Your message dated Sat, 10 Mar 2012 07:17:40 +0000
with message-id <e1s6gye-0001gu...@franck.debian.org>
and subject line Bug#661548: fixed in libyaml-libyaml-perl 0.38-2
has caused the Debian Bug report #661548,
regarding libyaml-libyaml-perl: CVE-2012-1152: Format string vulnerabilities in
YAML parsing
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
661548: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661548
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libyaml-libyaml-perl
Severity: normal
Version: 0.38-1
User: debian...@lists.debian.org
Usertags: hardening-format-security hardening
With hardening flags enabled, this package FTBFS:
perl_libyaml.c: In function 'Load':
perl_libyaml.c:191:5: error: format not a string literal and no format
arguments [-Werror=format-security]
perl_libyaml.c: In function 'load_node':
perl_libyaml.c:274:9: error: format not a string literal and no format
arguments [-Werror=format-security]
perl_libyaml.c: In function 'load_mapping':
perl_libyaml.c:318:9: error: format not a string literal and no format
arguments [-Werror=format-security]
perl_libyaml.c: In function 'load_sequence':
perl_libyaml.c:351:9: error: format not a string literal and no format
arguments [-Werror=format-security]
cc1: some warnings being treated as errors
(this is the first error of this type seen: it's possible that there
could be others once this is fixed).
A likely fix is to change croak(var) to croak("%s", var)[1], or similar.
Note that I haven't verified whether an externally-controlled string is
used; if so, it would be appropriate to upgrade this bug to RC severity
with the security tag[2].
This was found during testing of perl 5.14.2-8 in experimental; however,
since that version was prepared, it has been decided not to export
those build flags in Config_heavy.pl. Nevertheless, it is likely that at
some point, either in debhelper 9 or 10, the hardening flags will be
enabled for all perl modules.
Thanks,
Dominic.
[1] <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657853#92>
[2] <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657853#117>
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
--- End Message ---
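The report above describes the classic format-security defect: a message string handed to croak() as the format rather than as an argument, so any '%' directives inside it are interpreted and read arguments that were never passed. The following is an added illustration, not code from the bug report or from libyaml-libyaml-perl: fake_croak() is a constructed stand-in for Perl's printf-style croak(), count_format_directives() shows how many phantom arguments a given message would consume if misused as a format, and report_yaml_error() applies the croak("%s", var) fix suggested in the report. The vulnerable call is shown only as a comment, since executing it is undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for Perl's croak(): a printf-style variadic
 * function that formats into a buffer instead of dying. */
static char last_error[256];

static void fake_croak(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_error, sizeof last_error, fmt, ap);
    va_end(ap);
}

/* Count the printf directives a string would introduce if it were
 * passed as the format. Each one makes the formatter read a vararg
 * that the caller never supplied; "%%" is a literal percent sign. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Hardened pattern from the report. `problem` stands for a libyaml
 * error message, which may echo content from the YAML document.
 *
 *   fake_croak(problem);        // flagged by -Wformat-security:
 *                               // directives in `problem` are interpreted
 *   fake_croak("%s", problem);  // fix: the message is data, not a format
 */
const char *report_yaml_error(const char *problem)
{
    fake_croak("%s", problem);
    return last_error;
}
```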
--- Begin Message ---
Source: libyaml-libyaml-perl
Source-Version: 0.38-2
We believe that the bug you reported is fixed in the latest version of
libyaml-libyaml-perl, which is due to be installed in the Debian FTP archive:
libyaml-libyaml-perl_0.38-2.debian.tar.gz
to main/liby/libyaml-libyaml-perl/libyaml-libyaml-perl_0.38-2.debian.tar.gz
libyaml-libyaml-perl_0.38-2.dsc
to main/liby/libyaml-libyaml-perl/libyaml-libyaml-perl_0.38-2.dsc
libyaml-libyaml-perl_0.38-2_amd64.deb
to main/liby/libyaml-libyaml-perl/libyaml-libyaml-perl_0.38-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 661...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Niko Tyni <nt...@debian.org> (supplier of updated libyaml-libyaml-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Sat, 10 Mar 2012 08:57:07 +0200
Source: libyaml-libyaml-perl
Binary: libyaml-libyaml-perl
Architecture: source amd64
Version: 0.38-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: Niko Tyni <nt...@debian.org>
Description:
libyaml-libyaml-perl - Perl interface to libyaml, a YAML implementation
Closes: 661548
Changes:
libyaml-libyaml-perl (0.38-2) unstable; urgency=medium
.
* Team upload.
.
[ Julián Moreno Patiño ]
* Enable hardening flags. (Closes: #661548)
+ Switch compat level 8 to 9.
+ Add fix_ftbfs_hardening_flags.diff patch.
+ Bump debhelper version to 9.
* Bump Standards-Version to 3.9.3.
+ Update to DEP5 copyright-format 1.0.
+ Add /me to debian copyright.
.
[ Niko Tyni ]
* Note that this fixes CVE-2012-1152.
* Upload at urgency=medium
--- End Message ---