Bug#880368: YAML::XS::Load expects utf8 octets, not perl's encoding; use slurp_raw
Dominique Dumont
dod at debian.org
Sun Dec 15 18:30:42 GMT 2019
On Fri, 13 Dec 2019 14:23:46 +0100 Andrej Shadura
<andrew.shadura at collabora.co.uk> wrote:
> As a temporary workaround, I patched the locally used version to use
> YAML::XS, but as I see you won't accept this patch upstream. Is there a
> solution that would satisfy both conditions of how having security
> issues and supporting proper YAML?
The YAML::XS security issues have been fixed upstream. Now
Config::Model::Backend::Yaml uses YAML::XS.
That said, YAML input and output is used in several places in
libconfig-model-dpkg-perl. I fail to see your use case which involves
debian/copyright in YAML format.
Could you provide more details on your use case?
> By the way, what are those security
> issues and how serious and relevant to scan-copyrights are they?
The YAML specification allows serialisation of Perl objects, which means their
destructor is invoked when such an object is destroyed. Since the YAML data that
may contain a Perl object may come from an untrusted package source, this was a
security issue (albeit quite far-fetched).
Anyway, YAML::XS now has a switch to disable object creation when loading
YAML. See https://github.com/ingydotnet/yaml-libyaml-pm/issues/45 for more
details.
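Added example (not part of this thread or of libconfig-model-dpkg-perl): a self-contained Perl script showing the mechanism described above and the switch that closes it. It assumes a YAML::XS recent enough to provide $YAML::XS::LoadBlessed; the Demo::Cleanup class and the YAML document are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use YAML::XS ();                 # Load() and the $YAML::XS::LoadBlessed switch
use Scalar::Util qw(blessed);

# Hypothetical class standing in for any class that defines a DESTROY method.
# Its destructor only counts how often it ran, to make the invocation visible.
package Demo::Cleanup {
    our $destroyed = 0;
    sub DESTROY { $destroyed++ }
}
package main;

# Constructed, untrusted-looking YAML document: the tag asks the loader to
# bless the mapping into Demo::Cleanup.
my $yaml = "--- !!perl/hash:Demo::Cleanup\nname: example\n";

# Load the document with a given value of the blessing switch and report
# what kind of value came back and whether a destructor ran afterwards.
sub load_with_blessing_switch {
    my ($allow_blessed) = @_;
    local $YAML::XS::LoadBlessed = $allow_blessed;
    $Demo::Cleanup::destroyed = 0;
    my $ref_type;
    {
        my $data = YAML::XS::Load($yaml);
        $ref_type = blessed($data) // ref($data);
    }   # $data goes out of scope here; DESTROY fires only if it was blessed
    return ($ref_type, $Demo::Cleanup::destroyed);
}

# Old behaviour: the tag is honoured, an object is created, DESTROY runs.
my ($unsafe_type, $unsafe_destroyed) = load_with_blessing_switch(1);
# Hardened setting: the tag is ignored, a plain hash comes back, no code runs.
my ($safe_type, $safe_destroyed) = load_with_blessing_switch(0);

printf "LoadBlessed=1: got %s, DESTROY ran %d time(s)\n",
    $unsafe_type, $unsafe_destroyed;
printf "LoadBlessed=0: got %s, DESTROY ran %d time(s)\n",
    $safe_type, $safe_destroyed;
```

With the switch set to 0 the loaded value is a plain HASH and the destructor count stays at 0; with it set to 1 the value is a Demo::Cleanup object and DESTROY runs once when it is freed.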