app-misc/lirc: Use pyyaml safe_load instead of load

See upstream report at https://sourceforge.net/p/lirc/git/merge-requests/39/ Bug: https://bugs.gentoo.org/682922 Package-Manager: Portage-2.3.66, Repoman-2.3.12 Signed-off-by: Craig Andrews <candrews@gentoo.org>
author: Craig Andrews <candrews@gentoo.org> 2019-05-11 12:11:28 -0400
committer: Craig Andrews <candrews@gentoo.org> 2019-05-11 12:16:51 -0400
commit: 004c4079cde46b2a793a4bb7b02d1d939e59aff4 (patch)
tree: f6928fd7ef6140a9d56ba0b88f3cbfe5d8f41c79 /app-misc/lirc/files
parent: dev-python/pytest: bump to 4.4.2 (diff)
download: gentoo-004c4079cde46b2a793a4bb7b02d1d939e59aff4.tar.gz
gentoo-004c4079cde46b2a793a4bb7b02d1d939e59aff4.tar.bz2
gentoo-004c4079cde46b2a793a4bb7b02d1d939e59aff4.zip
1 files changed, 52 insertions, 0 deletions
diff --git a/app-misc/lirc/files/lirc-0.10.1-unsafe-load.patch b/app-misc/lirc/files/lirc-0.10.1-unsafe-load.patch
new file mode 100644
index 000000000000..7758ebb6e899
--- /dev/null
+++ b/app-misc/lirc/files/lirc-0.10.1-unsafe-load.patch
@@ -0,0 +1,52 @@
+https://sourceforge.net/p/lirc/git/merge-requests/39/
+
+commit 8fab503abb3fdababb1875fdc2373afe8534770e
+Author: Craig Andrews <candrews@integralblue.com>
+Date:   Sat May 11 11:39:44 2019 -0400
+
+    Use pyyaml safe_load instead of load
+    
+    Using load on untrusted user input could lead to arbitrary code execution.
+    Therefore, upstream has disabled load, requiring the use of either
+    safe_load or full_load
+    See https://github.com/yaml/pyyaml/issues/265
+
+diff --git a/python-pkg/lirc/database.py b/python-pkg/lirc/database.py
+index d464c2ab..bd567181 100644
+--- a/python-pkg/lirc/database.py
++++ b/python-pkg/lirc/database.py
+@@ -66,7 +66,7 @@ def _load_kerneldrivers(configdir):
+     '''
+ 
+     with open(os.path.join(configdir, "kernel-drivers.yaml")) as f:
+-        cf = yaml.load(f.read())
++        cf = yaml.safe_load(f.read())
+     drivers = cf['drivers'].copy()
+     for driver in cf['drivers']:
+         if driver == 'default':
+@@ -132,14 +132,14 @@ class Database(object):
+             yamlpath = configdir
+         db = {}
+         with open(os.path.join(yamlpath, "confs_by_driver.yaml")) as f:
+-            cf = yaml.load(f.read())
++            cf = yaml.safe_load(f.read())
+         db['lircd_by_driver'] = cf['lircd_by_driver'].copy()
+         db['lircmd_by_driver'] = cf['lircmd_by_driver'].copy()
+ 
+         db['kernel-drivers'] = _load_kerneldrivers(configdir)
+         db['drivers'] = db['kernel-drivers'].copy()
+         with open(os.path.join(yamlpath, "drivers.yaml")) as f:
+-            cf = yaml.load(f.read())
++            cf = yaml.safe_load(f.read())
+         db['drivers'].update(cf['drivers'].copy())
+         for key, d in db['drivers'].items():
+             d['id'] = key
+@@ -158,7 +158,7 @@ class Database(object):
+         configs = {}
+         for path in glob.glob(configdir + '/*.conf'):
+             with open(path) as f:
+-                cf = yaml.load(f.read())
++                cf = yaml.safe_load(f.read())
+             configs[cf['config']['id']] = cf['config']
+         db['configs'] = configs
+         self.db = db
author	Craig Andrews <candrews@gentoo.org>	2019-05-11 12:11:28 -0400
committer	Craig Andrews <candrews@gentoo.org>	2019-05-11 12:16:51 -0400
commit	004c4079cde46b2a793a4bb7b02d1d939e59aff4 (patch)
tree	f6928fd7ef6140a9d56ba0b88f3cbfe5d8f41c79 /app-misc/lirc/files
parent	dev-python/pytest: bump to 4.4.2 (diff)
download	gentoo-004c4079cde46b2a793a4bb7b02d1d939e59aff4.tar.gz gentoo-004c4079cde46b2a793a4bb7b02d1d939e59aff4.tar.bz2 gentoo-004c4079cde46b2a793a4bb7b02d1d939e59aff4.zip