
[lintian] 01/01: Re-enable YAML parsing of upstream metadata which was disabled in 2.5.51 (via #861958) to close CVE-2017-8829 as we can now use the $LoadBlessed option of YAML:XS. (Closes: #894747)



This is an automated email from the git hooks/post-receive script.

lamby pushed a commit to branch master
in repository lintian.

commit fd55f0d4df464b05446573768ac7826530d3c308
Author: Chris Lamb <lamby@debian.org>
Date:   Tue Apr 3 22:31:47 2018 +0100

    Re-enable YAML parsing of upstream metadata which was disabled in 2.5.51 (via #861958) to close CVE-2017-8829 as we can now use the $LoadBlessed option of YAML:XS. (Closes: #894747)
---
 checks/upstream-metadata.pm                | 3 ++-
 debian/changelog                           | 5 +++++
 t/tests/upstream-metadata-invalid-yml/skip | 1 -
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/checks/upstream-metadata.pm b/checks/upstream-metadata.pm
index c9d347b..4e2da86 100644
--- a/checks/upstream-metadata.pm
+++ b/checks/upstream-metadata.pm
@@ -27,6 +27,8 @@ use Lintian::Tags qw(tag);
 
 use YAML::XS;
 
+$YAML::XS::LoadBlessed = 0;
+
 sub run {
     my (undef, undef, $info) = @_;
     my $yamlfile = $info->index_resolved_path('debian/upstream/metadata');
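Review bot: the assignment `$YAML::XS::LoadBlessed = 0;` is only honoured by YAML::XS releases that know the option; on an older libyaml-libyaml-perl it is silently ignored and `LoadFile` goes back to blessing loaded nodes into arbitrary packages, which is the CVE-2017-8829 behaviour that the early `return` removed below was guarding against. This diff touches no debian/control, so either add a versioned (Build-)Depends on libyaml-libyaml-perl for the release that introduced `$LoadBlessed`, or fail closed at load time by comparing `$YAML::XS::VERSION` against that release before any parsing happens. Note also that this is a process-wide global set at file scope, so every other YAML::XS user in the same lintian run inherits it; that is the safe direction here, but a one-line comment saying so would stop a later cleanup from scoping it with `local` to this check only.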
@@ -38,7 +40,6 @@ sub run {
 
     if ($yamlfile->is_open_ok) {
         my $yaml;
-        return if 1; # YAML::XS executes code
         eval { $yaml = YAML::XS::LoadFile($yamlfile->fs_path); };
         if (!$yaml) {
             my $msg;
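Review bot: with `return if 1;` gone, the `eval { $yaml = YAML::XS::LoadFile(...) }` is the only thing standing between a malformed or hostile debian/upstream/metadata and an aborted check, and it is correct only together with the `$LoadBlessed` setting added at the top of the file. Capture `$@` into a lexical immediately after the `eval` (before any other call can clobber it), and add a short comment next to the `eval` pointing at the `$LoadBlessed` line so that the two cannot be separated in a future refactor. The `if (!$yaml)` test also treats a file that legitimately loads to an empty document the same as a parse failure; if that is intended, say so in the comment.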
diff --git a/debian/changelog b/debian/changelog
index 302dc51..c3017c1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -27,6 +27,11 @@ lintian (2.5.81) UNRELEASED; urgency=medium
     + [CL] Apply patch from Thomas Dallmair to avoid false positives in the
       udev-rule-missing-subsystem tag when SUBSYSTEM GOTO is not the last
       "GOTO" statement.  Thanks!  (Closes: #894356)
+  * checks/upstream-metadata.pm:
+    + Re-enable YAML parsing of upstream metadata which was disabled in
+      2.5.51 (via #861958) to close CVE-2017-8829 as we can now use the
+      $LoadBlessed option of YAML:XS. Thanks to Dylan Aïssi for the report.
+      (Closes: #894747)
 
   * lib/Lintian/Check.pm:
     + [CL] Avoid false positives in spelling detection by allowing "(s)"
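Review bot: `YAML:XS` in the new changelog entry should read `YAML::XS`; the single colon is a typo (also present in the commit subject) and will trip spelling or package-name searches against the module name.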
diff --git a/t/tests/upstream-metadata-invalid-yml/skip b/t/tests/upstream-metadata-invalid-yml/skip
deleted file mode 100644
index d623a2b..0000000
--- a/t/tests/upstream-metadata-invalid-yml/skip
+++ /dev/null
@@ -1 +0,0 @@
-YAML::XS executes code by default and code has not been converted
\ No newline at end of file
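Review bot: deleting the skip file re-enables t/tests/upstream-metadata-invalid-yml, but the reason recorded in it ("code has not been converted") is only half addressed: the test exercises an invalid YAML file, not the blessed-object case that CVE-2017-8829 is about. Add a regression test with a metadata file carrying a `!!perl/...` tag and assert that lintian neither instantiates the named package nor crashes, so that a regression of the `$LoadBlessed` setting (or an older YAML::XS ignoring it) is caught by the suite rather than by the next advisory.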

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/lintian/lintian.git