Control: tags 988998 + pending Dear maintainer,
I've prepared an NMU for lava (versioned as 2020.12-4.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer. Regards, SR
diff -Nru lava-2020.12/debian/changelog lava-2020.12/debian/changelog --- lava-2020.12/debian/changelog 2021-05-12 09:34:00.000000000 -0400 +++ lava-2020.12/debian/changelog 2021-05-23 11:34:54.000000000 -0400 @@ -1,3 +1,11 @@ +lava (2020.12-4.1) unstable; urgency=medium + + * Non-maintainer upload. + * Patch: Support pyyaml's security patch in 5.3.1-4 (from 5.4 upstream). + (Closes: #988998) + + -- Stefano Rivera <stefa...@debian.org> Sun, 23 May 2021 11:34:54 -0400 + lava (2020.12-4) unstable; urgency=medium * Reinstate /etc/logrotate.d/lava-scheduler-log with the original contents diff -Nru lava-2020.12/debian/patches/0002-Add-yaml_unsafe_load.patch lava-2020.12/debian/patches/0002-Add-yaml_unsafe_load.patch --- lava-2020.12/debian/patches/0002-Add-yaml_unsafe_load.patch 1969-12-31 20:00:00.000000000 -0400 +++ lava-2020.12/debian/patches/0002-Add-yaml_unsafe_load.patch 2021-05-23 11:34:51.000000000 -0400 
@@ -0,0 +1,90 @@ +From f09a08701539cf022f7507e376f26d2a3229a607 Mon Sep 17 00:00:00 2001 +From: Marc Deslauriers <marc.deslauri...@ubuntu.com> +Date: Sun, 23 May 2021 11:18:22 -0400 +Subject: [PATCH] Add yaml_unsafe_load + +And use it in test as some constructiors were removed in pyyaml security update + +Bug-Debian: https://bugs.debian.org/988998 +Forwarded: https://git.lavasoftware.org/lava/lava/-/issues/488 + +--- + lava_common/compat.py | 9 +++++++++ + tests/lava_dispatcher/test_multinode.py | 4 ++-- + tests/lava_scheduler_app/test_pipeline.py | 4 ++-- + 3 files changed, 13 insertions(+), 4 deletions(-) + +diff --git a/lava_common/compat.py b/lava_common/compat.py +index dd35282fc..c8c981701 100644 +--- a/lava_common/compat.py ++++ b/lava_common/compat.py +@@ -45,6 +45,10 @@ try: + from yaml import CSafeLoader as SafeLoader + except ImportError: + from yaml import SafeLoader ++try: ++ from yaml import CUnsafeLoader as UnsafeLoader ++except ImportError: ++ from yaml import UnsafeLoader + try: + from yaml import CSafeDumper as SafeDumper + except ImportError: +@@ -65,6 +69,11 @@ def yaml_safe_load(data): + return yaml.load(data, Loader=SafeLoader) + + ++# handle compatibility for yaml.unsafe_load ++def yaml_unsafe_load(data): ++ return yaml.load(data, Loader=UnsafeLoader) ++ ++ + # handle compatibility for yaml.dump + def yaml_dump(data, *args, **kwargs): + return yaml.dump(data, *args, Dumper=Dumper, **kwargs) +diff --git a/tests/lava_dispatcher/test_multinode.py b/tests/lava_dispatcher/test_multinode.py +index fee427cdd..e7a96b117 100644 +--- a/tests/lava_dispatcher/test_multinode.py ++++ b/tests/lava_dispatcher/test_multinode.py +@@ -23,7 +23,7 @@ import os + import uuid + import json + +-from lava_common.compat import yaml_dump, yaml_load ++from lava_common.compat import yaml_dump, yaml_unsafe_load + from lava_common.constants import LAVA_MULTINODE_SYSTEM_TIMEOUT + from lava_common.timeout import Timeout + from lava_common.exceptions import TestError, 
JobError, InfrastructureError +@@ -283,7 +283,7 @@ class TestMultinode(StdoutTestCase): + for action in self.client_job.pipeline.actions: + data = action.explode() + data_str = yaml_dump(data) +- yaml_load(data_str) # nosec not suitable for safe_load ++ yaml_unsafe_load(data_str) # nosec not suitable for safe_load + + def test_multinode_timeout(self): + """ +diff --git a/tests/lava_scheduler_app/test_pipeline.py b/tests/lava_scheduler_app/test_pipeline.py +index 1f58dfba5..3cc058dfa 100644 +--- a/tests/lava_scheduler_app/test_pipeline.py ++++ b/tests/lava_scheduler_app/test_pipeline.py +@@ -26,7 +26,7 @@ from lava_scheduler_app.schema import ( + SubmissionException, + ) + +-from lava_common.compat import yaml_load ++from lava_common.compat import yaml_unsafe_load + from lava_dispatcher.device import PipelineDevice + from lava_dispatcher.parser import JobParser + from tests.lava_dispatcher.test_defs import check_missing_path +@@ -1127,7 +1127,7 @@ class TestYamlMultinode(TestCaseWithFactory): + meta_dict, + ) + # simulate dynamic connection +- dynamic = yaml_load( # nosec - not suitable for safe_load ++ dynamic = yaml_unsafe_load( # nosec - not suitable for safe_load + open( + os.path.join( + os.path.dirname(__file__), +-- +2.30.2 + diff -Nru lava-2020.12/debian/patches/series lava-2020.12/debian/patches/series --- lava-2020.12/debian/patches/series 2021-05-12 09:34:00.000000000 -0400 +++ lava-2020.12/debian/patches/series 2021-05-23 11:34:10.000000000 -0400 @@ -1 +1,2 @@ 0001-lava_rest_app-fix-field-name-in-filters.patch +0002-Add-yaml_unsafe_load.patch
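Review bot: `yaml_unsafe_load` in lava_common/compat.py is added to a shared, importable module with only the comment `# handle compatibility for yaml.unsafe_load`, which does not tell callers that UnsafeLoader can instantiate arbitrary Python objects from the document it parses. Both call sites visible in this patch are tests (test_multinode.py round-trips its own `yaml_dump` output, and test_pipeline.py appears to read a file located relative to `__file__`), so the use here looks confined to trusted data, but nothing in the helper keeps later code from calling it on job, device or submitted YAML. I would give it a docstring such as `"""Load YAML with UnsafeLoader. Trusted, locally generated input only (tests); use yaml_safe_load for job, device or user-supplied data."""`. In the test_pipeline.py hunk the `open(` result is passed straight to the loader and the rest of the call lies outside the hunk, so whether the file handle is closed cannot be confirmed from here; a `with open(...)` block would make that explicit.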