ALAS2023-2026-1663

An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk. (CVE-2025-56005)

aarch64:
    policycoreutils-devel-debuginfo-3.4-6.amzn2023.0.3.aarch64
    policycoreutils-newrole-debuginfo-3.4-6.amzn2023.0.3.aarch64
    policycoreutils-restorecond-debuginfo-3.4-6.amzn2023.0.3.aarch64
    policycoreutils-devel-3.4-6.amzn2023.0.3.aarch64
    policycoreutils-debuginfo-3.4-6.amzn2023.0.3.aarch64
    policycoreutils-newrole-3.4-6.amzn2023.0.3.aarch64
    policycoreutils-debugsource-3.4-6.amzn2023.0.3.aarch64
    policycoreutils-restorecond-3.4-6.amzn2023.0.3.aarch64
    policycoreutils-3.4-6.amzn2023.0.3.aarch64

noarch:
    python3-policycoreutils-3.4-6.amzn2023.0.3.noarch
    policycoreutils-dbus-3.4-6.amzn2023.0.3.noarch
    policycoreutils-gui-3.4-6.amzn2023.0.3.noarch
    policycoreutils-python-utils-3.4-6.amzn2023.0.3.noarch

src:
    policycoreutils-3.4-6.amzn2023.0.3.src

x86_64:
    policycoreutils-newrole-3.4-6.amzn2023.0.3.x86_64
    policycoreutils-debugsource-3.4-6.amzn2023.0.3.x86_64
    policycoreutils-newrole-debuginfo-3.4-6.amzn2023.0.3.x86_64
    policycoreutils-devel-debuginfo-3.4-6.amzn2023.0.3.x86_64
    policycoreutils-restorecond-debuginfo-3.4-6.amzn2023.0.3.x86_64
    policycoreutils-devel-3.4-6.amzn2023.0.3.x86_64
    policycoreutils-restorecond-3.4-6.amzn2023.0.3.x86_64
    policycoreutils-3.4-6.amzn2023.0.3.x86_64
    policycoreutils-debuginfo-3.4-6.amzn2023.0.3.x86_64