Bug#861958: lintian: insecure YAML validation
On samedi 6 mai 2017 13:01:50 CEST you wrote:
> Lintian uses the YAML::XS module to validate YAML in
> debian/upstream/metadata.
Unless debian/upstream/metadata needs fancy YAML format (e.g. anchor alias
tags ...), the easiest way out is to use YAML::Tiny instead of YAML::XS. This
should be a drop-in replacement.
> This module is happy to deserialize objects of any existing Perl class. For
> Lintian, the File::Temp::Dir class can be abused to remove arbitrary
> directory trees. (There might be other exciting ways to exploit this bug,
> but I'm too lazy to investigate further.)
I wonder if this behavior should be considered as a YAML bug...
All the best
--
https://github.com/dod38fr/config-model/ -o- http://search.cpan.org/~ddumont/
http://ddumont.wordpress.com/ -o- irc: dod at irc.debian.org
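An added example, not from the bug report or from Lintian, of what a hardened loader for untrusted YAML can look like: blessed loading is switched off (via $YAML::XS::LoadBlessed, the module's own switch in recent versions) and the result is walked to reject any blessed reference regardless of loader settings. The class name and the document are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use YAML::XS ();
use Scalar::Util qw(blessed reftype);

# Constructed sample document carrying a Perl-class tag. The class name is
# made up; with blessed loading enabled, the loader would bless the hash into
# that class, and a class whose DESTROY has side effects would then run them.
my $untrusted = "--- !!perl/hash:Hypothetical::Cleanup\nDIRNAME: /tmp/example\n";

# Load with blessing disabled, then refuse the result if anything is blessed.
sub load_plain_yaml {
    my ($text) = @_;
    local $YAML::XS::LoadBlessed = 0;   # assumption: available in this YAML::XS
    my $data = YAML::XS::Load($text);
    die "refusing blessed object in YAML input\n" if has_blessed($data);
    return $data;
}

# Defence in depth: walk arrays and hashes and report any blessed reference,
# so the guard does not depend on one loader setting being honoured.
sub has_blessed {
    my ($node) = @_;
    return 1 if blessed($node);
    my $type = reftype($node) // '';
    return (grep { has_blessed($_) } @$node) ? 1 : 0 if $type eq 'ARRAY';
    return (grep { has_blessed($_) } values %$node) ? 1 : 0 if $type eq 'HASH';
    return 0;
}

my $meta = load_plain_yaml($untrusted);
print "loaded plain ", ref($meta), " with keys: ", join(',', sort keys %$meta), "\n";
```

With the tag ignored, the document loads as an ordinary HASH with the single key DIRNAME; if a loader did bless it, has_blessed() makes load_plain_yaml() die instead of returning the object.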