[lintian] 01/01: upstream-metadata: Disable YAML parsing [CVE-2017-8829]
This is an automated email from the git hooks/post-receive script.
nthykier pushed a commit to branch master
in repository lintian.
commit 6119d49c3b5ad0c18e393e5d6c7268189b77455a
Author: Niels Thykier <niels@thykier.net>
Date: Sat Jun 3 09:14:15 2017 +0000
upstream-metadata: Disable YAML parsing [CVE-2017-8829]
Disable the parsing of the "debian/upstream/metadata" file as our
current parser (YAML::XS) suffers from arbitrary code execution bugs.
Given the short time left until the release, let's disable the code
path and figure out what to do with it for buster.
---
checks/upstream-metadata.pm | 1 +
debian/changelog | 3 +++
t/tests/upstream-metadata-invalid-yml/skip | 1 +
3 files changed, 5 insertions(+)
diff --git a/checks/upstream-metadata.pm b/checks/upstream-metadata.pm
index 08798db..5826f36 100644
--- a/checks/upstream-metadata.pm
+++ b/checks/upstream-metadata.pm
@@ -34,6 +34,7 @@ sub run {
if ($yamlfile->is_open_ok) {
my $yaml;
+ return if 1; # YAML::XS executes code
eval { $yaml = YAML::XS::LoadFile($yamlfile->fs_path); };
if (!$yaml) {
my $msg;
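Review bot: the `return if 1;` inserted after `my $yaml;` makes everything that follows inside the `is_open_ok` branch dead code, including the `eval { ... LoadFile ... }` and the `$msg` error reporting, while leaving it compiled into the check. If this is meant as a stopgap, the comment should say so and name the reason that a reader of the file can look up, e.g. `return if 1; # YAML::XS executes code, disabled until a safe loader is used (CVE-2017-8829)`. Consider also placing the early return before the `if ($yamlfile->is_open_ok)` test so the disabled block is visibly skipped as a whole rather than from its second statement.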
diff --git a/debian/changelog b/debian/changelog
index eaf7331..a52a059 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -83,6 +83,9 @@ lintian (2.5.51) UNRELEASED; urgency=medium
Ian Jackson for reporting the issue. (Closes: #849880)
* checks/triggers.{desc,pm}:
+ [NT] New check. (Closes: #698723)
+ * checks/upstream-metadata.pm:
+ + [JW, NT] Disable YAML parsing of upstream metadata file as the YAML
+ parser executes code. (Closes: #861958, CVE-2017-8829)
* coll/debian-readme{,desc}:
+ [NT] Remove. Merge what little functionality it offers into the
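Review bot: in the new `checks/upstream-metadata.pm` entry the CVE id is placed inside the `Closes:` parentheses, "(Closes: #861958, CVE-2017-8829)", where the bug-closing machinery expects only bug numbers. Keeping the CVE outside, as the commit subject does, reads more conventionally: "(Closes: #861958) [CVE-2017-8829]". The entry could also state that the parsing is disabled rather than fixed, so users do not read it as the vulnerability being resolved in the parser.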
diff --git a/t/tests/upstream-metadata-invalid-yml/skip b/t/tests/upstream-metadata-invalid-yml/skip
new file mode 100644
index 0000000..d623a2b
--- /dev/null
+++ b/t/tests/upstream-metadata-invalid-yml/skip
@@ -0,0 +1 @@
+YAML::XS executes code by default and code has not been converted
\ No newline at end of file
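Review bot: the new `skip` file is written without a trailing newline (note the "\ No newline at end of file" marker) and its text stops at "code has not been converted", which leaves it unclear what it is to be converted to. Ending the sentence, for instance pointing at the bug number from the changelog entry (#861958) so the reason the test is skipped can be traced, and adding the final newline would make the skip self-explanatory when the test is revisited after the release.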
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/lintian/lintian.git