Summary:
An update for python-ply is now available for EulerOS Virtualization release 2.12.0
EulerOS Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

General:
PLY is a straightforward lex/yacc implementation. Here is a list of its essential features:
* It is implemented entirely in Python.
* It uses LR-parsing, which is reasonably efficient and well suited for larger grammars.
* PLY provides most of the standard lex/yacc features, including support for empty productions, precedence rules, error recovery, and support for ambiguous grammars.
* PLY is straightforward to use and provides very extensive error checking.
* PLY doesn't try to do anything more or less than provide the basic lex/yacc functionality. In other words, it's not a large parsing framework or a component of some larger system.
Security Fix(es):
An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the picklefile parameter in the yacc() function. This parameter accepts a .pkl file that is deserialized with pickle.load() without validation. Because pickle allows execution of embedded code via __reduce__(), an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk. NOTE: A third party states that this vulnerability should be rejected because the proof of concept does not demonstrate arbitrary code execution and fails to complete successfully. (CVE-2025-56005)

Legal Disclaimer:
This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the...
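The root cause named under Security Fix(es) is pickle.load() on a file path the caller controls, with no check on what the pickle is allowed to reconstruct. The remedy in this advisory is the updated package; the following is an added example (not PLY's code and not part of the EulerOS fix) of the two checks a defender would put in front of any pickle loaded from an untrusted path: a pickletools disassembly that flags the opcodes a __reduce__ payload needs (GLOBAL/STACK_GLOBAL and REDUCE among them) before a single byte is interpreted, and an Unpickler whose find_class refuses every global lookup, so a payload cannot name the callable it wants invoked. The sample pickles, the parser-table key names and the function names are constructed for the example; they are assumptions, not values from the page. The technique applies to any pickle-based cache file, not only the PLY case.

```python
import io
import pickle
import pickletools

# Opcodes through which a pickle can reach importable code: module/attribute
# lookups and callable invocation. A data-only pickle (dicts, lists, tuples,
# strings, numbers), which is all a parser-table cache needs, uses none of them.
DANGEROUS_OPCODES = frozenset({
    "GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
    "NEWOBJ", "NEWOBJ_EX", "BUILD",
})


def suspicious_opcodes(data: bytes) -> list:
    """Names of risky opcodes in `data`, found by disassembly, without executing it."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in DANGEROUS_OPCODES]


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves no globals at all.

    A __reduce__ payload has to name its callable via GLOBAL/STACK_GLOBAL, and
    both route through find_class; refusing there stops the call before the
    REDUCE opcode can invoke anything.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name} from an untrusted pickle")


def restricted_load(data: bytes):
    """Second layer: return ("ok", obj) or ("rejected", reason) via the restricted unpickler."""
    try:
        return ("ok", RestrictedUnpickler(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


def load_untrusted(data: bytes):
    """Both layers: opcode scan first (nothing is interpreted), then the restricted load."""
    bad = sorted(set(suspicious_opcodes(data)))
    if bad:
        return ("rejected", f"disallowed opcodes: {bad}")
    return restricted_load(data)


# Constructed samples (not from the advisory or from PLY). The first has the
# shape of a legitimate parser table: plain containers and scalars only.
# The key names are assumed for illustration.
SAFE_TABLE = pickle.dumps({"_lr_method": "LALR", "_lr_action": {0: {"NUMBER": 1}}})

# The second references a global (the harmless builtin `len`). Any pickle that
# resolves a global has the same shape a __reduce__ payload would, so it must
# be refused even though this particular one is benign.
GLOBAL_PICKLE = pickle.dumps(len)


if __name__ == "__main__":
    for label, blob in (("table", SAFE_TABLE), ("global", GLOBAL_PICKLE)):
        print(label, suspicious_opcodes(blob), load_untrusted(blob)[0])
```

Either layer alone would stop the __reduce__ path; keeping both means a loader that later allowlists a few specific classes in find_class still has the opcode scan as an independent log-and-reject point, which is also the check to run over cached .pkl files already on disk.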
Updated package: python-ply 3.11-3.h1.eulerosv2r12

CVSS v3.1 base score: 9.8 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: AV:N AC:L PR:N UI:N
Scope: S:U
Impact: C:H I:H A:H