
Update PyYAML to >= 5.4 for CVE-2020-14343 #68

Closed
adveres opened this issue Apr 9, 2021 · 3 comments

adveres commented Apr 9, 2021

Hello! I'm encountering a security failure for pipenv check using one of these base images.

Issue

  • IMAGE: tiangolo/uvicorn-gunicorn:python3.8-slim-2020-12-19
  • CVE-2020-14343

#9 11.44 Checking PEP 508 requirements...
#9 11.49 Passed!
#9 11.49 Checking installed package safety...
#9 13.31 39611: pyyaml <5.4 resolved (5.3.1 installed)!
#9 13.31 A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747. See CVE-2020-14343.

Reproduce

Simple Dockerfile:

FROM tiangolo/uvicorn-gunicorn:python3.8-slim-2020-12-19 as base
RUN pip freeze \
    && pip install pipenv \
    && pipenv check

docker build .

..........

#6 [base 2/2] RUN pip freeze
#6 sha256:e76efe7bb1013b8ea339937c42cd3938acaff5f50fc90d629df2396671b97ca4
#6 0.553 click==7.1.2
#6 0.553 gunicorn==20.0.4
#6 0.553 h11==0.11.0
#6 0.553 httptools==0.1.1
#6 0.553 python-dotenv==0.15.0
#6 0.553 PyYAML==5.3.1
#6 0.553 uvicorn==0.13.1
#6 0.553 uvloop==0.14.0
#6 0.553 watchgod==0.6
#6 0.553 websockets==8.1
#6 DONE 0.6s

Where PyYAML==5.3.1 must be updated.

Gist

https://gist.github.com/adveres/a1ddf55cd4491907431ae5f062ca38f2
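The `pipenv check` failure above boils down to one pinned line in the `pip freeze` output. As an added example (not code from the issue, the base image, or the uvicorn project), the script below re-implements that check in plain Python: it parses `pip freeze` output, normalizes package names the way pip does, and flags any pin below the fixed version in a small advisory table. The only advisory entry is the one reported on this page (pyyaml < 5.4, CVE-2020-14343); the table and the simplified version parser are assumptions for illustration, and the freeze text is copied from the build log in the issue.

```python
import re

# `pip freeze` output copied from the issue's build log; PyYAML==5.3.1 is the
# line that `pipenv check` flagged.
FREEZE_OUTPUT = """\
click==7.1.2
gunicorn==20.0.4
h11==0.11.0
httptools==0.1.1
python-dotenv==0.15.0
PyYAML==5.3.1
uvicorn==0.13.1
uvloop==0.14.0
watchgod==0.6
websockets==8.1
"""

# Hypothetical advisory table (assumption): package -> [(first fixed version, CVE)].
# The single entry is the advisory quoted on this page; extend it as needed.
ADVISORIES = {
    "pyyaml": [("5.4", "CVE-2020-14343")],
}


def parse_version(text):
    """Turn '5.3.1' into (5, 3, 1) so tuples compare numerically.

    Non-numeric suffixes such as '5.4rc1' are truncated to the leading digits;
    this is a deliberate simplification, not a full PEP 440 implementation.
    """
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def normalize_name(name):
    """pip treats names case-insensitively and '-', '_' and '.' as equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_freeze(freeze_text):
    """Yield (normalized_name, version) for every 'name==version' line."""
    for line in freeze_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        yield normalize_name(name), version.strip()


def find_vulnerable(freeze_text, advisories=ADVISORIES):
    """Return [(package, installed, fixed_in, cve)] for each pin below a fix."""
    findings = []
    for name, installed in parse_freeze(freeze_text):
        for fixed_in, cve in advisories.get(name, []):
            if parse_version(installed) < parse_version(fixed_in):
                findings.append((name, installed, fixed_in, cve))
    return findings


if __name__ == "__main__":
    # Prints one line per finding with the pin that resolves it.
    for pkg, installed, fixed, cve in find_vulnerable(FREEZE_OUTPUT):
        print(f"{pkg} {installed} < {fixed}: {cve}; pin {pkg}>={fixed}")
```

Run against the freeze text from the issue it reports only `pyyaml 5.3.1 < 5.4`; the same freeze with `PyYAML==5.4` produces no findings. Upgrading the pin removes the advisory, and independently of the version, code that parses untrusted YAML should use `yaml.safe_load` rather than `full_load`/`FullLoader`, since the quoted advisory is specific to the full loader.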

adveres commented Apr 12, 2021

This actually appears to come from the standard uvicorn install (https://www.uvicorn.org/#quickstart), e.g. pip install uvicorn[standard] in the Dockerfile. So probably uvicorn itself needs to update its dependency?

@tiangolo (Owner) commented

There have been some releases since this was posted, could you check again and confirm it's solved?

Sorry for the long delay! 🙈 I wanted to personally address each issue/PR and they piled up through time, but now I'm checking each one in order.

github-actions bot commented Dec 8, 2022

Assuming the original issue was solved, it will be automatically closed now. But feel free to add more comments or create new issues.

github-actions bot closed this as completed Dec 8, 2022