The YAML::XS situation

To: debian-perl@lists.debian.org
Subject: The YAML::XS situation
From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date: Sun, 7 May 2017 21:57:54 +0200
Message-id: <[🔎] 1494186870@msgid.manchmal.in-ulm.de>

Those who missed it: lintian is affected by

 insecure YAML validation - https://bugs.debian.org/861958

Summary: YAML, at least in the YAML::XS implementation, allows one to
store a class name as well (I didn't know that), and upon read an
object is re-instantiated (I didn't know that either), and this
behaviour *cannot* be turned off by some switch. The latter is the
worst part as it allows several attacks when loading YAML from an
untrusted sourcce, the bug above provides an example.

To make things even more complicated, someone considered forking the
upstream module but AFAICS no result so far:

  https://github.com/perl11/cperl/issues/198

In my opinion the situation requires action to avoid usage of that
module opens an attack vector on our users' systems. Recommending
other YAML implementations is probably not a solution since, besides
performance issues, they do not show the same behaviour, for example
wrt utf-8 encoding [citation needed].

So this leaves us with fixing the module libyaml-libyaml-perl, also in
older releases, and reviewing all code in Debian that uses this
package. There are about 38 packages to sift through, and at a quick
glance duck (Debian URL checker) is one of those that are affected.

However I cannot see a solution that creates havoc on some places as
well.

So, options:

* Disable the re-instatiation entirely

  Pro: Rather easy to do
  Con: Breaks applications that actually rely on that feature (are
  there any?)

* Make the re-instatiation configurable, default ON

  Cons:
  - Technically, introducing such a switch means a fork, which is a
    bad thing.
  - We'd have to identify all applications that use YAML::XS on
    untrusted data and patch them to disable that feature.

* Make the re-instatiation configurable, default OFF

  Pro: Playing safe
  Con:
  - As above, it's a fork
  - This makes applications behave different when running on different
    distributions.
  - We'd have to identify all applications that actually need that
    feature and patch them. As above, their number might be zero but
    certainly is lower than with "default ON" above.

More ideas?

    Christoph

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Re: The YAML::XS situation
  - From: Paul Wise <pabs@debian.org>

Prev by Date: Re: libdbd-mysql-perl: Regression for zerofill columns
Next by Date: Re: The YAML::XS situation
Previous by thread: Re: libdbd-mysql-perl: Regression for zerofill columns
Next by thread: Re: The YAML::XS situation
Index(es):
- Date
- Thread