Bug#861958: lintian: insecure YAML validation

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#861958: lintian: insecure YAML validation
From: Jakub Wilk <jwilk@jwilk.net>
Date: Sat, 6 May 2017 13:01:50 +0200
Message-id: <[🔎] 20170506110150.42nyn4eke7k53iwv@jwilk.net>
Reply-to: Jakub Wilk <jwilk@jwilk.net>, 861958@bugs.debian.org

Package: lintian
Version: 2.5.41
Tags: security

Lintian uses the YAML::XS module to validate YAML in debian/upstream/metadata.

This module is happy to deserialize objects of any existing Perl class. ForLintian, the File::Temp::Dir class can be abused to remove arbitrary directorytrees. (There might be other exciting ways to exploit this bug, but I'm toolazy to investigate further.)


I've attached proof-of-concept exploit:

$ mkdir /tmp/moo
$ ls -d /tmp/moo
/tmp/moo
$ lintian -C upstream-metadata badyaml_1.dsc
$ ls -d /tmp/moo
/bin/ls: cannot access '/tmp/moo': No such file or directory

--
Jakub Wilk

Attachment: badyaml_1.tar.xz
Description: application/xz

Format: 3.0 (native)
Source: badyaml
Binary: badyaml
Architecture: all
Version: 1
Package-List:
 badyaml deb unknown unknown arch=all
Checksums-Sha1:
 9838fde8d6dd00bda20dc32ef430cc912e9f96d9 27928 badyaml_1.tar.xz
Checksums-Sha256:
 d06b616c490cceaffeadaeca19e19348e2cc223aa6e1feb27343932d4f75dbf6 27928 badyaml_1.tar.xz
Files:
 936d4f8f7134f8b41c4f67b05dd7b3e0 27928 badyaml_1.tar.xz

Reply to:

Follow-Ups:
- Bug#861958: lintian: insecure YAML validation
  - From: Dominique Dumont <dod@debian.org>

Prev by Date: Cron <lintian@lilburn> lintian/reporting/harness --no-generate-reports -i
Next by Date: Processed: severity of 861958 is grave
Previous by thread: Cron <lintian@lilburn> lintian/reporting/harness --no-generate-reports -i
Next by thread: Bug#861958: lintian: insecure YAML validation
Index(es):
- Date
- Thread