[lintian] branch master updated (55f2dfe -> 995a449)

2017-05-11 Thread Paul Wise 
This is an automated email from the git hooks/post-receive script.

pabs pushed a change to branch master
in repository lintian.

  from  55f2dfe   spelling: Add another correction
   new  995a449   spelling: Add another correction

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.


Summary of changes:
 data/spelling/corrections | 1 +
 1 file changed, 1 insertion(+)

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/lintian/lintian.git

[lintian] 01/01: spelling: Add another correction

2017-05-11 Thread Paul Wise 
This is an automated email from the git hooks/post-receive script.

pabs pushed a commit to branch master
in repository lintian.

commit 995a449aa5a7f5f8227aa66518ce615f80aa9040
Author: Paul Wise 
Date:   Fri May 12 12:15:35 2017 +0800

spelling: Add another correction
---
 data/spelling/corrections | 1 +
 1 file changed, 1 insertion(+)

diff --git a/data/spelling/corrections b/data/spelling/corrections
index 3a75fce..238f929 100644
--- a/data/spelling/corrections
+++ b/data/spelling/corrections
@@ -1297,6 +1297,7 @@ documentaion||documentation
 documentaiton||documentation
 documention||documentation
 documetation||documentation
+documetnation||documentation
 documment||document
 documments||documents
 doens't||doesn't

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/lintian/lintian.git

Processed: Re: Bug#861958: lintian: insecure YAML validation

2017-05-11 Thread Debian Bug Tracking System 
Processing commands for cont...@bugs.debian.org:

> clone 861958 -1
Bug #861958 [lintian] lintian: insecure YAML validation [CVE-2017-8829]
Bug 861958 cloned as bug 862373
> reassign -1 libyaml-libyaml-perl
Bug #862373 [lintian] lintian: insecure YAML validation [CVE-2017-8829]
Bug reassigned from package 'lintian' to 'libyaml-libyaml-perl'.
No longer marked as found in versions lintian/2.5.41.
Ignoring request to alter fixed versions of bug #862373 to the same values 
previously set
> retitle -1 libyaml-libyaml-perl: Unconditionally instantiates objects from 
> yaml data
Bug #862373 [libyaml-libyaml-perl] lintian: insecure YAML validation 
[CVE-2017-8829]
Changed Bug title to 'libyaml-libyaml-perl: Unconditionally instantiates 
objects from yaml data' from 'lintian: insecure YAML validation 
[CVE-2017-8829]'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
861958: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861958
862373: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862373
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#861958: lintian: insecure YAML validation

2017-05-11 Thread Christoph Biedl 
clone 861958 -1
reassign -1 libyaml-libyaml-perl
retitle -1 libyaml-libyaml-perl: Unconditionally instantiates objects from yaml 
data
thanks

Dominique Dumont wrote...

> On samedi 6 mai 2017 13:01:50 CEST you wrote:

> > This module is happy to deserialize objects of any existing Perl class. For
> > Lintian, the File::Temp::Dir class can be abused to remove arbitrary
> > directory trees. (There might be other exciting ways to exploit this bug,
> > but I'm too lazy to investigate further.)
> 
> I wonder if this behavior should be considered as a YAML bug...

At least I consider the unconditional instantiation of object a bug,
hence cloning.

As previously mentioned in debian-perl@, there is no easy solution,
assuming some code out there intentionally uses that feature, and in
a safe matter. If we choose to ignore that, at least for the time being,
we can disable the blessing entirely by dropping the three sv_bless
invocations in . This makes the attached
reproducer pass.

Before releasing that change however, there should be an audit of all
the roughly 40 packages in Debian that use YAML::XS to avoid unintended
breakage. In the worst case, that simple approach isn't feasible and
the instantiation needs to be made configurable - something that
requires coordination with upstream[1] and/or other distributions.

We should discuss this during the sprint.

Christoph

[1] But see https://github.com/perl11/cperl/issues/198
#!/usr/bin/perl

use 5.010;
use strict;
use warnings;

use File::Temp qw(tempdir);
use YAML::XS qw(LoadFile);

my $temp_dir = tempdir (
"yaml-xs-demo.$$.X",
'TMPDIR' => 1,
'CLEANUP' => 1,
);

my $temp_file = "$temp_dir/story.yaml";

my $pid = fork // die ("Cannot fork: $!");
if ($pid == 0) {
my $fh;
open ($fh, '>', $temp_file) or die $!;
print $fh <<__EOS__;
- !File::Temp::Dir
  CLEANUP: 1
  LAUNCHPID: $$
  REALNAME: $temp_dir
__EOS__
close ($fh);
my $data = LoadFile ($temp_file);
exit 0;
}
wait;

if (-d $temp_dir) {
print "I: Pass, temp dir is still present\n";
} else {
print "F: FAIL, temp dir was purged\n";
}


signature.asc
Description: Digital signature