diff --git a/5.3.1.tar.gz b/5.3.1.tar.gz
deleted file mode 100644
index 66f30f9..0000000
Binary files a/5.3.1.tar.gz and /dev/null differ
diff --git a/CVE-2020-14343.patch b/CVE-2020-14343.patch
deleted file mode 100644
index 214639d..0000000
--- a/CVE-2020-14343.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From 7adc0db3f613a82669f2b168edd98379b83adb3c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ingy=20d=C3=B6t=20Net?=
-Date: Sat, 9 Jan 2021 10:53:23 -0500
-Subject: [PATCH] Fix for CVE-2020-14343
-
-Per suggestion https://github.com/yaml/pyyaml/issues/420#issuecomment-663888344
-move a few constructors from full_load to unsafe_load.
----
- lib/yaml/constructor.py | 24 ++++++++++++------------
- lib3/yaml/constructor.py | 24 ++++++++++++------------
- tests/lib/test_recursive.py | 2 +-
- tests/lib3/test_recursive.py | 2 +-
- 4 files changed, 26 insertions(+), 26 deletions(-)
-
-diff --git a/lib/yaml/constructor.py b/lib/yaml/constructor.py
-index 794681cb..c42ee344 100644
---- a/lib/yaml/constructor.py
-+++ b/lib/yaml/constructor.py
-@@ -722,18 +722,6 @@ def construct_python_object_new(self, suffix, node):
- u'tag:yaml.org,2002:python/name:',
- FullConstructor.construct_python_name)
-
--FullConstructor.add_multi_constructor(
-- u'tag:yaml.org,2002:python/module:',
-- FullConstructor.construct_python_module)
--
--FullConstructor.add_multi_constructor(
-- u'tag:yaml.org,2002:python/object:',
-- FullConstructor.construct_python_object)
--
--FullConstructor.add_multi_constructor(
-- u'tag:yaml.org,2002:python/object/new:',
-- FullConstructor.construct_python_object_new)
--
- class UnsafeConstructor(FullConstructor):
-
- def find_python_module(self, name, mark):
-@@ -750,6 +738,18 @@ def set_python_instance_state(self, instance, state):
- return super(UnsafeConstructor, self).set_python_instance_state(
- instance, state, unsafe=True)
-
-+UnsafeConstructor.add_multi_constructor(
-+ u'tag:yaml.org,2002:python/module:',
-+ UnsafeConstructor.construct_python_module)
-+
-+UnsafeConstructor.add_multi_constructor(
-+ u'tag:yaml.org,2002:python/object:',
-+ UnsafeConstructor.construct_python_object)
-+
-+UnsafeConstructor.add_multi_constructor(
-+ u'tag:yaml.org,2002:python/object/new:',
-+ UnsafeConstructor.construct_python_object_new)
-+
- UnsafeConstructor.add_multi_constructor(
- u'tag:yaml.org,2002:python/object/apply:',
- UnsafeConstructor.construct_python_object_apply)
-diff --git a/lib3/yaml/constructor.py b/lib3/yaml/constructor.py
-index 1948b125..619acd30 100644
---- a/lib3/yaml/constructor.py
-+++ b/lib3/yaml/constructor.py
-@@ -710,18 +710,6 @@ def construct_python_object_new(self, suffix, node):
- 'tag:yaml.org,2002:python/name:',
- FullConstructor.construct_python_name)
-
--FullConstructor.add_multi_constructor(
-- 'tag:yaml.org,2002:python/module:',
-- FullConstructor.construct_python_module)
--
--FullConstructor.add_multi_constructor(
-- 'tag:yaml.org,2002:python/object:',
-- FullConstructor.construct_python_object)
--
--FullConstructor.add_multi_constructor(
-- 'tag:yaml.org,2002:python/object/new:',
-- FullConstructor.construct_python_object_new)
--
- class UnsafeConstructor(FullConstructor):
-
- def find_python_module(self, name, mark):
-@@ -738,6 +726,18 @@ def set_python_instance_state(self, instance, state):
- return super(UnsafeConstructor, self).set_python_instance_state(
- instance, state, unsafe=True)
-
-+UnsafeConstructor.add_multi_constructor(
-+ 'tag:yaml.org,2002:python/module:',
-+ UnsafeConstructor.construct_python_module)
-+
-+UnsafeConstructor.add_multi_constructor(
-+ 'tag:yaml.org,2002:python/object:',
-+ UnsafeConstructor.construct_python_object)
-+
-+UnsafeConstructor.add_multi_constructor(
-+ 'tag:yaml.org,2002:python/object/new:',
-+ UnsafeConstructor.construct_python_object_new)
-+
- UnsafeConstructor.add_multi_constructor(
- 'tag:yaml.org,2002:python/object/apply:',
- UnsafeConstructor.construct_python_object_apply)
-diff --git a/tests/lib/test_recursive.py b/tests/lib/test_recursive.py
-index 312204ea..04c57985 100644
---- a/tests/lib/test_recursive.py
-+++ b/tests/lib/test_recursive.py
-@@ -30,7 +30,7 @@ def test_recursive(recursive_filename, verbose=False):
- output2 = None
- try:
- output1 = yaml.dump(value1)
-- value2 = yaml.load(output1, yaml.FullLoader)
-+ value2 = yaml.load(output1, yaml.UnsafeLoader)
- output2 = yaml.dump(value2)
- assert output1 == output2, (output1, output2)
- finally:
-diff --git a/tests/lib3/test_recursive.py b/tests/lib3/test_recursive.py
-index 74c2ee65..08042c81 100644
---- a/tests/lib3/test_recursive.py
-+++ b/tests/lib3/test_recursive.py
-@@ -31,7 +31,7 @@ def test_recursive(recursive_filename, verbose=False):
- output2 = None
- try:
- output1 = yaml.dump(value1)
-- value2 = yaml.full_load(output1)
-+ value2 = yaml.unsafe_load(output1)
- output2 = yaml.dump(value2)
- assert output1 == output2, (output1, output2)
- finally:
diff --git a/PyYAML-5.4.1.tar.gz b/PyYAML-5.4.1.tar.gz
new file mode 100644
index 0000000..187c66e
Binary files /dev/null and b/PyYAML-5.4.1.tar.gz differ
diff --git a/PyYAML.spec b/PyYAML.spec
index b1b5654..46e3611 100644
--- a/PyYAML.spec
+++ b/PyYAML.spec
@@ -2,13 +2,12 @@
 %bcond_without python3
 Name: pyyaml
-Version: 5.3.1
-Release: 4
+Version: 5.4.1
+Release: 1
 Summary: YAML parser and emitter for Python
 License: MIT
 URL: https://github.com/yaml/pyyaml
-Source0: https://github.com/yaml/pyyaml/archive/%{version}.tar.gz
-Patch0000: CVE-2020-14343.patch
+Source0: https://files.pythonhosted.org/packages/source/P/PyYAML/PyYAML-%{version}.tar.gz
 BuildRequires: gcc libyaml-devel
@@ -56,8 +55,7 @@ files to object serialization and persistence.
 %endif
 %prep
-%setup -q -n %{name}-%{version}
-%patch0000 -p1
+%setup -q -n PyYAML-%{version}
 %build
 %if %{with python3}
@@ -83,6 +81,9 @@ files to object serialization and persistence.
 %endif
 %changelog
+* Tue Jul 13 2021 huangtianhua - 5.4.1-1
+- Upgrade to 5.4.1
+
 * Fri Jun 11 2021 zhaomengchao - 5.3.1-4
 * Fix CVE-2020-14343
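Review bot: The new changelog entry in the last PyYAML.spec hunk says only `- Upgrade to 5.4.1` while the same commit drops `Patch0000: CVE-2020-14343.patch` and its `%patch0000 -p1` line, so anyone auditing this package for CVE-2020-14343 sees the fix vanish from the spec with no explanation. The deleted patch is upstream commit 7adc0db dated 9 Jan 2021, which upstream ships in the 5.4 series, so the drop is correct but should be stated; add a line after the upgrade entry such as `- Drop CVE-2020-14343.patch, fix is carried by upstream 5.4.1`. Separately, Source0 now points at the PyPI sdist and the tarball is committed as PyYAML-5.4.1.tar.gz, but nothing in the spec or the commit records how that archive was checked against the upstream-published artifact; noting the verification (the published sdist digest or signature, as a labelled value in the changelog or commit message) would give the supply-chain trail the previous GitHub-archive URL implicitly had.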