[lintian] 01/01: Re-enable YAML parsing of upstream metadata which was disabled in 2.5.51 (via #861958) to close CVE-2017-8829 as we can now use the $LoadBlessed option of YAML:XS. (Closes: #894747)
This is an automated email from the git hooks/post-receive script.
lamby pushed a commit to branch master
in repository lintian.
commit fd55f0d4df464b05446573768ac7826530d3c308
Author: Chris Lamb <lamby@debian.org>
Date: Tue Apr 3 22:31:47 2018 +0100
Re-enable YAML parsing of upstream metadata which was disabled in 2.5.51 (via #861958) to close CVE-2017-8829 as we can now use the $LoadBlessed option of YAML:XS. (Closes: #894747)
---
checks/upstream-metadata.pm | 3 ++-
debian/changelog | 5 +++++
t/tests/upstream-metadata-invalid-yml/skip | 1 -
3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/checks/upstream-metadata.pm b/checks/upstream-metadata.pm
index c9d347b..4e2da86 100644
--- a/checks/upstream-metadata.pm
+++ b/checks/upstream-metadata.pm
@@ -27,6 +27,8 @@ use Lintian::Tags qw(tag);
use YAML::XS;
+$YAML::XS::LoadBlessed = 0;
+
sub run {
my (undef, undef, $info) = @_;
my $yamlfile = $info->index_resolved_path('debian/upstream/metadata');
@@ -38,7 +40,6 @@ sub run {
if ($yamlfile->is_open_ok) {
my $yaml;
- return if 1; # YAML::XS executes code
eval { $yaml = YAML::XS::LoadFile($yamlfile->fs_path); };
if (!$yaml) {
my $msg;
diff --git a/debian/changelog b/debian/changelog
index 302dc51..c3017c1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -27,6 +27,11 @@ lintian (2.5.81) UNRELEASED; urgency=medium
+ [CL] Apply patch from Thomas Dallmair to avoid false positives in the
udev-rule-missing-subsystem tag when SUBSYSTEM GOTO is not the last
"GOTO" statement. Thanks! (Closes: #894356)
+ * checks/upstream-metadata.pm:
+ + Re-enable YAML parsing of upstream metadata which was disabled in
+ 2.5.51 (via #861958) to close CVE-2017-8829 as we can now use the
+ $LoadBlessed option of YAML:XS. Thanks to Dylan Aïssi for the report.
+ (Closes: #894747)
* lib/Lintian/Check.pm:
+ [CL] Avoid false positives in spelling detection by allowing "(s)"
diff --git a/t/tests/upstream-metadata-invalid-yml/skip b/t/tests/upstream-metadata-invalid-yml/skip
deleted file mode 100644
index d623a2b..0000000
--- a/t/tests/upstream-metadata-invalid-yml/skip
+++ /dev/null
@@ -1 +0,0 @@
-YAML::XS executes code by default and code has not been converted
\ No newline at end of file
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/lintian/lintian.git
Reply to: