Bug#661548: libyaml-libyaml-perl: FTBFS with hardening flags enabled: -Werror=format-security

Niko Tyni ntyni at debian.org
Fri Mar 9 06:09:54 UTC 2012


severity 661548 grave
tag 661548 security
found 661548 0.33-1
thanks

On Mon, Feb 27, 2012 at 09:44:42PM +0000, Dominic Hargreaves wrote:
> Source: libyaml-libyaml-perl
> Severity: normal
> Version: 0.38-1
> User: debian-qa at lists.debian.org
> Usertags: hardening-format-security hardening
> 
> With hardening flags enabled, this package FTBFS:
> 
> perl_libyaml.c: In function 'Load':
> perl_libyaml.c:191:5: error: format not a string literal and no format arguments [-Werror=format-security]
> perl_libyaml.c: In function 'load_node':
> perl_libyaml.c:274:9: error: format not a string literal and no format arguments [-Werror=format-security]
> perl_libyaml.c: In function 'load_mapping':
> perl_libyaml.c:318:9: error: format not a string literal and no format arguments [-Werror=format-security]
> perl_libyaml.c: In function 'load_sequence':
> perl_libyaml.c:351:9: error: format not a string literal and no format arguments [-Werror=format-security]

These format strings can be injected from user input,
so raising the severity. A DSA will be issued for squeeze.

I've just notified upstream via the RT tickets below. Could somebody from
the pkg-perl team please prepare updated packages (built with -sa for
stable-security as this is new there)?  Trivial patches can be found in

 https://rt.cpan.org/Public/Bug/Display.html?id=75365
 https://rt.cpan.org/Public/Bug/Display.html?id=46507

-- 
Niko Tyni   ntyni at debian.org
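The four compiler errors quoted above all point at the same defect class: a string that originates in the YAML document being handed to a printf-style error reporter as its format argument. The block below is an added illustration, not code from libyaml-libyaml-perl or from the linked RT patches; since Perl's croak() is only available inside XS, snprintf() stands in for it, and the error-message prefix and the sample input are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Vulnerable shape, the one -Wformat-security flags: the caller-supplied
 * message *is* the format string, so any '%' directives inside a YAML
 * document would be interpreted by the formatter instead of printed.
 *
 *     static void fail(const char *msg) { croak(msg); }
 *
 * It is left as a comment on purpose: calling it with a message that
 * contains '%' is undefined behaviour, which is exactly the problem.
 */

/*
 * Hardened shape, matching the kind of fix the bug report asks for:
 * a string-literal format, with the untrusted message passed as a '%s'
 * argument so its contents are copied verbatim.  (snprintf() stands in
 * for croak(); the "Error: " prefix is an assumption for this example.)
 */
static int format_error(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "Error: %s", msg);
}

/* Number of characters the formatted message would occupy. */
int error_message_length(const char *msg)
{
    char buf[256];
    return format_error(buf, sizeof buf, msg);
}

/*
 * Returns 1 when a message carrying '%' directives comes out of the
 * formatter unchanged, i.e. the directives were treated as data.
 */
int percent_is_preserved(void)
{
    char buf[256];
    /* Constructed input standing in for a hostile YAML tag or scalar. */
    const char *constructed = "bad tag: %x %n";

    format_error(buf, sizeof buf, constructed);
    return strstr(buf, "bad tag: %x %n") != NULL;
}

int main(void)
{
    printf("preserved=%d length=%d\n",
           percent_is_preserved(),
           error_message_length("bad tag: %x %n"));
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` (or the `-Werror=format-security` used in the hardened Debian build) is the cheap regression check: the commented-out `croak(msg)` form fails to build, while the `"%s"` form is silent, so the flag can be left on permanently rather than only for the one rebuild.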