severity 661548 grave
tag 661548 security
found 661548 0.33-1
thanks

On Mon, Feb 27, 2012 at 09:44:42PM +0000, Dominic Hargreaves wrote:
> Source: libyaml-libyaml-perl
> Severity: normal
> Version: 0.38-1
> User: debian...@lists.debian.org
> Usertags: hardening-format-security hardening
>
> With hardening flags enabled, this package FTBFS:
>
> perl_libyaml.c: In function 'Load':
> perl_libyaml.c:191:5: error: format not a string literal and no format arguments [-Werror=format-security]
> perl_libyaml.c: In function 'load_node':
> perl_libyaml.c:274:9: error: format not a string literal and no format arguments [-Werror=format-security]
> perl_libyaml.c: In function 'load_mapping':
> perl_libyaml.c:318:9: error: format not a string literal and no format arguments [-Werror=format-security]
> perl_libyaml.c: In function 'load_sequence':
> perl_libyaml.c:351:9: error: format not a string literal and no format arguments [-Werror=format-security]
These format strings can be injected from user input, so raising the severity. A DSA will be issued for squeeze.

I've just notified upstream via the RT tickets below. Could somebody from the pkg-perl team please prepare updated packages (built with -sa for stable-security as this is new there)?

Trivial patches can be found in
https://rt.cpan.org/Public/Bug/Display.html?id=75365
https://rt.cpan.org/Public/Bug/Display.html?id=46507

-- 
Niko Tyni nt...@debian.org
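An added example, not the module's code and not the patches linked above, showing the pattern behind the -Wformat-security diagnostic: a hypothetical croak-style helper `yaml_error`, the unsafe call shape the compiler flags (kept in a comment), the literal `"%s"` fix, and a small check that spots conversion directives in untrusted text.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical croak-style error reporter standing in for the helper in
 * perl_libyaml.c; takes a printf-style format plus arguments. */
static char last_error[256];

static void yaml_error(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_error, sizeof last_error, fmt, ap);
    va_end(ap);
}

/* Unsafe shape flagged by GCC ("format not a string literal and no format
 * arguments"): text that may come straight from the YAML document is used
 * as the format, so any '%' directives in it are interpreted.
 *
 *     static void report_unsafe(const char *msg) { yaml_error(msg); }
 */

/* Safe shape: the untrusted text is an argument to a literal "%s" format,
 * so it is copied verbatim. Returns the formatted message. */
static const char *report_safe(const char *msg)
{
    yaml_error("%s", msg);
    return last_error;
}

/* Returns 1 if an untrusted message contains a conversion directive, i.e.
 * input that the unsafe call would misinterpret; "%%" is a literal percent. */
static int contains_format_directive(const char *s)
{
    for (const char *p = strchr(s, '%'); p; p = strchr(p + 1, '%')) {
        if (p[1] == '%') { p++; continue; }
        if (p[1] != '\0') return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed message in the shape of a YAML scalar a loader might echo back. */
    const char *msg = "unknown tag !%s at line %n";
    printf("directive present: %d\n", contains_format_directive(msg));
    printf("%s\n", report_safe(msg));
    return 0;
}
```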