[lintian] 02/04: upstream-metadata: Disable YAML parsing [CVE-2017-8829]
This is an automated email from the git hooks/post-receive script.
nthykier pushed a commit to branch stretch
in repository lintian.
commit 0a2f38ecbc70d34a4b77c93a030555b310bd34ff
Author: Niels Thykier <niels@thykier.net>
Date: Sat Jun 3 09:14:15 2017 +0000
upstream-metadata: Disable YAML parsing [CVE-2017-8829]
Disable the parsing of the "debian/upstream/metadata" file as our
current parser (YAML::XS) suffers from arbitrary code execution bugs.
Given the short time left until the release, let's disable the code
path and figure out what to do with it for buster.
---
checks/upstream-metadata.pm | 1 +
debian/changelog | 4 ++++
t/tests/upstream-metadata-invalid-yml/skip | 1 +
3 files changed, 6 insertions(+)
diff --git a/checks/upstream-metadata.pm b/checks/upstream-metadata.pm
index 08798db..5826f36 100644
--- a/checks/upstream-metadata.pm
+++ b/checks/upstream-metadata.pm
@@ -34,6 +34,7 @@ sub run {
if ($yamlfile->is_open_ok) {
my $yaml;
+ return if 1; # YAML::XS executes code
eval { $yaml = YAML::XS::LoadFile($yamlfile->fs_path); };
if (!$yaml) {
my $msg;
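Review bot: `return if 1; # YAML::XS executes code` bails out of the `is_open_ok` branch before anything runs, which leaves `my $yaml;`, the `eval { ... YAML::XS::LoadFile(...) }` and the `if (!$yaml)` reporting below it as unreachable code, and it silently drops whatever tag that branch used to emit for an unreadable or malformed file. If the intent is a temporary kill switch for stretch, consider making that explicit, e.g. `return; # Disabled: YAML::XS executes code, see #861958 / CVE-2017-8829`, so the reason and the bug reference survive in the source rather than only in the changelog, and so the dead block is obviously pending removal or replacement for buster.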
diff --git a/debian/changelog b/debian/changelog
index b220ffb..f0602e5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,9 @@
lintian (2.5.50.4) UNRELEASED; urgency=medium
+ * checks/upstream-metadata.pm:
+ + [JW, NT] Disable YAML parsing of upstream metadata file as the YAML
+ parser executes code. (Closes: #861958, CVE-2017-8829)
+
* t/*:
+ [NT] Update tests to fix FTBFS caused by dpkg-source now ignoring
debian/files by default. (Closes: #863020)
diff --git a/t/tests/upstream-metadata-invalid-yml/skip b/t/tests/upstream-metadata-invalid-yml/skip
new file mode 100644
index 0000000..d623a2b
--- /dev/null
+++ b/t/tests/upstream-metadata-invalid-yml/skip
@@ -0,0 +1 @@
+YAML::XS executes code by default and code has not been converted
\ No newline at end of file
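Review bot: the new skip file ends without a trailing newline (`\ No newline at end of file`); add one so the skip reason prints cleanly and future edits to the file do not produce a spurious diff. The reason text could also name #861958 / CVE-2017-8829 so it is easy to find the tests that need re-enabling once a safe parser is in place for buster.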
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/lintian/lintian.git