Address RVD#2401 (#170)

Our team at @aliasrobotics identified and reported in RVD#2401 the use of unsafe yaml load (aliasrobotics/RVD#2401). After triaging the flaw we detected that it was exploitable and could lead to local (or remote, based on certain common user interaction) code execution. Specifically, the flaw itself is caused by an unsafe parsing of YAML values which happens whenever an action message is processed to be sent, and allows for the creation of Python objects. Through this flaw in ROS, an attacker could build a malicious payload and execute arbitrary code in Python. A PoC is available but have decided not to disclose it for now and until this is mitigated and debs are available. Peer-researched and coded with @ibaiape.
ros · Aug 21, 2020 · 07887cb · 07887cb
1 parent c89e440
commit 07887cb
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/tools/library.py b/tools/library.py
@@ -95,7 +95,7 @@ def yaml_msg_str(type_, yaml_str, filename=None):
     if yaml_str.strip() == '':
         msg_dict = {}
     else:
-        msg_dict = yaml.load(yaml_str)
+        msg_dict = yaml.safe_load(yaml_str)
     if not isinstance(msg_dict, dict):
         if filename:
             raise ValueError("yaml file [%s] does not contain a dictionary" % filename)
@@ -129,7 +129,7 @@ def yaml_msgs_str(type_, yaml_str, filename=None):
     @type  filename: str
     """
     import yaml
-    yaml_doc = yaml.load(yaml_str)
+    yaml_doc = yaml.safe_load(yaml_str)
     msgs = []
     for msg_dict in yaml_doc:
         if not isinstance(msg_dict, dict):