Bug#861958: lintian: insecure YAML validation

To: Jakub Wilk <jwilk@jwilk.net>, 861958@bugs.debian.org
Subject: Bug#861958: lintian: insecure YAML validation
From: Dominique Dumont <dod@debian.org>
Date: Sat, 06 May 2017 19:29:46 +0200
Message-id: <[🔎] 1693004.z8u8pRTgeh@gandalf>
Reply-to: Dominique Dumont <dod@debian.org>, 861958@bugs.debian.org
In-reply-to: <[🔎] 20170506110150.42nyn4eke7k53iwv@jwilk.net>
References: <[🔎] 20170506110150.42nyn4eke7k53iwv@jwilk.net>

On samedi 6 mai 2017 13:01:50 CEST you wrote:
> Lintian uses the YAML::XS module to validate YAML in
> debian/upstream/metadata.

Unless debian/upstream/metadata needs fancy YAML format (e.g. anchor alias 
tags ...), the easiest way out it to use YAML::Tiny instead of YAML::XS. This 
should be a drop-in replacement.

> This module is happy to deserialize objects of any existing Perl class. For
> Lintian, the File::Temp::Dir class can be abused to remove arbitrary
> directory trees. (There might be other exciting ways to exploit this bug,
> but I'm too lazy to investigate further.)

I wonder if this behavior should be considered as a YAML bug...

All the best
-- 
https://github.com/dod38fr/config-model/ -o- http://search.cpan.org/~ddumont/
    http://ddumont.wordpress.com/        -o-   irc: dod at irc.debian.org

Reply to:

Follow-Ups:
- Bug#861958: lintian: insecure YAML validation
  - From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
- Bug#861958: lintian: insecure YAML validation
  - From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>

References:
- Bug#861958: lintian: insecure YAML validation
  - From: Jakub Wilk <jwilk@jwilk.net>

Prev by Date: Processed: tagging 861958
Next by Date: [lintian] 01/01: spelling: Add one more correction
Previous by thread: Bug#861958: lintian: insecure YAML validation
Next by thread: Bug#861958: lintian: insecure YAML validation
Index(es):
- Date
- Thread