Hello community, here is the log from the commit of package perl-YAML-LibYAML for openSUSE:Factory checked in at 2020-01-30 09:37:54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/perl-YAML-LibYAML (Old) and /work/SRC/openSUSE:Factory/.perl-YAML-LibYAML.new.26092 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-YAML-LibYAML" Thu Jan 30 09:37:54 2020 rev:19 rq:767976 version:0.81 Changes: -------- --- /work/SRC/openSUSE:Factory/perl-YAML-LibYAML/perl-YAML-LibYAML.changes 2019-09-04 09:02:07.679048360 +0200 +++ /work/SRC/openSUSE:Factory/.perl-YAML-LibYAML.new.26092/perl-YAML-LibYAML.changes 2020-01-30 09:38:31.433397729 +0100 @@ -1,0 +2,10 @@ +Tue Jan 28 03:15:43 UTC 2020 - <timueller+p...@suse.de> + +- updated to 0.81 + see /usr/share/doc/packages/perl-YAML-LibYAML/Changes + + 0.81 Mon 27 Jan 2020 11:05:46 PM CET + - Breaking Change: Set $YAML::XS::LoadBlessed default to false to make it + more secure + +------------------------------------------------------------------- Old: ---- YAML-LibYAML-0.80.tar.gz New: ---- YAML-LibYAML-0.81.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ perl-YAML-LibYAML.spec ++++++ --- /var/tmp/diff_new_pack.y0gKjA/_old 2020-01-30 09:38:32.157398117 +0100 +++ /var/tmp/diff_new_pack.y0gKjA/_new 2020-01-30 09:38:32.161398118 +0100 @@ -1,7 +1,7 @@ # # spec file for package perl-YAML-LibYAML # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: perl-YAML-LibYAML -Version: 0.80 +Version: 0.81 Release: 0 %define cpan_name YAML-LibYAML Summary: Perl YAML Serialization using XS and libyaml 
@@ -37,7 +37,7 @@ %prep %setup -q -n %{cpan_name}-%{version} -find . -type f ! -name \*.pl -print0 | xargs -0 chmod 644 +find . -type f ! -path "*/t/*" ! -name "*.pl" ! -path "*/bin/*" ! -path "*/script/*" ! -name "configure" -print0 | xargs -0 chmod 644 %build perl Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}" ++++++ YAML-LibYAML-0.80.tar.gz -> YAML-LibYAML-0.81.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/YAML-LibYAML-0.80/Changes new/YAML-LibYAML-0.81/Changes --- old/YAML-LibYAML-0.80/Changes 2019-08-22 13:17:23.000000000 +0200 +++ new/YAML-LibYAML-0.81/Changes 2020-01-27 23:05:56.000000000 +0100 @@ -1,3 +1,7 @@ +0.81 Mon 27 Jan 2020 11:05:46 PM CET + - Breaking Change: Set $YAML::XS::LoadBlessed default to false to make it + more secure + 0.80 Thu 22 Aug 2019 01:17:13 PM CEST - Fix memory leak when loading invalid YAML (PR#93 tinita) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/YAML-LibYAML-0.80/LICENSE new/YAML-LibYAML-0.81/LICENSE --- old/YAML-LibYAML-0.80/LICENSE 2019-08-22 13:17:23.000000000 +0200 +++ new/YAML-LibYAML-0.81/LICENSE 2020-01-27 23:05:56.000000000 +0100 @@ -1,4 +1,4 @@ -This software is copyright (c) 2019 by Ingy döt Net. +This software is copyright (c) 2020 by Ingy döt Net. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. @@ -12,7 +12,7 @@ --- The GNU General Public License, Version 1, February 1989 --- -This software is Copyright (c) 2019 by Ingy döt Net. +This software is Copyright (c) 2020 by Ingy döt Net. This is free software, licensed under: 
@@ -272,7 +272,7 @@ --- The Artistic License 1.0 --- -This software is Copyright (c) 2019 by Ingy döt Net. +This software is Copyright (c) 2020 by Ingy döt Net. This is free software, licensed under: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/YAML-LibYAML-0.80/LibYAML/perl_libyaml.c new/YAML-LibYAML-0.81/LibYAML/perl_libyaml.c --- old/YAML-LibYAML-0.80/LibYAML/perl_libyaml.c 2019-08-22 13:17:23.000000000 +0200 +++ new/YAML-LibYAML-0.81/LibYAML/perl_libyaml.c 2020-01-27 23:05:56.000000000 +0100 @@ -154,11 +154,11 @@ SvTRUE(GvSV(gv))) ); - loader.load_blessed = 1; + loader.load_blessed = 0; gv = gv_fetchpv("YAML::XS::LoadBlessed", FALSE, SVt_PV); if (SvOK(GvSV(gv))) { - if (! SvTRUE(GvSV(gv))) { - loader.load_blessed = 0; + if (SvTRUE(GvSV(gv))) { + loader.load_blessed = 1; } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/YAML-LibYAML-0.80/META.json new/YAML-LibYAML-0.81/META.json --- old/YAML-LibYAML-0.80/META.json 2019-08-22 13:17:23.000000000 +0200 +++ new/YAML-LibYAML-0.81/META.json 2020-01-27 23:05:56.000000000 +0100 @@ -55,7 +55,7 @@ "web" : "https://github.com/ingydotnet/yaml-libyaml-pm" } }, - "version" : "0.80", + "version" : "0.81", "x_generated_by_perl" : "v5.24.1", "x_serialization_backend" : "Cpanel::JSON::XS version 4.02" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/YAML-LibYAML-0.80/META.yml new/YAML-LibYAML-0.81/META.yml --- old/YAML-LibYAML-0.80/META.yml 2019-08-22 13:17:23.000000000 +0200 +++ new/YAML-LibYAML-0.81/META.yml 2020-01-27 23:05:56.000000000 +0100 
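Review bot: The opt-in read right after `loader.load_blessed = 0;` is the package global `$YAML::XS::LoadBlessed`, and the code carries no comment saying what that implies. A bare `$YAML::XS::LoadBlessed = 1;` anywhere in the process presumably switches blessing back on for every later load, including loads of untrusted YAML. I would add above the default something like `/* Off by default: blessing into a class named by the document lets untrusted YAML run that class's DESTROY; callers that need objects should set a local()ized $YAML::XS::LoadBlessed */`. With the default at 0 the `SvOK` guard is also redundant, since `SvTRUE` is already false for an undefined value, so the nested tests reduce to `if (SvTRUE(GvSV(gv))) loader.load_blessed = 1;`. The enclosing function starts and ends outside the hunk.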
@@ -25,6 +25,6 @@ bugtracker: https://github.com/ingydotnet/yaml-libyaml-pm/issues homepage: https://github.com/ingydotnet/yaml-libyaml-pm repository: https://github.com/ingydotnet/yaml-libyaml-pm.git -version: '0.80' +version: '0.81' x_generated_by_perl: v5.24.1 x_serialization_backend: 'YAML::Tiny version 1.73' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/YAML-LibYAML-0.80/Makefile.PL new/YAML-LibYAML-0.81/Makefile.PL --- old/YAML-LibYAML-0.80/Makefile.PL 2019-08-22 13:17:23.000000000 +0200 +++ new/YAML-LibYAML-0.81/Makefile.PL 2020-01-27 23:05:56.000000000 +0100 @@ -20,7 +20,7 @@ "TEST_REQUIRES" => { "Test::More" => "0.88" }, - "VERSION" => "0.80", + "VERSION" => "0.81", "test" => { "TESTS" => "t/*.t" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/YAML-LibYAML-0.80/README new/YAML-LibYAML-0.81/README --- old/YAML-LibYAML-0.80/README 2019-08-22 13:17:23.000000000 +0200 +++ new/YAML-LibYAML-0.81/README 2020-01-27 23:05:56.000000000 +0100 @@ -26,7 +26,9 @@ $YAML::XS::LoadBlessed (since v0.69) - Default: true. The default might be changed to false in the future. + Default: false. + + The default was changed in version 0.81. When set to false, it will not bless data into objects, which can be a security problem, when loading YAML from an untrusted source. It @@ -41,6 +43,12 @@ perl: !!perl/hash:Foo::Bar { a: 1 } regex: !!perl/regexp:Foo::Bar pattern + You can create any kind of object with YAML. The creation itself is + not the critical part. If the class has a DESTROY method, it will be + called once the object is deleted. An example with File::Temp + removing files can be found at + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862373 + $YAML::XS::UseCode $YAML::XS::DumpCode 
@@ -139,7 +147,7 @@ COPYRIGHT AND LICENSE - Copyright 2007-2019. Ingy döt Net. + Copyright 2007-2020. Ingy döt Net. This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/YAML-LibYAML-0.80/lib/YAML/LibYAML.pm new/YAML-LibYAML-0.81/lib/YAML/LibYAML.pm --- old/YAML-LibYAML-0.80/lib/YAML/LibYAML.pm 2019-08-22 13:17:23.000000000 +0200 +++ new/YAML-LibYAML-0.81/lib/YAML/LibYAML.pm 2020-01-27 23:05:56.000000000 +0100 @@ -1,6 +1,6 @@ use strict; use warnings; package YAML::LibYAML; -our $VERSION = '0.80'; +our $VERSION = '0.81'; sub import { die "YAML::LibYAML has been renamed to YAML::XS. Please use YAML::XS instead."; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/YAML-LibYAML-0.80/lib/YAML/LibYAML.pod new/YAML-LibYAML-0.81/lib/YAML/LibYAML.pod --- old/YAML-LibYAML-0.80/lib/YAML/LibYAML.pod 2019-08-22 13:17:23.000000000 +0200 +++ new/YAML-LibYAML-0.81/lib/YAML/LibYAML.pod 2020-01-27 23:05:56.000000000 +0100 @@ -22,7 +22,7 @@ =head1 COPYRIGHT AND LICENSE -Copyright 2007-2019. Ingy döt Net. +Copyright 2007-2020. Ingy döt Net. This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/YAML-LibYAML-0.80/lib/YAML/XS.pm new/YAML-LibYAML-0.81/lib/YAML/XS.pm --- old/YAML-LibYAML-0.80/lib/YAML/XS.pm 2019-08-22 13:17:23.000000000 +0200 +++ new/YAML-LibYAML-0.81/lib/YAML/XS.pm 2020-01-27 23:05:56.000000000 +0100 
@@ -1,7 +1,7 @@ use strict; use warnings; package YAML::XS; -our $VERSION = '0.80'; +our $VERSION = '0.81'; use base 'Exporter'; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/YAML-LibYAML-0.80/lib/YAML/XS.pod new/YAML-LibYAML-0.81/lib/YAML/XS.pod --- old/YAML-LibYAML-0.80/lib/YAML/XS.pod 2019-08-22 13:17:23.000000000 +0200 +++ new/YAML-LibYAML-0.81/lib/YAML/XS.pod 2020-01-27 23:05:56.000000000 +0100 @@ -39,7 +39,9 @@ =item C<$YAML::XS::LoadBlessed> (since v0.69) -Default: true. The default might be changed to false in the future. +Default: false. + +The default was changed in version 0.81. When set to false, it will not bless data into objects, which can be a security problem, when loading YAML from an untrusted source. It will silently @@ -54,6 +56,11 @@ perl: !!perl/hash:Foo::Bar { a: 1 } regex: !!perl/regexp:Foo::Bar pattern +You can create any kind of object with YAML. The creation itself is not the +critical part. If the class has a C<DESTROY> method, it will be called once +the object is deleted. An example with File::Temp removing files can be found +at L<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862373> + =item C<$YAML::XS::UseCode> @@ -156,7 +163,7 @@ =head1 COPYRIGHT AND LICENSE -Copyright 2007-2019. Ingy döt Net. +Copyright 2007-2020. Ingy döt Net. This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/YAML-LibYAML-0.80/t/blessed.t new/YAML-LibYAML-0.81/t/blessed.t --- old/YAML-LibYAML-0.80/t/blessed.t 2019-08-22 13:17:23.000000000 +0200 +++ new/YAML-LibYAML-0.81/t/blessed.t 2020-01-27 23:05:56.000000000 +0100 
@@ -1,6 +1,12 @@ use FindBin '$Bin'; use lib $Bin; -use TestYAMLTests tests => 10; +use TestYAMLTests tests => 11; +use YAML::XS (); + +my $unblessed = YAML::XS::Load('!!perl/array:Foo [23]'); +is(ref $unblessed, 'ARRAY', "No objects by default"); + +$YAML::XS::LoadBlessed = 1; filters { perl => 'eval', diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/YAML-LibYAML-0.80/t/leak.t new/YAML-LibYAML-0.81/t/leak.t --- old/YAML-LibYAML-0.80/t/leak.t 2019-08-22 13:17:23.000000000 +0200 +++ new/YAML-LibYAML-0.81/t/leak.t 2020-01-27 23:05:56.000000000 +0100 @@ -1,6 +1,7 @@ use FindBin '$Bin'; use lib $Bin; use TestYAMLTests tests => ( 3 * ( 5 * 5 + 3 ) ); +$YAML::XS::LoadBlessed = 1; use Scalar::Util qw(weaken); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/YAML-LibYAML-0.80/t/load-blessed.t new/YAML-LibYAML-0.81/t/load-blessed.t --- old/YAML-LibYAML-0.80/t/load-blessed.t 2019-08-22 13:17:23.000000000 +0200 +++ new/YAML-LibYAML-0.81/t/load-blessed.t 2020-01-27 23:05:56.000000000 +0100 @@ -1,6 +1,7 @@ use FindBin '$Bin'; use lib $Bin; use TestYAMLTests tests => 15; +$YAML::XS::LoadBlessed = 1; my $yaml = <<"EOM"; local_array: !Foo::Bar [a] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/YAML-LibYAML-0.80/t/private.t new/YAML-LibYAML-0.81/t/private.t --- old/YAML-LibYAML-0.80/t/private.t 2019-08-22 13:17:23.000000000 +0200 +++ new/YAML-LibYAML-0.81/t/private.t 2020-01-27 23:05:56.000000000 +0100 @@ -1,6 +1,7 @@ use FindBin '$Bin'; use lib $Bin; use TestYAMLTests tests => 6; +$YAML::XS::LoadBlessed = 1; my $a = Load(<<'...'); --- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/YAML-LibYAML-0.80/t/regexp.t new/YAML-LibYAML-0.81/t/regexp.t --- old/YAML-LibYAML-0.80/t/regexp.t 2019-08-22 13:17:23.000000000 +0200 +++ new/YAML-LibYAML-0.81/t/regexp.t 2020-01-27 23:05:56.000000000 +0100 
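Review bot: The default-off assertion added at the top of t/blessed.t covers only the `!!perl/array` tag. The other test files touched by this commit (leak.t, load-blessed.t, private.t, regexp.t) all set `$YAML::XS::LoadBlessed = 1;` near the top, so this is the only check of the safe default. A hash counterpart would pin the other data tag the documentation lists: `my $plain = YAML::XS::Load('!!perl/hash:Foo { a: 1 }');` followed by `is(ref $plain, 'HASH', "No hash objects by default");`, with the plan raised to `tests => 12`. A one-line comment above `$YAML::XS::LoadBlessed = 1;` saying that the filter-driven cases below need blessing would explain why the file opts back in.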
@@ -2,6 +2,7 @@ use lib $Bin; use TestYAMLTests tests => 19; use Devel::Peek(); +$YAML::XS::LoadBlessed = 1; my $rx1 = qr/5050/; my $yaml1 = Dump $rx1;