Your message dated Mon, 12 Mar 2012 22:02:10 +0000
with message-id <e1s7dji-0007vb...@franck.debian.org>
and subject line Bug#661548: fixed in libyaml-libyaml-perl 0.33-1+squeeze1
has caused the Debian Bug report #661548,
regarding libyaml-libyaml-perl: CVE-2012-1152: Format string vulnerabilities in YAML parsing
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
661548: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661548
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libyaml-libyaml-perl
Severity: normal
Version: 0.38-1
User: debian...@lists.debian.org
Usertags: hardening-format-security hardening
With hardening flags enabled, this package FTBFS:
perl_libyaml.c: In function 'Load':
perl_libyaml.c:191:5: error: format not a string literal and no format arguments [-Werror=format-security]
perl_libyaml.c: In function 'load_node':
perl_libyaml.c:274:9: error: format not a string literal and no format arguments [-Werror=format-security]
perl_libyaml.c: In function 'load_mapping':
perl_libyaml.c:318:9: error: format not a string literal and no format arguments [-Werror=format-security]
perl_libyaml.c: In function 'load_sequence':
perl_libyaml.c:351:9: error: format not a string literal and no format arguments [-Werror=format-security]
cc1: some warnings being treated as errors
(this is the first error of this type seen: it's possible that there
could be others once this is fixed).
A likely fix is to change croak(var) to croak("%s", var)[1], or similar.
Note that I haven't verified whether an externally-controlled string is
used; if so, it would be appropriate to upgrade this bug to RC severity
with the security tag[2].
This was found during testing of perl 5.14.2-8 in experimental; however,
since that version was prepared, it has been decided not to export
those build flags in Config_heavy.pl. Nevertheless, it is likely that at
some point, either in debhelper 9 or 10, the hardening flags will be
enabled for all perl modules.
Thanks,
Dominic.
[1] <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657853#92>
[2] <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657853#117>
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
--- End Message ---
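The pattern the report describes, croak(var) with attacker-influenced text as the format, beside the suggested croak("%s", var) fix, as an added C example that is not part of the bug report or of libyaml-libyaml-perl. yaml_error() is a hypothetical stand-in for a printf-style error reporter such as croak(); report_safe() and count_format_directives() are names chosen for this example, and the hostile YAML scalar is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example; not code from libyaml-libyaml-perl or from the bug report.
 * yaml_error() is a hypothetical stand-in for an error reporter such as
 * Perl's croak(): it takes a printf-style format and renders it into a
 * buffer. The format attribute lets gcc check every call site, which is how
 * -Wformat-security (promoted to an error by -Werror=format-security)
 * produces diagnostics like the ones quoted in the report.
 */
static char last_error[256];

static void yaml_error(const char *fmt, ...)
    __attribute__((format(printf, 1, 2)));

static void yaml_error(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_error, sizeof last_error, fmt, ap);
    va_end(ap);
}

/*
 * The vulnerable shape. With hostile YAML text as the format, "%x" leaks
 * stack words, "%s" dereferences them and "%n" writes through them. It is
 * left as a comment because the attribute above makes gcc reject it under
 * -Werror=format-security with exactly the report's message:
 *
 *     static void report_unsafe(const char *untrusted)
 *     {
 *         yaml_error(untrusted);   // error: format not a string literal
 *     }                            //        and no format arguments
 */

/* The fix the report suggests: a literal format, untrusted text as an argument. */
static const char *report_safe(const char *untrusted)
{
    yaml_error("%s", untrusted);
    return last_error;
}

/*
 * Runtime check for code paths that still build a format dynamically: count
 * the conversion specifiers in a string. "%%" is a literal percent, not a
 * conversion. A nonzero result on data derived from a YAML document means
 * the string must never be passed as a format.
 */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%": skip the escaped percent */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: a scalar an attacker could plant in a YAML document
     * so that the parser's error message carries it into a format string. */
    const char *hostile = "bad value: %x %x %x %n";

    printf("directives in hostile input: %d\n", count_format_directives(hostile));
    printf("safe report: %s\n", report_safe(hostile));   /* printed verbatim */
    return 0;
}
```

Compile with gcc -Wformat -Werror=format-security to see the commented-out call rejected at build time; the "%s" form passes the same flags and renders the hostile scalar as inert text.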
--- Begin Message ---
Source: libyaml-libyaml-perl
Source-Version: 0.33-1+squeeze1
We believe that the bug you reported is fixed in the latest version of
libyaml-libyaml-perl, which is due to be installed in the Debian FTP archive:
libyaml-libyaml-perl_0.33-1+squeeze1.debian.tar.gz
to main/liby/libyaml-libyaml-perl/libyaml-libyaml-perl_0.33-1+squeeze1.debian.tar.gz
libyaml-libyaml-perl_0.33-1+squeeze1.dsc
to main/liby/libyaml-libyaml-perl/libyaml-libyaml-perl_0.33-1+squeeze1.dsc
libyaml-libyaml-perl_0.33-1+squeeze1_amd64.deb
to main/liby/libyaml-libyaml-perl/libyaml-libyaml-perl_0.33-1+squeeze1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 661...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Niko Tyni <nt...@debian.org> (supplier of updated libyaml-libyaml-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 10 Mar 2012 08:46:55 +0200
Source: libyaml-libyaml-perl
Binary: libyaml-libyaml-perl
Architecture: source amd64
Version: 0.33-1+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: Niko Tyni <nt...@debian.org>
Description:
libyaml-libyaml-perl - Perl interface to libyaml, a YAML implementation
Closes: 661548
Changes:
libyaml-libyaml-perl (0.33-1+squeeze1) stable-security; urgency=high
.
* [SECURITY] CVE-2012-1152: Fix format string vulnerabilities in
YAML parsing. (Closes: #661548)
Checksums-Sha1:
ae0798ad80d409b8206a3fdda393fcb1b438d30b 1422 libyaml-libyaml-perl_0.33-1+squeeze1.dsc
1c058fc54ffdedd39d8a93926ac3bedda94fdb71 146030 libyaml-libyaml-perl_0.33.orig.tar.gz
b733a68187dd6e0c777ff241a4c95265df15f5b8 2827 libyaml-libyaml-perl_0.33-1+squeeze1.debian.tar.gz
55c970413df006895589b62c4f03ea06f38c7209 75762 libyaml-libyaml-perl_0.33-1+squeeze1_amd64.deb
Checksums-Sha256:
f75be49d41bea06686842d0ba475b2551d0e60627d5aa4a29d66faee4344bfa3 1422 libyaml-libyaml-perl_0.33-1+squeeze1.dsc
70c4f7604aeedfc374b64c94745963391eea192d285ffbf4234c4463d78363bc 146030 libyaml-libyaml-perl_0.33.orig.tar.gz
92e065dc66342a0e07a68878499e9bbe622493af6f0260e2d889aec4716f550b 2827 libyaml-libyaml-perl_0.33-1+squeeze1.debian.tar.gz
c085591464c37e985953a1625d642ed9ba67bf7fa7ac21dea10056d6e2a8b654 75762 libyaml-libyaml-perl_0.33-1+squeeze1_amd64.deb
Files:
70dac728afa94e3d2cf7cc8018007d7f 1422 perl optional libyaml-libyaml-perl_0.33-1+squeeze1.dsc
001a21618af05ee3a12dbb8cd6bd9b13 146030 perl optional libyaml-libyaml-perl_0.33.orig.tar.gz
baf13d78d7166c86fcc2c62acf225d5c 2827 perl optional libyaml-libyaml-perl_0.33-1+squeeze1.debian.tar.gz
d8511a72c7338aae6e8c74de6f45bde7 75762 perl optional libyaml-libyaml-perl_0.33-1+squeeze1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAk9bBjgACgkQiyizGWoHLTm+BwCgpdHKiOrrMZM0aVXlHCQwrlEj
Q18AoK9vRuQ3ah0emGr12g9958ybXZUy
=Jgc0
-----END PGP SIGNATURE-----
--- End Message ---