Bug 34448 - perl-YAML-LibYAML new security issue CVE-2025-40908
Summary: perl-YAML-LibYAML new security issue CVE-2025-40908
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 31852
Reported: 2025-07-08 17:34 CEST by Nicolas Salguero
Modified: 2025-11-12 22:32 CET (History)

See Also:
Source RPM: perl-YAML-LibYAML-0.860.0-1.mga9.src.rpm
CVE: CVE-2025-40908
Status comment:



Description Nicolas Salguero 2025-07-08 17:34:13 CEST
openSUSE has issued an advisory on July 5:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/HKC72252CNE2PZENAI7UN24YB5X2Z5EK/
Comment 1 Nicolas Salguero 2025-07-08 17:34:37 CEST
Fixed by: https://github.com/ingydotnet/yaml-libyaml-pm/commit/5fe9daed726c06900c3cd41a739460057bec6dc3 (v0.903.0)

CVE: (none) => CVE-2025-40908
Source RPM: (none) => perl-YAML-LibYAML-0.860.0-1.mga9.src.rpm

Comment 2 Lewis Smith 2025-07-21 20:37:21 CEST
The simple patch is a long way down the page.

Status comment: (none) => patch given
Assignee: bugsquad => perl

Comment 3 Nicolas Salguero 2025-11-10 14:24:08 CET
Suggested advisory:
========================

The updated package fixes a security vulnerability:

YAML-LibYAML prior to 0.903.0 for Perl uses 2-args open, allowing existing files to be modified. (CVE-2025-40908)

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/HKC72252CNE2PZENAI7UN24YB5X2Z5EK/
========================

Updated package in core/updates_testing:
========================
perl-YAML-LibYAML-0.860.0-1.1.mga9

from SRPM:
perl-YAML-LibYAML-0.860.0-1.1.mga9.src.rpm

Assignee: perl => qa-bugs
Status: NEW => ASSIGNED
Status comment: patch given => (none)
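
To make the advisory's one-line description concrete, here is an added illustration (written for this page; it is neither the module's code nor the upstream patch) of why Perl's 2-argument open is unsafe for a caller-supplied path and what the 3-argument form changes. The temporary directory and file names are constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed demo: with the 2-argument open, a leading '>' in the name is
# parsed as the open mode, so what looks like a read opens the file for
# writing and truncates it. That is the "existing files can be modified"
# effect the advisory describes.
my $dir    = tempdir(CLEANUP => 1);
my $victim = "$dir/existing.yaml";

# Create the pre-existing file whose content should survive a load.
open my $fh, '>', $victim or die "create: $!";
print $fh "key: value\n";
close $fh;

# Unsafe pattern: mode and name travel together in one string.
sub load_2arg {
    my ($name) = @_;
    open my $in, $name or return "open failed: $!";   # BAD: mode taken from $name
    local $/;
    my $data = <$in>;   # handle was opened write-only, so this warns and yields undef
    close $in;
    return defined $data ? $data : '';
}

# Hardened pattern: the mode is a separate argument, so the name is literal.
sub load_3arg {
    my ($name) = @_;
    open my $in, '<', $name or return "open failed: $!";
    local $/;
    my $data = <$in>;
    close $in;
    return defined $data ? $data : '';
}

my $tricky = ">$victim";   # caller-controlled name beginning with '>'

# 3-arg form: no file is literally named ">$dir/existing.yaml", so it fails closed.
print "3-arg: ", load_3arg($tricky), "\n";
print "size after 3-arg: ", (-s $victim) || 0, " bytes\n";   # still 11

# 2-arg form: '>' becomes the mode and existing.yaml is truncated.
print "2-arg: '", load_2arg($tricky), "'\n";
print "size after 2-arg: ", (-s $victim) || 0, " bytes\n";   # now 0
```

The same hazard applies to any loader or dumper that interpolates an untrusted name into the open string; auditing for `open` calls with fewer than three arguments is the quickest way to find them.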

katnatek 2025-11-11 22:53:54 CET

Keywords: (none) => advisory

katnatek 2025-11-12 02:44:49 CET

Blocks: (none) => 31852

Comment 4 katnatek 2025-11-12 03:13:01 CET
Tested with some other perl in testing

LC_ALL=C urpmi /home/katnatek/qa-testing/x86_64/perl*

installing perl-5.36.0-1.2.mga9.x86_64.rpm perl-base-5.36.0-1.2.mga9.x86_64.rpm perl-doc-5.36.0-1.2.mga9.noarch.rpm from /home/katnatek/qa-testing/x86_64
Preparing...                     ####################################################################################################
      1/3: perl-base             ####################################################################################################
      2/3: perl                  ####################################################################################################
      3/3: perl-doc              ####################################################################################################
      1/3: removing perl-doc-2:5.36.0-1.1.mga9.noarch
                                 ####################################################################################################
      2/3: removing perl-2:5.36.0-1.1.mga9.x86_64
                                 ####################################################################################################
      3/3: removing perl-base-2:5.36.0-1.1.mga9.x86_64
                                 ####################################################################################################
restarting urpmi
Packages perl-5.36.0-1.2.mga9.x86_64, perl-doc-5.36.0-1.2.mga9.noarch, perl-base-5.36.0-1.2.mga9.x86_64 are already installed
Marking perl as manually installed, it won't be auto-orphaned
Marking perl-doc as manually installed, it won't be auto-orphaned
Marking perl-base as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release")
  perl-Archive-Zip               1.680.0      2.mga9        noarch  
  perl-CPAN-Checksums            2.140.0      2.mga9        noarch  
  perl-CPAN-Perl-Releases        5.202.302.2> 1.mga9        noarch  
  perl-Compress-Bzip2            2.280.0      4.mga9        x86_64  
  perl-Data-Compare              1.270.0      3.mga9        noarch  
  perl-Expect                    1.350.0      6.mga9        noarch  
  perl-File-Find-Rule            0.340.0      5.mga9        noarch  
  perl-File-HomeDir              1.6.0        2.mga9        noarch  
  perl-File-Which                1.270.0      2.mga9        noarch  
  perl-IO-Tty                    1.170.0      1.mga9        x86_64  
  perl-Log-Dispatch              2.700.0      2.mga9        noarch  
  perl-Log-Log4perl              1.570.0      1.mga9        noarch  
  perl-Mail-Sender               0.903.0      4.mga9        noarch  
  perl-Mail-Sendmail             0.800.0      5.mga9        noarch  
  perl-Module-Signature          0.880.0      2.mga9        noarch  
  perl-Number-Compare            0.30.0       10.mga9       noarch  
  perl-Text-Glob                 0.110.0      4.mga9        noarch  
  perl-XML-DOM                   1.460.0      4.mga9        noarch  
  perl-XML-RegExp                0.40.0       10.mga9       noarch  
  perl-YAML-Syck                 1.340.0      4.mga9        x86_64  
  perl-libxml-perl               0.80.0       11.mga9       noarch  
  systemtap-sdt-devel            4.8          2.mga9        x86_64  
(command line)
  perl-CPAN                      2.340.0      1.1.mga9      noarch  
  perl-HTTP-Tiny                 0.82.0       1.1.mga9      noarch  
  perl-YAML-LibYAML              0.860.0      1.1.mga9      x86_64  
  perl-devel                     5.36.0       1.2.mga9      x86_64  
7.2MB of additional disk space will be used.
2.2MB of packages will be retrieved.
Proceed with the installation of the 26 packages? (Y/n) y

installing /home/katnatek/qa-testing/x86_64/perl-devel-5.36.0-1.2.mga9.x86_64.rpm                                                     
Preparing...                     ####################################################################################################
     1/26: perl-Text-Glob        ####################################################################################################
     2/26: perl-Compress-Bzip2   ####################################################################################################
     3/26: perl-File-Which       ####################################################################################################
     4/26: perl-Module-Signature ####################################################################################################
     5/26: perl-File-HomeDir     ####################################################################################################
     6/26: perl-IO-Tty           ####################################################################################################
     7/26: perl-Expect           ####################################################################################################
     8/26: perl-Mail-Sender      ####################################################################################################
     9/26: systemtap-sdt-devel   ####################################################################################################
    10/26: perl-HTTP-Tiny        ####################################################################################################
    11/26: perl-Number-Compare   ####################################################################################################
    12/26: perl-File-Find-Rule   ####################################################################################################
    13/26: perl-Data-Compare     ####################################################################################################
    14/26: perl-CPAN-Checksums   ####################################################################################################
    15/26: perl-Archive-Zip      ####################################################################################################
    16/26: perl-Mail-Sendmail    ####################################################################################################
    17/26: perl-Log-Dispatch     ####################################################################################################
    18/26: perl-YAML-LibYAML     ####################################################################################################
    19/26: perl-libxml-perl      ####################################################################################################
    20/26: perl-YAML-Syck        ####################################################################################################
    21/26: perl-XML-RegExp       ####################################################################################################
    22/26: perl-XML-DOM          ####################################################################################################
    23/26: perl-Log-Log4perl     ####################################################################################################
    24/26: perl-CPAN-Perl-Releases
                                 ####################################################################################################
    25/26: perl-CPAN             ####################################################################################################
    26/26: perl-devel            ####################################################################################################

The restart of urpmi and the end of installation without issues are a good signal
mcc works OK after the update

The methods to test this look obsolete
Giving OK on clean install

Whiteboard: (none) => MGA9-64-OK

Comment 5 Thomas Andrews 2025-11-12 19:37:47 CET
Yes, they were for Mageia 3 and 4 - quite a while ago.

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Mageia Robot 2025-11-12 22:32:49 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0275.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
