Package: devscripts
Version: 2.18.3
Severity: grave
File: /usr/bin/grep-excuses
Tags: patch security

grep-excuses uses YAML::Syck without telling YAML::Syck to not bless
objects, which might lead to running code the author of grep-excuses
might not have intended to run.

The attached patch tells grep-excuses to tell YAML::Syck to not point
a loaded gun towards your foot (even though this might be against the
UNIX philosophy of shooting on feet).

See also #862475.

Ansgar
--- scripts/grep-excuses.pl     2018-03-06 15:42:39.000000000 +0100
+++ /usr/bin/grep-excuses       2018-06-26 09:57:34.499148292 +0200
@@ -32,6 +32,8 @@
 
     eval {
        require YAML::Syck;
+       no warnings 'once';
+       $YAML::Syck::LoadBlessed = 0;
     };
 
     if ($@) {
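Review bot: the `+++` header points at the installed file (`/usr/bin/grep-excuses`) while `---` points at the source path (`scripts/grep-excuses.pl`), so the hunk will not apply to the devscripts tree with the usual `-p1`; please regenerate it with both sides against `scripts/grep-excuses.pl`. The two added lines are otherwise fine: `no warnings 'once'` is lexically scoped to the `eval` block, so the suppression does not leak into the rest of the script, and `$YAML::Syck::LoadBlessed = 0` is only reached once `require YAML::Syck` has succeeded. A one-line comment above the assignment saying why blessing is disabled (the excuses file is untrusted input, cf. #862475) would save the next maintainer a trip to the bug tracker.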

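The following Perl script is an added example illustrating the report, not code from the bug or from devscripts. It assumes YAML::Syck is installed; the class `Demo::Hook`, the `load_doc` helper and the YAML document are constructed for the demo. A `!!perl/hash:CLASS` tag in the input asks the loader to bless the mapping into CLASS; nothing is loaded from disk, so the danger comes from classes already in the process, typically one with a `DESTROY` (or other automatically invoked) method. With `$YAML::Syck::LoadBlessed` set to 0, the same tag is ignored and a plain hash comes back:

```perl
#!/usr/bin/perl
# Added example (not part of the bug report or of devscripts): what
# $YAML::Syck::LoadBlessed controls. Assumes YAML::Syck is installed.
use strict;
use warnings;
use YAML::Syck ();

# A class that happens to exist in the process and has a DESTROY method.
# Constructed for the demo; real programs contain many such classes.
package Demo::Hook;
sub DESTROY {
    my ($self) = @_;
    print "Demo::Hook::DESTROY ran, attacker-supplied field: $self->{cmd}\n";
}
package main;

# Constructed untrusted document. The tag names the class to bless into.
my $untrusted = "--- !!perl/hash:Demo::Hook\ncmd: id\n";

# Load $yaml with LoadBlessed set to $allow_blessed and report the ref type.
sub load_doc {
    my ($yaml, $allow_blessed) = @_;
    no warnings 'once';    # same reason as in the patch: name seen once at compile time
    local $YAML::Syck::LoadBlessed = $allow_blessed;
    my $data = YAML::Syck::Load($yaml);
    return ref $data;      # $data is freed on return; a blessed one runs DESTROY
}

# Blessing allowed: returns "Demo::Hook", and DESTROY fires when $data dies.
print "LoadBlessed=1 -> ", load_doc($untrusted, 1), "\n";

# Blessing disabled: the tag is ignored, returns "HASH", no method runs.
print "LoadBlessed=0 -> ", load_doc($untrusted, 0), "\n";
```

Running it prints the `DESTROY` line before `LoadBlessed=1 -> Demo::Hook`, because the object is destroyed while `load_doc` returns; the second call prints only `LoadBlessed=0 -> HASH`. The value under `cmd` is never executed here; the point is that the attacker, not the program, chose which class's methods run.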