
Bug#861958: lintian: insecure YAML validation



On Saturday 6 May 2017 13:01:50 CEST you wrote:
> Lintian uses the YAML::XS module to validate YAML in
> debian/upstream/metadata.

Unless debian/upstream/metadata needs fancy YAML format (e.g. anchor alias
tags ...), the easiest way out is to use YAML::Tiny instead of YAML::XS. This
should be a drop-in replacement.

> This module is happy to deserialize objects of any existing Perl class. For
> Lintian, the File::Temp::Dir class can be abused to remove arbitrary
> directory trees. (There might be other exciting ways to exploit this bug,
> but I'm too lazy to investigate further.)

I wonder if this behavior should be considered as a YAML bug...

All the best
-- 
https://github.com/dod38fr/config-model/ -o- http://search.cpan.org/~ddumont/
    http://ddumont.wordpress.com/        -o-   irc: dod at irc.debian.org
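As an added illustration of the suggested swap (not code from the bug report, from Lintian, or from the reply's author), the Perl check below loads a document with YAML::Tiny, which has no notion of tags, and then walks the result to refuse anything blessed as a second line of defence; the metadata fields, the `Some::Class` tag and both documents are constructed samples.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use YAML::Tiny ();
use Scalar::Util qw(blessed reftype);

# Constructed sample: a benign debian/upstream/metadata document.
my $benign = <<'YAML';
---
Name: example-tool
Bug-Database: https://example.invalid/bugs
Repository: https://example.invalid/example-tool.git
YAML

# Constructed sample: a document carrying a Perl object tag. A tag-aware
# loader would bless the mapping into the named class (placeholder name).
my $tagged = <<'YAML';
--- !!perl/hash:Some::Class
dirname: /tmp/placeholder
YAML

# Defence in depth: recursively look for any blessed reference in the
# loaded data, so a parser that silently instantiates objects is still caught.
sub has_blessed {
    my ($node) = @_;
    return 1 if blessed $node;
    my $type = reftype $node // '';
    if ( $type eq 'ARRAY' ) { has_blessed($_) and return 1 for @$node }
    if ( $type eq 'HASH'  ) { has_blessed($_) and return 1 for values %$node }
    return 0;
}

# YAML::Tiny dies on tags and anchors ('!' / '&' prefixes); treat any failure
# as a rejection, then double-check that nothing blessed came back.
sub safe_load {
    my ($text) = @_;
    my $docs = eval { YAML::Tiny->read_string($text) };
    return (undef, 'parse rejected: ' . ($@ || 'unknown error')) unless $docs;
    # $docs itself is a blessed YAML::Tiny array; copy it before checking.
    return (undef, 'blessed object in data') if has_blessed([ @$docs ]);
    return ($docs->[0], undef);
}

for my $case ([benign => $benign], [tagged => $tagged]) {
    my ($name, $text) = @$case;
    my ($data, $err) = safe_load($text);
    printf "%-7s %s\n", $name, $err ? "REJECTED ($err)" : "ok, Name=$data->{Name}";
}
```

Later YAML::XS releases also added a `$YAML::XS::LoadBlessed` switch to turn object loading off; the blessed-reference walk above remains useful whichever parser is configured.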
