
Bug#861958: marked as done (lintian: insecure YAML validation [CVE-2017-8829])



Your message dated Sat, 03 Jun 2017 17:04:11 +0000
with message-id <E1dHCTD-000Ddj-6z@fasolo.debian.org>
and subject line Bug#861958: fixed in lintian 2.5.50.4
has caused the Debian Bug report #861958,
regarding lintian: insecure YAML validation [CVE-2017-8829]
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
861958: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861958
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: lintian
Version: 2.5.41
Tags: security

Lintian uses the YAML::XS module to validate YAML in debian/upstream/metadata.
This module is happy to deserialize objects of any existing Perl class. For Lintian, the File::Temp::Dir class can be abused to remove arbitrary directory trees. (There might be other exciting ways to exploit this bug, but I'm too lazy to investigate further.)

I've attached a proof-of-concept exploit:

$ mkdir /tmp/moo
$ ls -d /tmp/moo
/tmp/moo
$ lintian -C upstream-metadata badyaml_1.dsc
$ ls -d /tmp/moo
/bin/ls: cannot access '/tmp/moo': No such file or directory

--
Jakub Wilk

Attachment: badyaml_1.tar.xz
Description: application/xz

Format: 3.0 (native)
Source: badyaml
Binary: badyaml
Architecture: all
Version: 1
Package-List:
 badyaml deb unknown unknown arch=all
Checksums-Sha1:
 9838fde8d6dd00bda20dc32ef430cc912e9f96d9 27928 badyaml_1.tar.xz
Checksums-Sha256:
 d06b616c490cceaffeadaeca19e19348e2cc223aa6e1feb27343932d4f75dbf6 27928 badyaml_1.tar.xz
Files:
 936d4f8f7134f8b41c4f67b05dd7b3e0 27928 badyaml_1.tar.xz

--- End Message ---
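The report above describes YAML::XS blessing deserialized data into whatever Perl class a tag names. The following is an added example (not Lintian's code and not the reporter's proof of concept) of the defensive loading pattern: turn off blessing with $YAML::XS::LoadBlessed and walk the decoded structure to reject any object that was blessed anyway. Hypothetical::Cleanup is a made-up class name and the document is constructed for the example.

```perl
# Added example (not Lintian's code): load untrusted YAML without letting
# YAML::XS bless data into arbitrary Perl classes, then refuse any object
# that was blessed anyway.
use strict;
use warnings;
use YAML::XS ();
use Scalar::Util qw(blessed reftype);

# Assumption: this YAML::XS is recent enough to honour $YAML::XS::LoadBlessed.
# Versions without it silently ignore the setting, hence the check below.
$YAML::XS::LoadBlessed = 0;

# Walk the decoded structure; return the first blessed reference, or undef.
sub find_blessed {
    my ($node, $seen) = @_;
    $seen //= {};
    return undef unless ref $node;
    return $node if blessed($node);
    return undef if $seen->{$node}++;    # guard against cycles and aliases
    my $type = reftype($node);
    my @children = $type eq 'HASH'  ? values %$node
                 : $type eq 'ARRAY' ? @$node
                 :                    ();
    for my $child (@children) {
        my $hit = find_blessed($child, $seen);
        return $hit if defined $hit;
    }
    return undef;
}

# Load a document and refuse it if it carries an object of any class.
sub load_plain_yaml {
    my ($text) = @_;
    my $data = YAML::XS::Load($text);
    if (my $obj = find_blessed($data)) {
        die sprintf "refusing YAML that blesses data into %s\n", ref $obj;
    }
    return $data;
}

# Constructed input: a metadata-like document carrying a Perl object tag for
# a made-up class (Hypothetical::Cleanup does not exist; nothing is executed).
my $untrusted = <<'YAML';
Name: example
Repository: !!perl/hash:Hypothetical::Cleanup
  DIRNAME: /tmp/example
YAML

my $data = load_plain_yaml($untrusted);
printf "Repository decoded as a plain %s\n", ref $data->{Repository};  # HASH
```

On a YAML::XS that does not honour $YAML::XS::LoadBlessed the object already exists by the time find_blessed sees it, so a real class's destructor could still run when it is freed; the after-the-fact check is a second line of defence, not a substitute for not parsing untrusted documents with an object-blessing loader at all.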
--- Begin Message ---
Source: lintian
Source-Version: 2.5.50.4

We believe that the bug you reported is fixed in the latest version of
lintian, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 861958@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niels Thykier <niels@thykier.net> (supplier of updated lintian package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 03 Jun 2017 16:48:24 +0000
Source: lintian
Binary: lintian
Architecture: source
Version: 2.5.50.4
Distribution: unstable
Urgency: medium
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Changed-By: Niels Thykier <niels@thykier.net>
Description:
 lintian    - Debian package checker
Closes: 861958 863020
Changes:
 lintian (2.5.50.4) unstable; urgency=medium
 .
   * checks/upstream-metadata.pm:
     + [JW, NT] Disable YAML parsing of upstream metadata file as the YAML
       parser executes code.  (Closes: #861958, CVE-2017-8829)
 .
   * t/*:
     + [NT] Update tests to fix FTBFS caused by dpkg-source now ignoring
       debian/files by default.  This includes renaming a folder in
       the t/tests/legacy-filenames test.  (Closes: #863020)


--- End Message ---
