Your message dated Sat, 03 Jun 2017 17:04:11 +0000 with message-id <E1dHCTD-000Ddj-6z@fasolo.debian.org> and subject line Bug#861958: fixed in lintian 2.5.50.4 has caused the Debian Bug report #861958, regarding lintian: insecure YAML validation [CVE-2017-8829], to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
861958: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861958
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: lintian: insecure YAML validation
- From: Jakub Wilk <jwilk@jwilk.net>
- Date: Sat, 6 May 2017 13:01:50 +0200
- Message-id: <20170506110150.42nyn4eke7k53iwv@jwilk.net>
Package: lintian
Version: 2.5.41
Tags: security

Lintian uses the YAML::XS module to validate YAML in debian/upstream/metadata. This module is happy to deserialize objects of any existing Perl class. For Lintian, the File::Temp::Dir class can be abused to remove arbitrary directory trees. (There might be other exciting ways to exploit this bug, but I'm too lazy to investigate further.)

I've attached a proof-of-concept exploit:

```
$ mkdir /tmp/moo
$ ls -d /tmp/moo
/tmp/moo
$ lintian -C upstream-metadata badyaml_1.dsc
$ ls -d /tmp/moo
/bin/ls: cannot access '/tmp/moo': No such file or directory
```

--
Jakub Wilk

Attachment: badyaml_1.tar.xz
Description: application/xz

```
Format: 3.0 (native)
Source: badyaml
Binary: badyaml
Architecture: all
Version: 1
Package-List:
 badyaml deb unknown unknown arch=all
Checksums-Sha1:
 9838fde8d6dd00bda20dc32ef430cc912e9f96d9 27928 badyaml_1.tar.xz
Checksums-Sha256:
 d06b616c490cceaffeadaeca19e19348e2cc223aa6e1feb27343932d4f75dbf6 27928 badyaml_1.tar.xz
Files:
 936d4f8f7134f8b41c4f67b05dd7b3e0 27928 badyaml_1.tar.xz
```
--- End Message ---
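The defensive side of the report above, as an added illustration that is not code from the bug report or from lintian: load YAML with YAML::XS while refusing to bless any tagged mapping into a Perl class, then walk the result and reject anything that is still an object. It assumes a YAML::XS release that provides `$YAML::XS::LoadBlessed` (0.69 or later); the class name `Example::Harmless` and the metadata document are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use YAML::XS ();
use Scalar::Util qw(blessed reftype);

# Refuse to instantiate objects while parsing.  $YAML::XS::LoadBlessed is
# assumed available (YAML::XS >= 0.69); with it off, a mapping tagged with
# a Perl class comes back as a plain, unblessed hash.  This must be set
# *before* Load: once the parser has blessed a node, that object's DESTROY
# is already armed (File::Temp::Dir removes its tree on destruction), so
# inspecting the data afterwards is too late to prevent the side effect.
$YAML::XS::LoadBlessed = 0;
$YAML::XS::LoadCode    = 0;

# Defence in depth: walk the decoded structure and die on any blessed
# reference or any reference type that plain data should never contain.
sub assert_plain_data {
    my ($node, $path) = @_;
    $path //= '$root';
    die "blessed object at $path (" . blessed($node) . ")\n" if blessed($node);
    my $type = reftype($node) // '';
    if ($type eq 'HASH') {
        assert_plain_data($node->{$_}, "$path\{$_}") for sort keys %$node;
    } elsif ($type eq 'ARRAY') {
        assert_plain_data($node->[$_], "$path\[$_]") for 0 .. $#$node;
    } elsif ($type ne '') {
        die "unexpected reference type $type at $path\n";
    }
    return 1;
}

# Constructed sample: an upstream/metadata-style document in which one
# mapping carries a Perl class tag (a harmless, made-up class name).
my $yaml = <<'END_YAML';
Name: badyaml
Repository: https://example.invalid/badyaml.git
Extra: !!perl/hash:Example::Harmless
  dir: /tmp/moo
END_YAML

my $meta = YAML::XS::Load($yaml);
assert_plain_data($meta);
printf "Extra is %s\n", blessed($meta->{Extra}) ? 'an object' : 'a plain hash';
```

On a YAML::XS older than 0.69 the variable is silently ignored and the tagged node is blessed, which is exactly why lintian's fix chose to disable YAML parsing of the file altogether rather than rely on parser options.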
--- Begin Message ---
- To: 861958-close@bugs.debian.org
- Subject: Bug#861958: fixed in lintian 2.5.50.4
- From: Niels Thykier <niels@thykier.net>
- Date: Sat, 03 Jun 2017 17:04:11 +0000
- Message-id: <E1dHCTD-000Ddj-6z@fasolo.debian.org>
Source: lintian
Source-Version: 2.5.50.4

We believe that the bug you reported is fixed in the latest version of lintian, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 861958@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niels Thykier <niels@thykier.net> (supplier of updated lintian package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

```
Format: 1.8
Date: Sat, 03 Jun 2017 16:48:24 +0000
Source: lintian
Binary: lintian
Architecture: source
Version: 2.5.50.4
Distribution: unstable
Urgency: medium
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Changed-By: Niels Thykier <niels@thykier.net>
Description:
 lintian    - Debian package checker
Closes: 861958 863020
Changes:
 lintian (2.5.50.4) unstable; urgency=medium
 .
   * checks/upstream-metadata.pm:
     + [JW, NT] Disable YAML parsing of upstream metadata file as the YAML
       parser executes code.  (Closes: #861958, CVE-2017-8829)
 .
   * t/*:
     + [NT] Update tests to fix FTBFS caused by dpkg-source now ignoring
       debian/files by default.  This includes renaming a folder in the
       t/tests/legacy-filenames test.  (Closes: #863020)
Checksums-Sha1:
 7c95f75eae2606edcc148900fa6d2bb4d81ac855 2821 lintian_2.5.50.4.dsc
 99dc935a10bff7ecd1207653486622e4b5e41b81 1233912 lintian_2.5.50.4.tar.xz
 b2d03fa69a97248c122b53ebfd5d05eae887df13 17485 lintian_2.5.50.4_source.buildinfo
Checksums-Sha256:
 cafb8a57727b33955f60d92818afba807fe83bd5244f7db10acdf3135182136f 2821 lintian_2.5.50.4.dsc
 03c10567e3227088323575a4fcb8c271029edc3352d5fa61474f1716b69da1bb 1233912 lintian_2.5.50.4.tar.xz
 c073b8ce11923eb59c570fcf82675235f06f89704eceb0b1d7034298e809ac41 17485 lintian_2.5.50.4_source.buildinfo
Files:
 3d151786f8d7f24b441ee167dd3b9ecf 2821 devel optional lintian_2.5.50.4.dsc
 76932cf1bb079f6461af002e6e27f234 1233912 devel optional lintian_2.5.50.4.tar.xz
 f57f24dcbe539a010ff3a127e69bec24 17485 devel optional lintian_2.5.50.4_source.buildinfo
```
--- End Message ---