v5.1 of pyyaml
  • figure out which of those pips have incompatible changes
  • and test.
@1fish2 1fish2 added the security security vulnerabilities label Mar 23, 2019
@1fish2 1fish2 mentioned this issue Mar 23, 2019
Closed
@1fish2 1fish2 self-assigned this Apr 26, 2019
1fish2 added a commit that referenced this issue Apr 27, 2019
@1fish2
security fixes and python 2.7.16 bug-fix update
2187021 
* Fix #525: Update to python 2.7.16 which fixes a bunch of potential crashes, also updating to match the Dockerfile.
* Fix #511 update `urllib3` from 1.23 to 1.24.2 (not to 1.25.1 which is incompatible with this version of requests). https://nvd.nist.gov/vuln/detail/CVE-2019-11324
* Fix #527 update `Jinja2` from 2.10 to 2.10.1. https://nvd.nist.gov/vuln/detail/CVE-2019-10906
* Fix #478 update `pyyaml` from 3.13 to 5.1, which deprecates `yaml.load()` but doesn't actually fix the vulnerability. It looks like they tried to close the execute-arbitrary-code vulnerability in 4.0 but reverted the incompatibility. Still, this update should appease GitHub's security scanner. Change our code to call `yaml.safe_load()` instead of `yaml.load()`, although I think we're calling `ruamel.yaml`. https://nvd.nist.gov/vuln/detail/CVE-2017-18342
* Fix #479 `requests` from 2.19.1 to 2.21.0. It's used by FireWorks, bokeh, confluent_kafka, and ipython. https://nvd.nist.gov/vuln/detail/CVE-2018-18074
* Update `ruamel.yaml` from 0.15.43 to 0.15.94. That's 51 new bug fix releases! Clearly YAML is over-complicated.
* Update NumPy from 1.14.5 to 1.14.6 for a thread safety bug fix. (Releases 1.15 & 1.16 are substantial changes, and 1.17 will drop support for Python 2.7.)
* Add the `typing` and `mypy` pips while we're updating pyenvs. We'll need these when we start adding static type checking.
@1fish2 1fish2 mentioned this issue Apr 27, 2019
Merged
1fish2 added a commit that referenced this issue May 1, 2019
@1fish2
Security fixes and python 2.7.16 bug-fix update (#528)
304aedc 
* Fix #525: Update to python 2.7.16 which fixes a bunch of potential crashes, also updating to match the Dockerfile.
* Fix #511 update `urllib3` from 1.23 to 1.24.2 (not to 1.25.1 which is incompatible with this version of requests). https://nvd.nist.gov/vuln/detail/CVE-2019-11324
* Fix #527 update `Jinja2` from 2.10 to 2.10.1. https://nvd.nist.gov/vuln/detail/CVE-2019-10906
* Fix #478 update `pyyaml` from 3.13 to 5.1, which deprecates `yaml.load()` but doesn't actually fix the vulnerability. It looks like they tried to close the execute-arbitrary-code vulnerability in 4.0 but reverted the incompatibility. Still, this update should appease GitHub's security scanner. Change our code to call `yaml.safe_load()` instead of `yaml.load()`, although I think we're calling `ruamel.yaml`. https://nvd.nist.gov/vuln/detail/CVE-2017-18342
* Fix #479 `requests` from 2.19.1 to 2.21.0. It's used by FireWorks, bokeh, confluent_kafka, and ipython. https://nvd.nist.gov/vuln/detail/CVE-2018-18074
* Update `ruamel.yaml` from 0.15.43 to 0.15.94. That's 51 new bug fix releases! Clearly YAML is over-complicated.
* Update NumPy from 1.14.5 to 1.14.6 for a thread safety bug fix. (Releases 1.15 & 1.16 are substantial changes, and 1.17 will drop support for Python 2.7.)
* Add the `typing` and `mypy` pips while we're updating pyenvs. We'll need these when we start adding static type checking.

## Soon I'll delete and recreate the `wcEcoli2` pyenv.
## Please update the `wcEcoli2` pyenv on your local machines.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@1fish2 1fish2

Labels
security security vulnerabilities
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Security fixes and python 2.7.16 bug-fix update CovertLab/wcEcoli
1 participant
@1fish2