Bug 25900

Summary: perl-YAML new security issue fixed upstream in 1.28
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, mageia, shlomif, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: perl-YAML-1.270.0-1.mga7.src.rpm CVE:
Status comment:
Attachments: config file
testyaml perl command

Comment 1 Lewis Smith 2019-12-19 20:23:04 CET 
No predominant active committer, so assigning this globally. CC'ing Shlomi as the registered maintainer.

CC: (none) => shlomif
Assignee: bugsquad => pkg-bugs

David Walser 2020-01-14 17:41:44 CET

Status comment: (none) => Fixed upstream in 1.28

Comment 2 Nicolas Lécureuil 2020-05-24 15:54:31 CEST 
looking to the changelog, i updated to 1.30

1.30 Mon 27 Jan 2020 11:09:46 PM CET
 - Breaking Change: Set $YAML::LoadBlessed default to false to make it more
   secure
 
1.29 Sat 11 May 2019 10:26:54 AM CEST
 - Fix regex for alias to match the one for anchors (PR#214 TINITA)
 
1.28 Sun 28 Apr 2019 11:46:21 AM CEST
 - Security fix: only enable loading globs when $LoadCode is set (PR#213
   TINITA)


src.rpm: perl-YAML-1.300.0-1.mga7

CC: (none) => mageia
Assignee: pkg-bugs => qa-bugs

Comment 3 David Walser 2020-05-24 16:11:43 CEST 
Advisory:
========================

Updated perl-YAML package fixes security vulnerability:

This update enforces that $LoadCode must be enabled to use the feature of
evaluating typeglobs, because with the typeglob feature you would be able to
set the variable $YAML::LoadCode from a YAML file, and that would be a security
issue.

The perl-YAML package has been updated to version 1.30, fixing this issue and
other bugs.

References:
https://metacpan.org/changes/distribution/YAML
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MKJQXJGMWYVDZSQFDB4EJ2WNJ6RU65J4/

Status comment: Fixed upstream in 1.28 => (none)

Comment 4 Herman Viaene 2020-07-03 12:18:08 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 14689 for testing.
Made the config file (putting version 7) and the test command (will attah the files.
To run I needed to install the perl-YAML-LibYAML package, and then get:
$ perl testyaml.pl
$VAR1 = {
          'Version' => 7,
          'Desktop' => [
                         'KDE',
                         'GNOME'
                       ],
          'Distribution' => 'Mageia',
          'Format' => {
                        'classical' => [
                                         '32 bits',
                                         '64 bits'
                                       ],
                        'live' => [
                                    'CD',
                                    'DVD'
                                  ]
                      }
        };

which as far as I can judge is OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 5 Herman Viaene 2020-07-03 12:18:34 CEST 
Created attachment 11731 [details]
config file
Comment 6 Herman Viaene 2020-07-03 12:19:26 CEST 
Created attachment 11732 [details]
testyaml perl command
Comment 7 Thomas Andrews 2020-07-04 03:48:14 CEST 
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Nicolas Lécureuil 2020-07-05 10:06:42 CEST

Keywords: (none) => advisory

Comment 8 Mageia Robot 2020-07-05 10:47:50 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0275.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED