author | 2019-05-11 12:11:28 -0400 | |
---|---|---|
committer | 2019-05-11 12:16:51 -0400 | |
commit | 004c4079cde46b2a793a4bb7b02d1d939e59aff4 (patch) | |
tree | f6928fd7ef6140a9d56ba0b88f3cbfe5d8f41c79 /app-misc/lirc/files | |
parent | dev-python/pytest: bump to 4.4.2 (diff) | |
app-misc/lirc: Use pyyaml safe_load instead of load
See upstream report at
https://sourceforge.net/p/lirc/git/merge-requests/39/
Bug: https://bugs.gentoo.org/682922
Package-Manager: Portage-2.3.66, Repoman-2.3.12
Signed-off-by: Craig Andrews <candrews@gentoo.org>
Diffstat (limited to 'app-misc/lirc/files')
-rw-r--r-- | app-misc/lirc/files/lirc-0.10.1-unsafe-load.patch | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/app-misc/lirc/files/lirc-0.10.1-unsafe-load.patch b/app-misc/lirc/files/lirc-0.10.1-unsafe-load.patch
new file mode 100644
index 000000000000..7758ebb6e899
--- /dev/null
+++ b/app-misc/lirc/files/lirc-0.10.1-unsafe-load.patch
@@ -0,0 +1,52 @@
+https://sourceforge.net/p/lirc/git/merge-requests/39/
+
+commit 8fab503abb3fdababb1875fdc2373afe8534770e
+Author: Craig Andrews <candrews@integralblue.com>
+Date: Sat May 11 11:39:44 2019 -0400
+
+ Use pyyaml safe_load instead of load
+
+ Using load on untrusted user input could lead to arbitrary code execution.
+ Therefore, upstream has disabled load, requiring the use of either
+ safe_load or full_load
+ See https://github.com/yaml/pyyaml/issues/265
+
+diff --git a/python-pkg/lirc/database.py b/python-pkg/lirc/database.py
+index d464c2ab..bd567181 100644
+--- a/python-pkg/lirc/database.py
++++ b/python-pkg/lirc/database.py
+@@ -66,7 +66,7 @@ def _load_kerneldrivers(configdir):
+ '''
+
+ with open(os.path.join(configdir, "kernel-drivers.yaml")) as f:
+- cf = yaml.load(f.read())
++ cf = yaml.safe_load(f.read())
+ drivers = cf['drivers'].copy()
+ for driver in cf['drivers']:
+ if driver == 'default':
+@@ -132,14 +132,14 @@ class Database(object):
+ yamlpath = configdir
+ db = {}
+ with open(os.path.join(yamlpath, "confs_by_driver.yaml")) as f:
+- cf = yaml.load(f.read())
++ cf = yaml.safe_load(f.read())
+ db['lircd_by_driver'] = cf['lircd_by_driver'].copy()
+ db['lircmd_by_driver'] = cf['lircmd_by_driver'].copy()
+
+ db['kernel-drivers'] = _load_kerneldrivers(configdir)
+ db['drivers'] = db['kernel-drivers'].copy()
+ with open(os.path.join(yamlpath, "drivers.yaml")) as f:
+- cf = yaml.load(f.read())
++ cf = yaml.safe_load(f.read())
+ db['drivers'].update(cf['drivers'].copy())
+ for key, d in db['drivers'].items():
+ d['id'] = key
+@@ -158,7 +158,7 @@ class Database(object):
+ configs = {}
+ for path in glob.glob(configdir + '/*.conf'):
+ with open(path) as f:
+- cf = yaml.load(f.read())
++ cf = yaml.safe_load(f.read())
+ configs[cf['config']['id']] = cf['config']
+ db['configs'] = configs
+ self.db = db |
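Review bot: All four `yaml.safe_load(f.read())` results are indexed immediately (`cf['drivers']`, `cf['lircd_by_driver']`, `cf['config']['id']`), so nothing in the visible lines handles a file that parses to `None` or a non-mapping, nor the `yaml.YAMLError` that `safe_load` now raises for any Python-specific tag. This matters most in the last inner hunk, where every `*.conf` under `configdir` is parsed in a loop and one bad file would abort the whole `Database` load. There I would catch `yaml.YAMLError` around the parse and check `isinstance(cf, dict) and 'config' in cf` before the `configs[...]` assignment, reporting the offending `path`. Of the two replacements the embedded commit message names, `safe_load` is the right one for these files because it builds only plain YAML types, and `yaml.safe_load(f)` would do the same without the `f.read()`. The enclosing functions begin and end outside the quoted hunks, so handling further out cannot be ruled out.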