Your message dated Wed, 29 Jan 2020 11:35:21 +0000
with message-id <e1iwlcv-0002b6...@fasolo.debian.org>
and subject line Bug#862373: fixed in libyaml-libyaml-perl 0.81+repack-1
has caused the Debian Bug report #862373,
regarding libyaml-libyaml-perl: Unconditionally instantiates objects from yaml data
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
862373: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862373
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: lintian
Version: 2.5.41
Tags: security

Lintian uses the YAML::XS module to validate YAML in debian/upstream/metadata.
This module is happy to deserialize objects of any existing Perl class. For Lintian, the File::Temp::Dir class can be abused to remove arbitrary directory trees. (There might be other exciting ways to exploit this bug, but I'm too lazy to investigate further.)

I've attached a proof-of-concept exploit:

$ mkdir /tmp/moo
$ ls -d /tmp/moo
/tmp/moo
$ lintian -C upstream-metadata badyaml_1.dsc
$ ls -d /tmp/moo
/bin/ls: cannot access '/tmp/moo': No such file or directory

--
Jakub Wilk

Attachment: badyaml_1.tar.xz
Description: application/xz

Format: 3.0 (native)
Source: badyaml
Binary: badyaml
Architecture: all
Version: 1
Package-List:
 badyaml deb unknown unknown arch=all
Checksums-Sha1:
 9838fde8d6dd00bda20dc32ef430cc912e9f96d9 27928 badyaml_1.tar.xz
Checksums-Sha256:
 d06b616c490cceaffeadaeca19e19348e2cc223aa6e1feb27343932d4f75dbf6 27928 badyaml_1.tar.xz
Files:
 936d4f8f7134f8b41c4f67b05dd7b3e0 27928 badyaml_1.tar.xz

--- End Message ---
--- Begin Message ---
Source: libyaml-libyaml-perl
Source-Version: 0.81+repack-1

We believe that the bug you reported is fixed in the latest version of
libyaml-libyaml-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 862...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gre...@debian.org> (supplier of updated libyaml-libyaml-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 29 Jan 2020 12:19:37 +0100
Source: libyaml-libyaml-perl
Architecture: source
Version: 0.81+repack-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: gregor herrmann <gre...@debian.org>
Closes: 862373
Changes:
 libyaml-libyaml-perl (0.81+repack-1) unstable; urgency=medium
 .
   * Import upstream version 0.81+repack.
     Fixes "Unconditionally instantiates objects from yaml data"
     (Closes: #862373)
   * Add a debian/NEWS entry about the changed default for
     $YAML::XS::LoadBlessed.
   * Update years of upstream and packaging copyright.
   * Declare compliance with Debian Policy 4.5.0.
   * Update Build-Depends for cross builds.
   * Set upstream metadata fields: Bug-Submit.
Checksums-Sha1:
 ae392d2a56699d8a66d3b5f0ae2f0a864b8f9bec 2461 libyaml-libyaml-perl_0.81+repack-1.dsc
 138a2ef9961c638c36533f12ee24b867193baa4a 80784 libyaml-libyaml-perl_0.81+repack.orig.tar.xz
 c23b065066c3babab5ced8737c7d8649627e4696 5620 libyaml-libyaml-perl_0.81+repack-1.debian.tar.xz
Checksums-Sha256:
 5af83154f1798189ab8755a67012c2e9dcbe4d9311b1da8c35a9391184aca0ca 2461 libyaml-libyaml-perl_0.81+repack-1.dsc
 8d3cfe2a9428f117d2dc49571bfb3b5724f540d65b6f67795168acb2c1b8bd1d 80784 libyaml-libyaml-perl_0.81+repack.orig.tar.xz
 7fbf9e63535fd2827a42130250df52a7ebf786efb78a41a0b5a382ff052240d1 5620 libyaml-libyaml-perl_0.81+repack-1.debian.tar.xz
Files:
 9738b50861901f9295c92dbb15c8ad54 2461 perl optional libyaml-libyaml-perl_0.81+repack-1.dsc
 0eff92b8a2c4aab7703227427d58acae 80784 perl optional libyaml-libyaml-perl_0.81+repack.orig.tar.xz
 7aeaddc5f4a98665348a9db1b0718f90 5620 perl optional libyaml-libyaml-perl_0.81+repack-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
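The mechanism behind the report above (YAML::XS blessing loaded data into whatever class the document names, so a class with a side-effecting DESTROY runs attacker-chosen code) and the fix recorded in the changelog (the default of $YAML::XS::LoadBlessed flipped to off in 0.81), shown together as an added example. This is not code from the bug report, from lintian or from YAML::XS itself. The class Demo::Cleanup and its DIRNAME key are constructed stand-ins for this example: its destructor only prints, where File::Temp::Dir's would remove a directory tree. The /tmp/moo path is taken from the report.

```perl
#!/usr/bin/perl
# Added example: a YAML tag naming a Perl class, loaded with and without
# $YAML::XS::LoadBlessed. Demo::Cleanup is a constructed stand-in class.
use strict;
use warnings;
use YAML::XS ();
use Scalar::Util qw(blessed);

package Demo::Cleanup;
# Stand-in for a class whose destructor has side effects. File::Temp::Dir
# removes its directory in DESTROY; this one only reports what it would do.
sub DESTROY {
    my $self = shift;
    print "DESTROY ran for target $self->{DIRNAME}\n";
}

package main;

# Constructed, untrusted input. The tag names the class to bless into; an
# attacker controlling this document controls which DESTROY runs.
my $untrusted = <<'YAML';
--- !!perl/hash:Demo::Cleanup
DIRNAME: /tmp/moo
CLEANUP: 1
YAML

# Load the document under a given LoadBlessed setting and report whether the
# result came back as an object (class name) or as a plain hash.
sub load_with {
    my ($allow_blessed) = @_;
    local $YAML::XS::LoadBlessed = $allow_blessed;
    my $data = YAML::XS::Load($untrusted);
    return blessed($data) // 'plain hash';
    # $data is released here; if it was blessed, DESTROY fires now.
}

# Behaviour before 0.81 (and still reachable by opting in):
print "LoadBlessed=1: ", load_with(1), "\n";
# Default from 0.81 on: the tag is ignored, no object, no destructor.
print "LoadBlessed=0: ", load_with(0), "\n";
```

For code that must parse YAML from untrusted sources on a YAML::XS older than 0.81, setting `local $YAML::XS::LoadBlessed = 0` around the Load call gives the same protection the new default provides; the setting is a global, so scope it with `local` rather than relying on a process-wide assignment that other modules may override.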
