Bug 25900 - perl-YAML new security issue fixed upstream in 1.28
Summary: perl-YAML new security issue fixed upstream in 1.28
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-12-19 17:59 CET by David Walser
Modified: 2020-07-05 10:47 CEST (History)

See Also:
Source RPM: perl-YAML-1.270.0-1.mga7.src.rpm
CVE:
Status comment:


Attachments
config file (149 bytes, application/x-yaml)
2020-07-03 12:18 CEST, Herman Viaene
testyaml perl command (155 bytes, application/x-perl)
2020-07-03 12:19 CEST, Herman Viaene

Comment 1 Lewis Smith 2019-12-19 20:23:04 CET
No predominant active committer, so assigning this globally. CC'ing Shlomi as the registered maintainer.

CC: (none) => shlomif
Assignee: bugsquad => pkg-bugs

David Walser 2020-01-14 17:41:44 CET

Status comment: (none) => Fixed upstream in 1.28

Comment 2 Nicolas Lécureuil 2020-05-24 15:54:31 CEST
Looking at the changelog, I updated to 1.30

1.30 Mon 27 Jan 2020 11:09:46 PM CET
 - Breaking Change: Set $YAML::LoadBlessed default to false to make it more
   secure
 
1.29 Sat 11 May 2019 10:26:54 AM CEST
 - Fix regex for alias to match the one for anchors (PR#214 TINITA)
 
1.28 Sun 28 Apr 2019 11:46:21 AM CEST
 - Security fix: only enable loading globs when $LoadCode is set (PR#213
   TINITA)


src.rpm: perl-YAML-1.300.0-1.mga7

CC: (none) => mageia
Assignee: pkg-bugs => qa-bugs

Comment 3 David Walser 2020-05-24 16:11:43 CEST
Advisory:
========================

Updated perl-YAML package fixes security vulnerability:

This update enforces that $LoadCode must be enabled to use the feature of
evaluating typeglobs, because with the typeglob feature you would be able to
set the variable $YAML::LoadCode from a YAML file, and that would be a security
issue.

The perl-YAML package has been updated to version 1.30, fixing this issue and
other bugs.

References:
https://metacpan.org/changes/distribution/YAML
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MKJQXJGMWYVDZSQFDB4EJ2WNJ6RU65J4/

Status comment: Fixed upstream in 1.28 => (none)
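
As an added illustration of the point in the advisory (this is not code from the bug report or from the YAML distribution), the loader below refuses to run on a YAML.pm older than the fixed 1.28, and localises the $YAML::LoadCode and $YAML::LoadBlessed globals to 0 around the Load call so that nothing in the process, and nothing read from the document, can leave code or glob evaluation switched on. The config text is constructed here to mirror the structure printed in the QA test; load_config_safely and MIN_SAFE_VERSION are names chosen for this example.

```perl
#!/usr/bin/perl
# Added example, not part of the bug report: load a YAML config with YAML.pm
# while keeping the code/glob and blessing features disabled.
use strict;
use warnings;
use YAML qw(Load);
use Data::Dumper;

# The typeglob/$LoadCode issue was fixed in YAML 1.28 (see the advisory);
# 1.30 additionally defaults $YAML::LoadBlessed to false.
my $MIN_SAFE_VERSION = 1.28;

sub load_config_safely {
    my ($yaml_text) = @_;
    die "YAML.pm $YAML::VERSION is older than $MIN_SAFE_VERSION; upgrade first\n"
        if $YAML::VERSION < $MIN_SAFE_VERSION;

    # These are package globals; localise them so the settings cannot be
    # changed persistently by other code or by a value from the document.
    local $YAML::LoadCode    = 0;   # no code/glob evaluation from the document
    local $YAML::LoadBlessed = 0;   # no blessing into arbitrary classes

    my $config = Load($yaml_text);
    die "config root is not a mapping\n" unless ref $config eq 'HASH';
    return $config;
}

# Constructed sample config with the same shape as the QA test output.
my $constructed_config = <<'YAML';
---
Version: 7
Distribution: Mageia
Desktop:
  - KDE
  - GNOME
Format:
  classical: ['32 bits', '64 bits']
  live: [CD, DVD]
YAML

my $config = load_config_safely($constructed_config);
print Data::Dumper->Dump([$config], ['config']);
# Outside the sub the globals are back to whatever they were before.
print "LoadCode is now: ", ($YAML::LoadCode ? 'on' : 'off'), "\n";
```

Keeping the two globals at 0 is the relevant check when the YAML comes from anything other than fully trusted, locally written files.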

Comment 4 Herman Viaene 2020-07-03 12:18:08 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 14689 for testing.
Made the config file (putting version 7) and the test command (will attach the files).
To run I needed to install the perl-YAML-LibYAML package, and then get:
$ perl testyaml.pl
$VAR1 = {
          'Version' => 7,
          'Desktop' => [
                         'KDE',
                         'GNOME'
                       ],
          'Distribution' => 'Mageia',
          'Format' => {
                        'classical' => [
                                         '32 bits',
                                         '64 bits'
                                       ],
                        'live' => [
                                    'CD',
                                    'DVD'
                                  ]
                      }
        };

which as far as I can judge is OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 5 Herman Viaene 2020-07-03 12:18:34 CEST
Created attachment 11731 [details]
config file
Comment 6 Herman Viaene 2020-07-03 12:19:26 CEST
Created attachment 11732 [details]
testyaml perl command
Comment 7 Thomas Andrews 2020-07-04 03:48:14 CEST
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Nicolas Lécureuil 2020-07-05 10:06:42 CEST

Keywords: (none) => advisory

Comment 8 Mageia Robot 2020-07-05 10:47:50 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0275.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
