From b6f0d515058e6a6f58731382d3fc47fb842e8183 Mon Sep 17 00:00:00 2001
From: rcmcronny <rcmcronny@users.noreply.github.com>
Date: Tue, 28 May 2019 15:18:12 +0200
Subject: [PATCH] change "yaml.load" to better "yaml.safe_load"

https://bugs.gentoo.org/659348

It is reported that in PyYAML before 4.1, usage of yaml.load() function on untrusted input could lead to arbitrary code execution. It is therefore recommended to use yaml.safe_load() instead. With 4.1, yaml.load() has been changed to call safe_load().

* Report:          http://seclists.org/oss-sec/2018/q2/240
* Upstream change: https://github.com/yaml/pyyaml/pull/74
* CVE:             pending

--

Gentoo Security Scout
Vladimir Krstulja
---
 dmarchiver.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dmarchiver.py b/dmarchiver.py
index 3f984ed..2cb6d61 100755
--- a/dmarchiver.py
+++ b/dmarchiver.py
@@ -34,7 +34,7 @@
 
 try:
 	with open(config, 'r') as ymlfile:
-		cfg = yaml.load(ymlfile)
+		cfg = yaml.safe_load(ymlfile)
 
 		imap_host       = cfg['imap']['imap_host']
 		imap_port       = cfg['imap']['imap_port']