Your message dated Mon, 03 Sep 2018 21:04:11 +0000
with message-id <e1fww15-0001hl...@fasolo.debian.org>
and subject line Bug#902409: fixed in devscripts 2.18.4
has caused the Debian Bug report #902409,
regarding devscripts: CVE-2018-13043 - grep-excuses uses YAML::Syck in an unsafe way
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
902409: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902409
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: devscripts
Version: 2.18.3
Severity: grave
File: /usr/bin/grep-excuses
Tags: patch security

grep-excuses uses YAML::Syck without telling YAML::Syck to not bless
objects which might lead to running code the author of grep-excuses
might not have intended to run.

The attached patch tells grep-excuses to tell YAML::Syck to not point
a loaded gun towards your foot (even though this might be against the
UNIX philosophy of shooting on feet).

See also #862475.

Ansgar
--- scripts/grep-excuses.pl     2018-03-06 15:42:39.000000000 +0100
+++ /usr/bin/grep-excuses       2018-06-26 09:57:34.499148292 +0200
@@ -32,6 +32,8 @@
 
     eval {
        require YAML::Syck;
+       no warnings 'once';
+       $YAML::Syck::LoadBlessed = 0;
     };
 
     if ($@) {
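Review bot: the `if ($@)` branch following this eval shows grep-excuses has a fallback when `require YAML::Syck` fails, and the hardening added here only applies to the YAML::Syck path; confirm that whatever loader the fallback uses (not shown in this hunk) also refuses to bless objects, or the fix can be bypassed simply by the module being absent. Two smaller points: placing `$YAML::Syck::LoadBlessed = 0;` inside the eval is fine since it is only meaningful once the require has succeeded, but a short comment saying why the flag is set would help the next maintainer; and the headers compare `scripts/grep-excuses.pl` against the installed `/usr/bin/grep-excuses`, so the paths need adjusting before the patch applies to the source tree.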

--- End Message ---
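As an added illustration (not part of the bug report or of devscripts), the script below shows what the `$YAML::Syck::LoadBlessed` flag from the patch actually changes: the same YAML document is loaded once with blessing enabled and once with it disabled, and the result is inspected. It assumes a YAML::Syck version that already knows the flag; the package name `Some::Class` is a constructed placeholder and need not exist.

```perl
#!/usr/bin/perl
# Added example, not code from grep-excuses: demonstrate the effect of
# $YAML::Syck::LoadBlessed on a YAML document carrying a Perl class tag.
use strict;
use warnings;
no warnings 'once';
use Scalar::Util qw(blessed);
use YAML::Syck ();

# Constructed input: dump a blessed hash so the document carries exactly the
# class tag YAML::Syck itself emits for objects. Untrusted YAML (e.g. a
# downloaded excuses file) could carry the same tag.
my $yaml = YAML::Syck::Dump(bless { key => 'value' }, 'Some::Class');
print "Input document:\n$yaml\n";

sub describe {
    my ($label, $value) = @_;
    printf "%s: ref=%s, blessed into %s\n",
        $label, ref $value, blessed($value) // '(not blessed)';
}

# Blessing allowed: the tag is honoured and the hash comes back as an object
# of whatever package the document names, so any method that package defines
# (DESTROY, overloads, ...) can run on data the script never vetted.
{
    local $YAML::Syck::LoadBlessed = 1;
    describe('LoadBlessed=1', YAML::Syck::Load($yaml));
}

# Blessing refused, as in the grep-excuses fix: the tag is ignored and the
# result is a plain hash reference.
{
    local $YAML::Syck::LoadBlessed = 0;
    describe('LoadBlessed=0', YAML::Syck::Load($yaml));
}
```

The first load reports `Some::Class` as the blessed package while the second reports a plain `HASH`, which is the check a maintainer can use to verify that a script's YAML loading has been hardened.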
--- Begin Message ---
Source: devscripts
Source-Version: 2.18.4

We believe that the bug you reported is fixed in the latest version of
devscripts, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 902...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mattia Rizzolo <mat...@debian.org> (supplier of updated devscripts package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 03 Sep 2018 22:30:44 +0200
Source: devscripts
Binary: devscripts
Architecture: source
Version: 2.18.4
Distribution: unstable
Urgency: medium
Maintainer: Devscripts Maintainers <devscri...@packages.debian.org>
Changed-By: Mattia Rizzolo <mat...@debian.org>
Description:
 devscripts - scripts to make the life of a Debian Package maintainer easier
Closes: 895209 895279 900703 900963 902409 902815 902842 903479 903482 904432 904578 904659 907683
Changes:
 devscripts (2.18.4) unstable; urgency=medium
 .
   [ Mattia Rizzolo ]
   * debchange:
     + Replace implicit boolean evaluation of a Dpkg::Version object by
       Dpkg::Version::is_valid().  Closes: #900703
   * bts:
     + Add the new 'ftbfs' tag to the list of known tags.  Closes: #900963
   * grep-excuses:
     + Avoid unintended blessing during YAML loading.
       Thanks to Ansgar Burchardt <ans...@debian.org> for reporting and
       providing a patch.  Closes: #902409; CVE-2018-13043
   * uscan:
     + Remove wrong information about GitHub releases.  Closes: #902842
   * test/test_uscan_ftp:
     + Skip test on hurd-i386, hurd is missing a required feature.  MR: !23
   * test/pylint:
     + Temporarily disable the test, as pylist is currently uninstallable,
       see #902631.
   * debian/control:
     + Comment-out build-dependency on pylint3.
     + Bump Standards-Version to 4.2.1, no changes needed.
 .
   [ Shengjing Zhu ]
   * uscan:
     + Fix wrong git log command in manpage.  MR:!16
 .
   [ Simon McVittie ]
   * tests/test_package_lifecycle:
     + Don't load ~/.devscripts while calling debdiff.  MR: !17
   * sadt:
     + Implement new restrictions from autopkgtest git master.  MR: !18
       - 'flaky': if this test fails, the failure is logged but is not
         counted as a failure.
       - 'skippable': if this test exits 77, it counts as skipped,
         not failed (even if it wrote to stderr).
   * uscan:
     + Handle absolute USCAN_DESTDIR correctly in git mode.
       Closes: #895279; MR: !14
 .
   [ Sean Whitton ]
   * git-deborig:  MR !19
     + When suggesting the user run git-deborig again with more arguments,
       include all the arguments the user originally passed in the
       suggestion.
 .
   [ James McCoy ]
   * grep-excuses:
     + Strip all HTML tags, not just anchors, from excuses.  MR !20
   * debsnap:
     + Disable explicit validity checking in Dpkg::Version constructor so
       there's an actual object to call is_valid() on.  Closes: #903479
 .
   [ Ian Jackson ]
   * grep-excuses:
     + Add --autopkgtest option to show autopkgtest failures in the target
       package which are caused by new versions of other packages.  MR !21
 .
   [ Lev Lazinskiy ]
   * uscan:
     + Handle --copy argument.  Closes: #895209; MR !22
 .
   [ Translation updates ]
   * French, thanks to jean-pierre giraud.  Closes: #902815
 .
   [ Kees Cook ]
   * hardening-check:
     + Drain both stdout/stderr while waiting for readelf to exit to prevent
       readelf from getting blocked on a full pipe.  Closes: #903482
 .
   [ Christoph Berg ]
   * namecheck: Drop code.google.com, it's down.
 .
   [ Adam D. Barratt ]
   * bts:
     + Support fetching bugs from debbugs.gnu.org:  Closes: #904432
       - Force CGI URL to be "/cgi/" rather than "/cgi-bin/" when using
         the gnu.org server.
       - Match both "/cgi/" and "/cgi-bin/" when rewriting URLs in cache
         files.
       - Allow links to mbox files to contain additional HTML attributes.
     + Pre-emptively support HTTPS URLs when parsing release-critical pages.
     + Really use HTTPS by default for bugs.debian.org.
 .
   [ Guillem Jover ]
   * debsnap:
     + Switch to HTTPS for connections to snapshot.debian.org.  Closes: #904659
 .
   [ Agustin Henze ]
   * uscan:
     + Use stricter match to find href attribute to avoid invalid URLs.
       Closes: #904578; MR !25
 .
   [ Jakub Wilk ]
   * rmadison:
     + Fix error handling to avoid having all curl/wget errors to be treated
       as SSL errors.  Closes: #907683
 .
   [ Javi Sabalete ]
   * debcommit:
     + Always use annotate tags with git.  MR: !24


--- End Message ---