Safety vulnerability ID: 42949
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Pre-commit 1.10.4 replaces `yaml.load` with a safe alternative to avoid a remote code execution vulnerability.
https://github.com/pre-commit/pre-commit/commit/6853f4aa4c8d7e411839bacc66876baea443186a
Latest version: 4.0.1
A framework for managing and maintaining multi-language pre-commit hooks.
===================
Fixes
- Replace `yaml.load` with safe alternative
    - `yaml.load` can lead to arbitrary code execution, though not where it was used
    - issue by tonybaloney.
    - 779 PR by asottile.
- Improve not found error with script paths (`./exe`)
    - 782 issue by ssbarnea.
    - 785 PR by asottile.
- Fix minor buffering issue during `--show-diff-on-failure`
    - 796 PR by asottile.
- Default `language_version: python3` for `python_venv` when running in python2
    - 794 issue by ssbarnea.
    - 797 PR by asottile.
- `pre-commit run X` only runs `X` and not hooks with `stages: [...]`
    - 772 issue by asottile.
    - 803 PR by mblayman.
Misc.
- Improve travis-ci build times by caching rust / swift artifacts
    - 781 PR by expobrain.
- Test against python3.7
    - 789 PR by expobrain.