From 5a2651f0d3624a857d0e27f1cdef539fcbef6cb4 Mon Sep 17 00:00:00 2001
From: David Toman
Date: Sat, 19 Oct 2019 21:58:55 +0200
Subject: [PATCH] Update controller.py
It is reported that in PyYAML before 4.1, usage of yaml.load() function on untrusted input could lead to arbitrary code execution. It is therefore recommended to use yaml.safe_load() instead. With 4.1, yaml.load() has been changed to call safe_load(). * Report: http://seclists.org/oss-sec/2018/q2/240 * Upstream change: https://github.com/yaml/pyyaml/pull/74 * CVE: pending -- Gentoo Security Scout Vladimir Krstulja
---
 amdgpu_fan/controller.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/amdgpu_fan/controller.py b/amdgpu_fan/controller.py
index 8076b24..7c46b92 100644
--- a/amdgpu_fan/controller.py
+++ b/amdgpu_fan/controller.py
@@ -41,7 +41,7 @@ def main(self):
 def load_config(path):
 logger.debug(f'loading config from {path}')
 with open(path) as f:
- return yaml.load(f)
+ return yaml.safe_load(f)
 def main():
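Review bot: load_config returns whatever `yaml.safe_load(f)` produces without checking its shape: an empty file yields `None`, and a top-level list or scalar passes straight through, so a malformed config would only surface later in whichever caller indexes it (the callers are outside this hunk). Consider `config = yaml.safe_load(f)` followed by `if not isinstance(config, dict): raise ValueError(f'{path}: expected a YAML mapping')` before returning it. A short comment on the call, e.g. `# safe_load only: the config file must never construct arbitrary Python objects`, would keep a later edit from reverting to `yaml.load`; this matters more if the controller runs with elevated privileges, which the diff does not show.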