Comment 2 for bug 1849640

Ryan Harper (raharper) wrote :

Thanks for taking the time to make cloud-init more secure. At this time we do not believe this is a security issue. Cloud-init does have a safe yaml parser and your scan did find one call-site which was not using the existing safe yaml parser, though not in the primary execution path of cloud-init. This has already been patched and merged upstream.

This bug mentions use of yaml.load() and suggests using safeload() instead and worries about executing code during the yaml.load() operation.

1. cloudinit/cmd/devel/ yaml.load(net_data) Line 81
The method is called by unprivileged users on a system; any code execution would run with permissions of that user. This method is not called or used during system boot.
This call to yaml.load should be replaced with a call to cloudinit.util.load_yaml() which uses cloudinit.safeyaml loader which uses yaml.SafeLoader.

2. cloudinit/,Loader=_CustomSafeLoader)
This use of yaml.load specifies a Loader that is not the default Loader. _CustomSafeLoader(), defined in the same file, is a subclass of yaml.SafeLoader which is the loader used by yaml.safeload().

3. cloudinit/ at line 950, converted = safeyaml.load(blob)
This code uses cloudinit’s safeyaml.load() method which uses yaml.SafeLoader.
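
Added example, not part of the comment above and not cloud-init code: a small `ast`-based triage that separates the three kinds of call site the comment distinguishes (no Loader given, a Loader that subclasses `yaml.SafeLoader`, and a wrapper such as `safeyaml.load()`). The function names in the sample and the verdict labels are assumptions made for illustration.

```python
import ast

SAFE_BASES = {"SafeLoader", "CSafeLoader"}  # PyYAML's safe loader classes

def _name(node):
    # Last component of a Name/Attribute node: yaml.SafeLoader -> "SafeLoader"
    return getattr(node, "attr", None) or getattr(node, "id", None)

def triage_yaml_load(source):
    """Return sorted (lineno, verdict) for each direct yaml.load() call."""
    tree = ast.parse(source)
    safe = set(SAFE_BASES)
    # Classes in this file deriving from a safe loader count as safe too.
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef) and any(_name(b) in safe for b in node.bases):
            safe.add(node.name)
    findings = []
    for node in ast.walk(tree):
        f = getattr(node, "func", None)
        # Only yaml.load(...); wrappers such as safeyaml.load() are not matched.
        if not (isinstance(node, ast.Call) and isinstance(f, ast.Attribute)
                and f.attr == "load" and isinstance(f.value, ast.Name)
                and f.value.id == "yaml"):
            continue
        loader = next((k.value for k in node.keywords if k.arg == "Loader"), None)
        if loader is None and len(node.args) > 1:
            loader = node.args[1]  # Loader passed positionally
        if loader is None:
            verdict = "no-loader"      # default loader: replace with a safe one
        elif _name(loader) in safe:
            verdict = "safe-loader"
        else:
            verdict = "review"         # explicit loader that is not known-safe
        findings.append((node.lineno, verdict))
    return sorted(findings)

# Constructed sample source (hypothetical function names), parsed but never executed.
SAMPLE = '''\
import yaml
class _CustomSafeLoader(yaml.SafeLoader): pass
def net_convert(net_data):
    return yaml.load(net_data)
def custom(blob):
    return yaml.load(blob, Loader=_CustomSafeLoader)
def wrapped(blob):
    return safeyaml.load(blob)
def full(blob):
    return yaml.load(blob, Loader=yaml.Loader)
'''
if __name__ == "__main__": print(triage_yaml_load(SAMPLE))
```

The check only resolves loader classes defined in the file being scanned; a loader imported from another module is reported as `review` and needs a manual look.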