Re: Fwd: Re: [scr330159] lintian - 2.5.41, not fixed yet

To: debian-security@lists.debian.org
Subject: Re: Fwd: Re: [scr330159] lintian - 2.5.41, not fixed yet
From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Date: Mon, 8 May 2017 22:42:34 +0200
Message-id: <[🔎] 1494275894@msgid.manchmal.in-ulm.de>
In-reply-to: <[🔎] c000feaf-e596-880e-dd3b-bfb7e4abef5e@thykier.net>
References: <6101ddd5e5524b88850365f3e7508457@imshyb01.MITRE.ORG> <[🔎] c000feaf-e596-880e-dd3b-bfb7e4abef5e@thykier.net>

Niels Thykier wrote...

> > Deserialization vulnerability in lintian through 2.5.50.3
> > allows attackers to trigger code execution by requesting a review of
> > a source package with a crafted YAML file.

In my opinion lintian is just the victim of an issue in the YAML::XS
module (libyaml-libyaml-perl) where serialized objects are
re-instantiatiated unconditionally. To resolve that problem, I've
started a discussion on the debian-perl@ list.

    Christoph

Attachment: signature.asc
Description: Digital signature

Reply to:

References:
- Fwd: Re: [scr330159] lintian - 2.5.41, not fixed yet
  - From: Niels Thykier <niels@thykier.net>

Prev by Date: Fwd: Re: [scr330159] lintian - 2.5.41, not fixed yet
Next by Date: Re: bind9 CVE-2017-3137
Previous by thread: Fwd: Re: [scr330159] lintian - 2.5.41, not fixed yet
Next by thread: Re: bind9 CVE-2017-3137
Index(es):
- Date
- Thread