Remote code execution vulnerability in DebOps API
by Robin Schneider
Dear DebOps folks,
A remote code execution vulnerability has been found in the DebOps API, the
Python script which pre-computes the content served by https://api.debops.org/.
- The default ``yaml.load`` method from PyYAML which is used to read
Ansigenome YAML files is unsafe.
As a result remote code execution was possible when the DebOps API script
parsed role metadata.
Refer to the issue `Make load safe_load
This has been fixed by switching to ``yaml.safe_load``. [ypid_]
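The difference between the two loaders, as an added example that is not code from the DebOps API: the role metadata below is constructed to resemble a `meta/ansigenome.yml` file, and the tagged variant deliberately uses a harmless PyYAML-specific tag (`!!python/tuple`) to show that the full loader constructs Python objects on request while ``yaml.safe_load`` refuses any tag outside core YAML. The function names are assumptions of this example.

```python
"""Constructed example: yaml.load (full loader) versus yaml.safe_load on
Ansigenome-style role metadata. Requires PyYAML."""
import yaml

# Constructed stand-in for a benign meta/ansigenome.yml as a role would ship it.
BENIGN_META = """\
---
galaxy_info:
  author: Example Author
  description: Example role description
  license: GPL-3.0
"""

# Constructed tagged variant: a PyYAML-specific tag asks the loader to build a
# Python object instead of plain data. A harmless tag is used on purpose; the
# point is that the full loader honours such tags at all.
TAGGED_META = """\
---
galaxy_info:
  author: !!python/tuple [Example, Author]
"""


def load_metadata_unsafe(text):
    """Pre-fix behaviour: yaml.Loader resolves Python-specific tags."""
    return yaml.load(text, Loader=yaml.Loader)


def load_metadata_safe(text):
    """Post-fix behaviour: only core YAML types (mappings, lists, scalars)
    are constructed; any other tag aborts parsing with a ConstructorError."""
    return yaml.safe_load(text)


def parse_role_metadata(text):
    """Mirror the API's per-role parsing step defensively: return the parsed
    mapping, or None plus the loader's reason when the file carries a tag
    that safe_load refuses, so the role can be logged and skipped."""
    try:
        return load_metadata_safe(text), None
    except yaml.constructor.ConstructorError as exc:
        return None, str(exc.problem)


if __name__ == "__main__":
    print(load_metadata_unsafe(TAGGED_META)["galaxy_info"]["author"])
    print(parse_role_metadata(TAGGED_META))
```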
Risk: Arbitrary code could have been executed on a server running the DebOps
API by getting a malicious `meta/ansigenome.yml` file into one of the DebOps
core roles (with DebOps being the only known deployment of the DebOps API). The
DebOps API automatically updates once per hour to the latest master of all
DebOps core roles; as part of that update, any `meta/ansigenome.yml` files
present are parsed and the API data is pre-computed.
Potential code would run with the permissions of the debops-api user, which is a
restricted system user whose write access is limited to DebOps API data.
Note that before changes enter DebOps core roles, they need to be reviewed by at
least one DebOps Developer, and we are not aware of any attempts (successful
or unsuccessful) to exploit this vulnerability to gain access to project
The only known DebOps API instance has been patched before publicly
disclosing this vulnerability.
This issue was reported on 2017-02-21 by Robin Schneider (DebOps Developer and
author of the DebOps API).
The fix is being pushed to the main repository shortly before this email is
This announcement is being made following the [DebOps Security Policy].
git commit which fixes it:
commit 570c61b77cf4f99091333fc687c63a822d70a7af (HEAD, master)
gpg: Signature made Di 21 Feb 2017 21:45:25 CET
gpg: using RSA key 0x489A4D5EC353C98A
gpg: Good signature from "Robin Schneider (Automatic Signing Key)
gpg: aka "Robin Schneider (Automatic Signing Key)
Primary key fingerprint: EF96 BC32 AC57 CFC7 2DF0 1D8C 489A 4D5E C353 C98A
Author: Robin Schneider <ypid(a)riseup.net>
Date: Tue Feb 21 21:43:52 2017
Fix remote code execution vulnerability by switching to yaml.safe_load
[DebOps Security Policy]:
Live long and prosper
Robin `ypid` Schneider -- https://me.ypid.de/