Your message dated Wed, 29 Jan 2020 12:04:29 +0000
with message-id <[email protected]>
and subject line Bug#862475: fixed in libyaml-syck-perl 1.32-1
has caused the Debian Bug report #862475,
regarding libyaml-syck-perl: Unconditionally instantiates objects from yaml data
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
862475: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862475
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: lintian
Version: 2.5.41
Tags: security
Lintian uses the YAML::XS module to validate YAML in debian/upstream/metadata.
This module is happy to deserialize objects of any existing Perl class. For
Lintian, the File::Temp::Dir class can be abused to remove arbitrary directory
trees. (There might be other exciting ways to exploit this bug, but I'm too
lazy to investigate further.)
I've attached a proof-of-concept exploit:
$ mkdir /tmp/moo
$ ls -d /tmp/moo
/tmp/moo
$ lintian -C upstream-metadata badyaml_1.dsc
$ ls -d /tmp/moo
/bin/ls: cannot access '/tmp/moo': No such file or directory
--
Jakub Wilk
[Attachment: badyaml_1.tar.xz (application/xz)]
Format: 3.0 (native)
Source: badyaml
Binary: badyaml
Architecture: all
Version: 1
Package-List:
badyaml deb unknown unknown arch=all
Checksums-Sha1:
9838fde8d6dd00bda20dc32ef430cc912e9f96d9 27928 badyaml_1.tar.xz
Checksums-Sha256:
d06b616c490cceaffeadaeca19e19348e2cc223aa6e1feb27343932d4f75dbf6 27928 badyaml_1.tar.xz
Files:
936d4f8f7134f8b41c4f67b05dd7b3e0 27928 badyaml_1.tar.xz
--- End Message ---
--- Begin Message ---
Source: libyaml-syck-perl
Source-Version: 1.32-1
We believe that the bug you reported is fixed in the latest version of
libyaml-syck-perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated libyaml-syck-perl
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 29 Jan 2020 12:40:26 +0100
Source: libyaml-syck-perl
Architecture: source
Version: 1.32-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Closes: 862475
Changes:
libyaml-syck-perl (1.32-1) unstable; urgency=medium
.
* Import upstream version 1.32.
Fixes "Unconditionally instantiates objects from yaml data"
(Closes: #862475)
* Add a debian/NEWS entry about the changed default for
$YAML::Syck::LoadBlessed.
* Update years of packaging copyright.
* Declare compliance with Debian Policy 4.5.0.
* Update Build-Depends for cross builds.
* Annotate test-only build dependencies with <!nocheck>.
* Bump debhelper-compat to 12.
* debian/watch: use uscan version 4.
* Set upstream metadata fields: Bug-Submit.
* Remove obsolete fields Contact, Name from debian/upstream/metadata.
Checksums-Sha1:
bc1aad30ec766fc227b96aec8d896fe88d23b35e 2414 libyaml-syck-perl_1.32-1.dsc
1e2fa78bc1a21d7c8b2724d8ba62547376629ae4 140069 libyaml-syck-perl_1.32.orig.tar.gz
de558015f502edd11c475dfefeba32c1522b4f1a 6028 libyaml-syck-perl_1.32-1.debian.tar.xz
Checksums-Sha256:
9cf46784b154a748d8a2ca8659b53e88a14e62e23e56fb71096cf00dafb591aa 2414 libyaml-syck-perl_1.32-1.dsc
db1d90ec03e0466e134e6032d03eaf73a7305631bcdbbfd8fe5356bd77cae9bb 140069 libyaml-syck-perl_1.32.orig.tar.gz
bf1be66432a586df88131eba9bc5c51987071029cbf462d649080b9897016c95 6028 libyaml-syck-perl_1.32-1.debian.tar.xz
Files:
f5df24b69a23079b1f5a68d2f5c811be 2414 perl optional libyaml-syck-perl_1.32-1.dsc
4d76594ccb19541610f82779071695c6 140069 perl optional libyaml-syck-perl_1.32.orig.tar.gz
9a840c0822aee1724af965017bbfc6f3 6028 perl optional libyaml-syck-perl_1.32-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAl4xb8VfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx
RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ
qgZGRxAAmC5csZWsAwIebO7936GZQTnShfktqkvNo6Lq3VhFY3KZlr0n+oxUL1g2
Yin5Wcv4t93emtdtTyNTTsqj0m+Odr0t7SXxcr7FfUU12OhQZ3oGVRAHNNsliNE1
p3ZetGd+rH150g3GVwWGZOp27OhHFA9LHnQIYzFnR9cYbrVa5ftTLebTyI/gFwiC
U/Rv74Ro+sieYNNERvaE5tFU8AWAdDfZRtnxE4+Zoqe7TYLta0RkzYar5T+rtviY
X0PTYXE34bP0u8YUfGxqsd2atVz3prOsb4tSpdlPI5FiwLO9nhabTfLEMerGO10t
YCFwnDZntEvIfNxFfoM1m3tPX1bvwPtTO83FcFmseHSlt0Mj0Rog1565F89aNHsl
lXSm1+WHmfSvNZRAI+PMQIfff5gf2T3px5COvlyk04hjqfwdeIm6mIM4h1EF5L9f
5Bw4p7m+AXq38gpnmVFG9iRIXlH4K3cUaFNezKxaeW88hRY7j/LO+B5aEylfLKDW
BSzNEn+NkFscP6v5Nrq7T/guR+9jSS4VRpTfk/HaeBZeP5IpGNJH2S3Oy4WYDaqk
lF/9ZteQ4vb7690q4Av090rYpCNwJ7gtUAgakJQY2j6YH/ZKQrHu6WojNdqo9bXF
gJQxtVLBZczU+IA5nzTdfjMJemjh+bKLUMI+oLNrB55Mnc1voqM=
=NeYk
-----END PGP SIGNATURE-----
--- End Message ---
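The bug report above describes the mechanism (a YAML loader that blesses attacker-supplied data into any loaded Perl class, so that class's DESTROY runs with attacker-chosen fields) and the changelog names the fix ($YAML::Syck::LoadBlessed now defaulting to false). The following is an added example, not code from the bug report, from lintian or from the libyaml-syck-perl package. It does not reproduce File::Temp::Dir's internals, which the report does not show; instead it uses a hypothetical stand-in class, Demo::Cleaner, whose destructor removes a directory named in its own hash fields. It assumes YAML::Syck's `!!perl/hash:Class` tag form for blessed hashes and the `$YAML::Syck::LoadBlessed` switch named in the changelog; the payload and the victim directory are constructed here.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use YAML::Syck qw(Load);
use Scalar::Util qw(blessed);
use File::Temp qw(tempdir);

# Hypothetical class standing in for File::Temp::Dir (not its real code):
# its destructor has a filesystem side effect driven entirely by fields of
# the object, so whoever controls the fields controls what gets removed.
package Demo::Cleaner;
sub DESTROY {
    my $self = shift;
    if ($self->{CLEANUP} && -d $self->{DIRNAME}) {
        warn "Demo::Cleaner::DESTROY removing $self->{DIRNAME}\n";
        rmdir $self->{DIRNAME} or warn "rmdir failed: $!\n";
    }
}
package main;

# Loader under test: $allow_blessed models the pre-1.32 default (true) and
# the 1.32 default (false). 'local' scopes the setting to this call only.
sub load_untrusted {
    my ($yaml, $allow_blessed) = @_;
    local $YAML::Syck::LoadBlessed = $allow_blessed;
    return Load($yaml);
}

# Constructed victim directory (plays the role of /tmp/moo in the report).
my $base   = tempdir();
my $victim = "$base/moo";
mkdir $victim or die "mkdir $victim: $!";

# Constructed attacker payload. The tag asks the loader to bless the hash
# into Demo::Cleaner; no constructor of that class is ever called.
my $payload = <<"YAML";
--- !!perl/hash:Demo::Cleaner
DIRNAME: $victim
CLEANUP: 1
YAML

# 1) LoadBlessed true: the document is a Demo::Cleaner object. When it goes
#    out of scope at the end of the block, DESTROY runs and removes $victim.
{
    my $doc = load_untrusted($payload, 1);
    printf "LoadBlessed=1: ref=%s\n", ref $doc;
}
printf "victim still exists after LoadBlessed=1? %s\n",
    -d $victim ? 'yes' : 'no';

# 2) LoadBlessed false (the 1.32 default): the tag is not honoured, the
#    document is a plain HASH, and nothing runs when it is freed.
mkdir $victim unless -d $victim;
{
    my $doc = load_untrusted($payload, 0);
    printf "LoadBlessed=0: ref=%s blessed=%s\n",
        ref $doc, defined blessed($doc) ? blessed($doc) : 'no';
}
printf "victim still exists after LoadBlessed=0? %s\n",
    -d $victim ? 'yes' : 'no';

# Consumers that only ever expect plain data should also reject anything
# the loader did bless, so an older YAML::Syck (or another loader with a
# permissive default) cannot smuggle an object past them.
sub plain_hash_or_die {
    my $doc = shift;
    die "refusing blessed YAML document\n" if defined blessed($doc);
    die "expected a mapping at top level\n" unless ref $doc eq 'HASH';
    return $doc;
}
plain_hash_or_die(load_untrusted($payload, 0));

# Remove the constructed directories.
rmdir $victim;
rmdir $base;
```

The first block prints `ref=Demo::Cleaner` and then reports the victim directory gone, which is the same effect the report demonstrates with `ls -d /tmp/moo`; the second prints `ref=HASH blessed=no` and the directory survives. Because `$YAML::Syck::LoadBlessed` is a global, code that deliberately needs blessed objects from trusted YAML should enable it with `local` around that one call rather than process-wide, and code that validates untrusted files (lintian's debian/upstream/metadata check is the case in the report) should keep it off and additionally refuse blessed results as `plain_hash_or_die` does.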