This is an automated email from the git hooks/post-receive script. lamby pushed a commit to branch master in repository lintian.
commit fd55f0d4df464b05446573768ac7826530d3c308
Author: Chris Lamb <[email protected]>
Date: Tue Apr 3 22:31:47 2018 +0100

Re-enable YAML parsing of upstream metadata which was disabled in 2.5.51 (via #861958) to close CVE-2017-8829 as we can now use the $LoadBlessed option of YAML:XS. (Closes: #894747)
---
checks/upstream-metadata.pm | 3 ++-
debian/changelog | 5 +++++
t/tests/upstream-metadata-invalid-yml/skip | 1 -
3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/checks/upstream-metadata.pm b/checks/upstream-metadata.pm
index c9d347b..4e2da86 100644
--- a/checks/upstream-metadata.pm
+++ b/checks/upstream-metadata.pm
@@ -27,6 +27,8 @@ use Lintian::Tags qw(tag);
 use YAML::XS;
+$YAML::XS::LoadBlessed = 0;
+
 sub run {
     my (undef, undef, $info) = @_;
     my $yamlfile = $info->index_resolved_path('debian/upstream/metadata');
@@ -38,7 +40,6 @@ sub run {
     if ($yamlfile->is_open_ok) {
         my $yaml;
-        return if 1; # YAML::XS executes code
         eval { $yaml = YAML::XS::LoadFile($yamlfile->fs_path); };
         if (!$yaml) {
             my $msg;
diff --git a/debian/changelog b/debian/changelog
index 302dc51..c3017c1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -27,6 +27,11 @@ lintian (2.5.81) UNRELEASED; urgency=medium
     + [CL] Apply patch from Thomas Dallmair to avoid false positives in the udev-rule-missing-subsystem tag when SUBSYSTEM GOTO is not the last "GOTO" statement. Thanks! (Closes: #894356)
+  * checks/upstream-metadata.pm:
+    + Re-enable YAML parsing of upstream metadata which was disabled in
+      2.5.51 (via #861958) to close CVE-2017-8829 as we can now use the
+      $LoadBlessed option of YAML:XS. Thanks to Dylan Aïssi for the report.
+      (Closes: #894747)
   * lib/Lintian/Check.pm:
     + [CL] Avoid false positives in spelling detection by allowing "(s)"
diff --git a/t/tests/upstream-metadata-invalid-yml/skip b/t/tests/upstream-metadata-invalid-yml/skip
deleted file mode 100644
index d623a2b..0000000
--- a/t/tests/upstream-metadata-invalid-yml/skip
+++ /dev/null
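Review bot: `$YAML::XS::LoadBlessed = 0;` in the first hunk is assigned once, at check-load time, to a process-wide package global, so any other module loaded into the same lintian process that later assigns `$YAML::XS::LoadBlessed` silently re-enables blessing for this LoadFile call; scoping it to the call is more robust: `eval { local $YAML::XS::LoadBlessed = 0; $yaml = YAML::XS::LoadFile($yamlfile->fs_path); };`. The commit also adds no minimum-version requirement for YAML::XS (debian/control is not in the diffstat), yet on a YAML::XS that predates the `$LoadBlessed` variable the assignment is a harmless no-op and the CVE-2017-8829 behaviour the commit message describes comes back unnoticed; a versioned `use YAML::XS <first-release-with-LoadBlessed>;` next to the existing `use YAML::XS;` would fail loudly instead. A one-line why-comment on the assignment, e.g. `# Never bless loaded YAML into arbitrary classes (CVE-2017-8829)`, would preserve the rationale that the removed `return if 1; # YAML::XS executes code` line carried. The body of run continues past the second hunk, so whether `$@` is inspected after the eval is not visible here.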
@@ -1 +0,0 @@
-YAML::XS executes code by default and code has not been converted
\ No newline at end of file
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/lintian/lintian.git

