[lintian] 01/01: upstream-metadata: Disable YAML parsing [CVE-2017-8829]
This is an automated email from the git hooks/post-receive script.
nthykier pushed a commit to branch master
in repository lintian.
commit 6119d49c3b5ad0c18e393e5d6c7268189b77455a
Author: Niels Thykier <niels@thykier.net>
Date:   Sat Jun 3 09:14:15 2017 +0000
    upstream-metadata: Disable YAML parsing [CVE-2017-8829]
    
    Disable the parsing of the "debian/upstream/metadata" file as our
    current parser (YAML::XS) suffers from arbitrary code execution bugs.
    Given the short time left until the release, let's disable the code
    path and figure out what to do with it for buster.
---
 checks/upstream-metadata.pm                | 1 +
 debian/changelog                           | 3 +++
 t/tests/upstream-metadata-invalid-yml/skip | 1 +
 3 files changed, 5 insertions(+)
diff --git a/checks/upstream-metadata.pm b/checks/upstream-metadata.pm
index 08798db..5826f36 100644
--- a/checks/upstream-metadata.pm
+++ b/checks/upstream-metadata.pm
@@ -34,6 +34,7 @@ sub run {
 
     if ($yamlfile->is_open_ok) {
         my $yaml;
+        return if 1; # YAML::XS executes code
         eval { $yaml = YAML::XS::LoadFile($yamlfile->fs_path); };
         if (!$yaml) {
             my $msg;
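Review bot: the added `return if 1;` is an unconditional early exit that leaves `my $yaml;`, the `eval { $yaml = YAML::XS::LoadFile(...) }` and everything after it as dead code, while the only explanation is a five-word comment. Suggest a plain `return;` (or a guard at the top of `run`) with a comment that names the reason and the tracking references so the disabled path is easy to find again, e.g. `return; # Disabled: YAML::XS executes code, see #861958 / CVE-2017-8829`. Since the check now opens the file and returns before parsing, it emits no tags at all for any package; that is the intended outcome here, but worth stating in the comment so nobody mistakes the silence for a clean result.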
diff --git a/debian/changelog b/debian/changelog
index eaf7331..a52a059 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -83,6 +83,9 @@ lintian (2.5.51) UNRELEASED; urgency=medium
       Ian Jackson for reporting the issue.  (Closes: #849880)
   * checks/triggers.{desc,pm}:
     + [NT] New check.  (Closes: #698723)
+  * checks/upstream-metadata.pm:
+    + [JW, NT] Disable YAML parsing of upstream metadata file as the YAML
+      parser executes code.  (Closes: #861958, CVE-2017-8829)
 
   * coll/debian-readme{,desc}:
     + [NT] Remove.  Merge what little functionality it offers into the
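Review bot: the changelog entry explains why parsing was disabled but not what users will observe: with the early return in checks/upstream-metadata.pm, the check no longer emits any of its tags, so a malformed upstream metadata file now passes silently. Suggest adding a clause such as "the check is temporarily disabled and emits no tags until a safe parser is in place" so the behaviour change is documented for this release.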
diff --git a/t/tests/upstream-metadata-invalid-yml/skip b/t/tests/upstream-metadata-invalid-yml/skip
new file mode 100644
index 0000000..d623a2b
--- /dev/null
+++ b/t/tests/upstream-metadata-invalid-yml/skip
@@ -0,0 +1 @@
+YAML::XS executes code by default and code has not been converted
\ No newline at end of file
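Review bot: the new skip file is missing its trailing newline (`\ No newline at end of file`) and gives only a free-form reason; including #861958 / CVE-2017-8829 in the text would let someone grep for every piece that has to be reverted once the parser is replaced. Also worth confirming that any other test exercising this check is skipped or adjusted the same way, since the check now returns before parsing any YAML and those tests would otherwise fail on missing tags.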
-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/lintian/lintian.git