Bug#1107116: bookworm-pu: package libyaml-libyaml-perl/0.86+ds-1+deb12u1
Salvatore Bonaccorso
carnil at debian.org
Sun Jun 1 20:18:49 BST 2025
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: libyaml-libyaml-perl at packages.debian.org, carnil at debian.org, Debian Perl Group <pkg-perl-maintainers at lists.alioth.debian.org>
Control: affects -1 + src:libyaml-libyaml-perl
User: release.debian.org at packages.debian.org
Usertags: pu
Hi Stable release managers,
[ Reason ]
libyaml-libyaml-perl is vulnerable to CVE-2025-40908, where LoadFile
uses a 2-args open, which allows truncating existing files. Do not
think this warrants a DSA, so switching hat to Perl team, proposing a
bookworm-pu update.
[ Impact ]
Remains otherwise vulnerable to CVE-2025-40908.
[ Tests ]
Manual test, as the upstream version does not (yet) contain a testcase
in the testsuite.
[ Risks ]
Switches from the unsafe 2-args open call to the 3-args open call,
which should be fairly riskless; the fix has been exposed in unstable
and testing for a while now.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
As per above, switch from 2-args open to the 3-args open.
[ Other info ]
None.
Regards,
Salvatore
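The truncation described under [ Reason ] and the fix under [ Changes ], as an added Perl example that is not part of this report or of YAML::XS: `load_legacy` and `load_fixed` stand in for the old and new LoadFile bodies, and the YAML file they operate on is constructed in a temporary directory.

```perl
#!/usr/bin/perl
# Added example (not from the package or upstream module): contrasts the
# two-argument open that LoadFile used with the three-argument form from
# the fix, against a file created here in a temporary directory.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Reads the way the unpatched LoadFile did. With the 2-arg form a leading
# '>' in $filename is parsed as the open mode, so the named file is opened
# for writing (and truncated) instead of being read.
sub load_legacy {
    my ($filename) = @_;
    open my $in, $filename or die "Can't open '$filename': $!";
    return do { local $/; <$in> };
}

# Reads the way the patched LoadFile does: the mode is a separate
# argument, so every character of $filename is treated as the path.
sub load_fixed {
    my ($filename) = @_;
    open my $in, '<', $filename or die "Can't open '$filename': $!";
    return do { local $/; <$in> };
}

# Constructed input: a small YAML file to load.
my $dir  = tempdir(CLEANUP => 1);
my $file = File::Spec->catfile($dir, 'config.yaml');
open my $out, '>', $file or die "Can't create '$file': $!";
print $out "key: value\n";
close $out;

# A caller-supplied name with a leading '>' (the pattern from issue #120).
my $crafted = ">$file";

eval { load_fixed($crafted) };
print "fixed loader: ", ($@ ? "refused (no such path)" : "opened"), "\n";
printf "size after fixed loader:  %d bytes\n", -s $file;   # still 11

eval { load_legacy($crafted) };
printf "size after legacy loader: %d bytes\n", -s $file;   # 0: truncated
```

Perl::Critic's InputOutput::ProhibitTwoArgOpen policy flags the legacy form, which is a cheap way to find other instances in a code base.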
diff -Nru libyaml-libyaml-perl-0.86+ds/debian/changelog libyaml-libyaml-perl-0.86+ds/debian/changelog
--- libyaml-libyaml-perl-0.86+ds/debian/changelog 2023-01-30 20:54:32.000000000 +0100
+++ libyaml-libyaml-perl-0.86+ds/debian/changelog 2025-06-01 21:07:59.000000000 +0200
@@ -1,3 +1,10 @@
+libyaml-libyaml-perl (0.86+ds-1+deb12u1) bookworm; urgency=medium
+
+ * Team upload.
+ * Use 3-arg form of open in LoadFile (CVE-2025-40908)
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Sun, 01 Jun 2025 21:07:59 +0200
+
libyaml-libyaml-perl (0.86+ds-1) unstable; urgency=medium
* Import upstream versions 0.85+ds, 0.86+ds.
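Review bot: the changelog line `Use 3-arg form of open in LoadFile (CVE-2025-40908)` says what changed but not what it defends against; for a stable update it helps to carry the impact stated in the patch description into the entry, e.g. `Use 3-arg form of open in LoadFile so a filename starting with '>' can no longer truncate that file (CVE-2025-40908)`, so that readers of the changelog see why the package moved.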
diff -Nru libyaml-libyaml-perl-0.86+ds/debian/patches/Use-3-arg-form-of-open-in-LoadFile.patch libyaml-libyaml-perl-0.86+ds/debian/patches/Use-3-arg-form-of-open-in-LoadFile.patch
--- libyaml-libyaml-perl-0.86+ds/debian/patches/Use-3-arg-form-of-open-in-LoadFile.patch 1970-01-01 01:00:00.000000000 +0100
+++ libyaml-libyaml-perl-0.86+ds/debian/patches/Use-3-arg-form-of-open-in-LoadFile.patch 2025-06-01 21:07:59.000000000 +0200
@@ -0,0 +1,31 @@
+From: =?UTF-8?q?Tina=20M=C3=BCller?= <cpan2 at tinita.de>
+Date: Wed, 29 Jan 2025 21:17:28 +0100
+Subject: Use 3-arg form of open in LoadFile
+Origin: https://github.com/ingydotnet/yaml-libyaml-pm/commit/5fe9daed726c06900c3cd41a739460057bec6dc3
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-40908
+
+Fixes https://github.com/ingydotnet/yaml-libyaml-pm/issues/120
+
+Otherwise `$filename = ">file.yaml"; LoadFile($filename)` will truncate a file.
+
+One should check untrusted filenames in any case, though.
+---
+ lib/YAML/XS.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/YAML/XS.pm b/lib/YAML/XS.pm
+index 66ff5bac7d15..e8df694dd51e 100644
+--- a/lib/YAML/XS.pm
++++ b/lib/YAML/XS.pm
+@@ -54,7 +54,7 @@ sub LoadFile {
+ $IN = $filename;
+ }
+ else {
+- open $IN, $filename
++ open $IN, '<', $filename
+ or die "Can't open '$filename' for input:\n$!";
+ }
+ return YAML::XS::LibYAML::Load(do { local $/; local $_ = <$IN> });
+--
+2.49.0
+
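Review bot: the nested hunk's replacement `open $IN, '<', $filename` is the right fix, but it also changes one legitimate case besides the malicious ones: with the 2-arg form a filename of `-` meant "read from STDIN", whereas the 3-arg form opens a file literally named `-`. That is the intended hardening, yet it is a visible behaviour change for any caller using `LoadFile('-')`, so a sentence in the patch description or changelog would save a bug report. Separately, the `From:` header is still RFC 2047 encoded (`=?UTF-8?q?Tina=20M=C3=BCller?=`); decoding it to the plain name keeps the DEP-3 header readable.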
diff -Nru libyaml-libyaml-perl-0.86+ds/debian/patches/series libyaml-libyaml-perl-0.86+ds/debian/patches/series
--- libyaml-libyaml-perl-0.86+ds/debian/patches/series 2023-01-30 20:54:32.000000000 +0100
+++ libyaml-libyaml-perl-0.86+ds/debian/patches/series 2025-06-01 21:07:59.000000000 +0200
@@ -1 +1,2 @@
system-libyaml.patch
+Use-3-arg-form-of-open-in-LoadFile.patch