
CVE-2017-18342 Breaks beets #3221

Closed
lovesegfault opened this issue Apr 19, 2019 · 4 comments

@lovesegfault
Contributor

Problem

CVE-2017-18342, related to YAML parsing in Python, breaks beets on Gentoo. There are two related downstream bugs 1, 2.

Running this command in verbose (-vv) mode:

$ beet -vv update

Led to this problem:

user configuration: /home/bemeurer/.config/beets/config.yaml
data directory: /home/bemeurer/.config/beets
plugin paths:
Sending event: pluginload
artresizer: method is (2, (7, 0, 8))
thumbnails: using IM to write metadata
thumbnails: using GIO to compute URIs
Traceback (most recent call last):
  File "/usr/lib/python-exec/python3.6/beet", line 11, in <module>
    load_entry_point('beets==1.4.7', 'console_scripts', 'beet')()
  File "/usr/lib64/python3.6/site-packages/beets/ui/__init__.py", line 1256, in main
    _raw_main(args)
  File "/usr/lib64/python3.6/site-packages/beets/ui/__init__.py", line 1239, in _raw_main
    subcommands, plugins, lib = _setup(options, lib)
  File "/usr/lib64/python3.6/site-packages/beets/ui/__init__.py", line 1130, in _setup
    plugins = _load_plugins(config)
  File "/usr/lib64/python3.6/site-packages/beets/ui/__init__.py", line 1116, in _load_plugins
    plugins.send("pluginload")
  File "/usr/lib64/python3.6/site-packages/beets/plugins.py", line 475, in send
    for handler in event_handlers()[event]:
  File "/usr/lib64/python3.6/site-packages/beets/plugins.py", line 458, in event_handlers
    for plugin in find_plugins():
  File "/usr/lib64/python3.6/site-packages/beets/plugins.py", line 304, in find_plugins
    _instances[cls] = cls()
  File "/usr/lib64/python3.6/site-packages/beetsplug/lastgenre/__init__.py", line 115, in __init__
    self.setup()
  File "/usr/lib64/python3.6/site-packages/beetsplug/lastgenre/__init__.py", line 146, in setup
    genres_tree = yaml.load(f)
  File "/usr/lib64/python3.6/site-packages/yaml/__init__.py", line 109, in load
    raise RuntimeError("Unsafe load() call disabled by Gentoo. See bug #659348")
RuntimeError: Unsafe load() call disabled by Gentoo. See bug #659348

Setup

  • OS: Gentoo
  • Python version: 3.6.8
  • beets version: 1.4.7
  • Turning off plugins made the problem go away (yes/no): no
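As an added example (not code from beets or from anyone in this thread): a small, standard-library-only audit script that flags exactly the calls the Gentoo patch disables, namely yaml.load()/yaml.load_all() invoked without a Loader, plus calls that explicitly ask for the unsafe yaml.Loader/UnsafeLoader. The sample source it scans is constructed here and only modelled on the genres_tree = yaml.load(f) line in the traceback.

```python
import ast

# Loader classes that can construct arbitrary Python objects from YAML tags.
UNSAFE_LOADERS = {"Loader", "UnsafeLoader"}


def find_unsafe_yaml_loads(source, filename="<string>"):
    """Return sorted (lineno, reason) pairs for yaml.load()/yaml.load_all()
    calls made without a Loader or with an explicitly unsafe one."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Only attribute calls on the yaml module: yaml.load(...), yaml.load_all(...)
        if not (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)
                and func.value.id == "yaml"
                and func.attr in ("load", "load_all")):
            continue
        # Loader may be passed positionally (second argument) or as a keyword.
        loader = node.args[1] if len(node.args) >= 2 else None
        for kw in node.keywords:
            if kw.arg == "Loader":
                loader = kw.value
        if loader is None:
            findings.append((node.lineno, "%s() called without a Loader" % func.attr))
            continue
        # Accept both yaml.Loader (Attribute) and a bare Loader name (Name).
        name = getattr(loader, "attr", None) or getattr(loader, "id", None)
        if name in UNSAFE_LOADERS:
            findings.append((node.lineno, "explicit unsafe Loader: %s" % name))
    return sorted(findings)


# Constructed sample modelled on the lastgenre line in the traceback above;
# this is not the beets source itself.
SAMPLE = """\
import yaml

with open(path) as f:
    genres_tree = yaml.load(f)                       # line 4: flagged
legacy = yaml.load(text, Loader=yaml.Loader)         # line 5: flagged
ok1 = yaml.safe_load(text)                           # line 6: fine
ok2 = yaml.load(text, Loader=yaml.SafeLoader)        # line 7: fine
ok3 = yaml.load(text, yaml.SafeLoader)               # line 8: fine
"""

if __name__ == "__main__":
    for lineno, reason in find_unsafe_yaml_loads(SAMPLE):
        print("line %d: %s" % (lineno, reason))
```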
@sbraz
Contributor

sbraz commented Apr 19, 2019

This was fixed in be12a89; we just need to backport this.

@sbraz
Contributor

sbraz commented Apr 19, 2019

Removed more unsafe calls in #3225

@arcresu
Member

arcresu commented Apr 20, 2019

Thanks for letting us know about this! Now that we've removed the remaining unsafe YAML calls, I guess all that we can do is push out a new release of beets for packaging.

@sampsyo I'm not sure what your plans are in terms of work that should be wrapped up before releasing, but maybe this issue is a good motivation to make that happen sooner rather than later :)

@sampsyo
Member

sampsyo commented Apr 20, 2019

Indeed; thank you, @sbraz, for bringing this to our attention (and for the quick PR work). And yes, @arcresu, as if the impetus wasn't already there, we should really push this out as soon as possible. I'd like to do the bulk of the work today…

@sampsyo sampsyo closed this as completed Apr 20, 2019