Those who missed it: lintian is affected by insecure YAML validation - https://bugs.debian.org/861958 Summary: YAML, at least in the YAML::XS implementation, allows one to store a class name as well (I didn't know that), and upon read an object is re-instantiated (I didn't know that either), and this behaviour *cannot* be turned off by some switch. The latter is the worst part as it allows several attacks when loading YAML from an untrusted sourcce, the bug above provides an example. To make things even more complicated, someone considered forking the upstream module but AFAICS no result so far: https://github.com/perl11/cperl/issues/198 In my opinion the situation requires action to avoid usage of that module opens an attack vector on our users' systems. Recommending other YAML implementations is probably not a solution since, besides performance issues, they do not show the same behaviour, for example wrt utf-8 encoding [citation needed]. So this leaves us with fixing the module libyaml-libyaml-perl, also in older releases, and reviewing all code in Debian that uses this package. There are about 38 packages to sift through, and at a quick glance duck (Debian URL checker) is one of those that are affected. However I cannot see a solution that creates havoc on some places as well. So, options: * Disable the re-instatiation entirely Pro: Rather easy to do Con: Breaks applications that actually rely on that feature (are there any?) * Make the re-instatiation configurable, default ON Cons: - Technically, introducing such a switch means a fork, which is a bad thing. - We'd have to identify all applications that use YAML::XS on untrusted data and patch them to disable that feature. * Make the re-instatiation configurable, default OFF Pro: Playing safe Con: - As above, it's a fork - This makes applications behave different when running on different distributions. - We'd have to identify all applications that actually need that feature and patch them. As above, their number might be zero but certainly is lower than with "default ON" above. More ideas? Christoph
Attachment:
signature.asc
Description: Digital signature