[debops-security] Remote code execution vulnerability in DebOps API

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Dears DebOps folks A remote code execution vulnerability has been found in the DebOps API [1], the Python script which pre-computes the content served by https://api.debops.org/. - - The default ``yaml.load`` method from PyYAML which is used to read Ansigenome YAML files is unsafe. As a result remote code execution was possible when the DebOps API script parsed role metadata. Refer to the issue `Make load safe_load <https://github.com/yaml/pyyaml/issues/5>`_. This has been fixed by switching to ``yaml.safe_load``. [ypid_] Risk: Arbitrary code could have been executed on a server running the DebOps API by getting a malicious `meta/ansigenome.yml` file into one of the DebOps core roles (with DebOps being the only known deployment of the DebOps API). The DebOps API automatically updates once per hour to the latest master of all DebOps core roles, as part of the update, present `meta/ansigenome.yml` files are parsed and the API data is pre-computed. Potential code would run with the permissions of the debops-api user which is a restricted system user [3] who’s write access is limited to DebOps API data. Note that before changes enter DebOps core roles, they need to be reviewed by at least one DebOps Developer [2] and we are not aware of any attempts (successful or unsuccessful) to exploit this vulnerability to gain access to project infrastructure. The only known DebOps API instance [4] has been patched before publicly disclosing this vulnerability. This issue was reported on 2017-02-21 by Robin Schneider (DebOps Developer and author of the DebOps API). The fix is being pushed to the main repository shortly before this email is being send. This announcement is being made following the [DebOps Security Policy]. git commit which fixes it: commit 570c61b77cf4f99091333fc687c63a822d70a7af (HEAD, master) gpg: Signature made Di 21 Feb 2017 21:45:25 CET gpg: using RSA key 0x489A4D5EC353C98A gpg: Good signature from "Robin Schneider (Automatic Signing Key) <ypid(a)riseup.net&gt;&quot; [ultimate] gpg: aka "Robin Schneider (Automatic Signing Key) <ypid23(a)aol.de&gt;&quot; [ultimate] Primary key fingerprint: EF96 BC32 AC57 CFC7 2DF0 1D8C 489A 4D5E C353 C98A Author: Robin Schneider <ypid(a)riseup.net&gt; Date: Tue Feb 21 21:43:52 2017 Fix remote code execution vulnerability by switching to yaml.safe_load [1]: https://github.com/debops/debops-api [2]: https://docs.debops.org/en/latest/debops-keyring/docs/entities.html#debop... ng-role-developers [3]: https://github.com/debops/ansible-debops_api/blob/5dcda6874ee252a2d314b8a... 0d91b6ba62/defaults/main.yml#L63 [4]: https://api.debops.org/ [DebOps Security Policy]: https://docs.debops.org/en/latest/debops-policy/docs/security-policy.html - -- Live long and prosper Robin `ypid` Schneider -- https://me.ypid.de/