On Fri, 13 Dec 2019 14:23:46 +0100 Andrej Shadura <[email protected]> wrote: > As a temporary workaround, I patched the locally used version to use > YAML::XS, but as I see you won?t accept this patch upstream. Is there a > solution that would satisfy both conditions of how having security > issues and supporting proper YAML?
YAML::XS security issues has been fixed upstream. Now Config::Model::Backend::Yaml uses YAML:XS That said, YAML input and output is used in several places in libconfig-model- dpkg-perl. I fail to see your use case which involves debian/copyright in YAML format. Could you provide more details on your use case ? > By the way, what are those security > issues and how serious and relevant to scan-copyrights are they? YAML specification allows serialisation of Perl object, which means its destructor is invoked when this object is destroyed. Since the yaml data that may contain a Perl object may comes from untrusted package source, this was a security issue (albeit quite far fetched). Anyway, YAML::XS now has a switch to disable object creation when loading YAML. See https://github.com/ingydotnet/yaml-libyaml-pm/issues/45 for more details.

