Package: devscripts
Version: 2.18.3
Severity: grave
File: /usr/bin/grep-excuses
Tags: patch security

grep-excuses uses YAML::Syck without telling YAML::Syck to not bless objects which might lead to running code the author of grep-excuses might not have intended to run.

The attached patch tells grep-excuses to tell YAML::Syck to not point a loaded gun towards your foot (even though this might be against the UNIX philosophy of shooting on feet).

See also #862475.

Ansgar

--- scripts/grep-excuses.pl 2018-03-06 15:42:39.000000000 +0100 +++ /usr/bin/grep-excuses 2018-06-26 09:57:34.499148292 +0200 @@ -32,6 +32,8 @@ eval { require YAML::Syck; + no warnings 'once'; + $YAML::Syck::LoadBlessed = 0; }; if ($@) {
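
Review bot: The two lines added after `require YAML::Syck;` carry no comment saying that `$YAML::Syck::LoadBlessed = 0;` is a security setting, so a later cleanup could drop it together with the `no warnings 'once';` pragma that exists only to silence the single-use warning for that variable. Suggest a one-line comment above the assignment stating that objects in loaded YAML must not be blessed and pointing at this bug report. Keeping both lines inside the `eval` block is fine, since the pragma stays scoped to that block and the assignment only runs once the module has been required.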
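
The effect of the setting described in the report, as an added example that is not part of the original report or of devscripts: it loads the same YAML document with `$YAML::Syck::LoadBlessed` on and off and counts destructor calls. The class `Demo::Cleanup`, the helper `load_and_report` and the sample data are hypothetical and constructed for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use YAML::Syck qw(Load Dump);

# Hypothetical class standing in for any already-loaded module whose
# destructor has side effects; it is not part of devscripts.
package Demo::Cleanup {
    our $destroyed = 0;
    sub DESTROY { $destroyed++ }    # runs whenever an instance is freed
}

# Constructed input: serialize a Demo::Cleanup object so that the YAML
# text carries the class tag that Load may act on.
my $yaml = Dump(bless { path => '/tmp/example' }, 'Demo::Cleanup');

sub load_and_report {
    my ($load_blessed) = @_;

    # Same variable the patch sets; local() restores it after the call.
    local $YAML::Syck::LoadBlessed = $load_blessed;
    $Demo::Cleanup::destroyed = 0;

    {
        my $data = Load($yaml);
        printf "LoadBlessed=%d -> ref(\$data) is '%s'\n",
            $load_blessed, ref $data;
    }    # $data goes out of scope here; a blessed object is destroyed

    printf "  DESTROY calls caused by the document: %d\n",
        $Demo::Cleanup::destroyed;
}

load_and_report(1);    # document decides which class the data belongs to
load_and_report(0);    # patched behaviour: data stays a plain hash
```

With blessing enabled, the class named in the document has its `DESTROY` method invoked on data the script never constructed itself; with it disabled, the loader returns an unblessed hash and no method of that class runs.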