devscripts: CVE-2018-13043 - grep-excuses uses YAML::Syck in an unsafe way

Related Vulnerabilities: CVE-2018-13043  

Debian Bug report logs - #902409
devscripts: CVE-2018-13043 - grep-excuses uses YAML::Syck in an unsafe way


Reported by: Ansgar Burchardt <ansgar@debian.org>

Date: Tue, 26 Jun 2018 08:09:01 UTC

Severity: grave

Tags: patch, security

Found in versions devscripts/2.17.7, devscripts/2.18.3

Fixed in version devscripts/2.18.4

Done: Mattia Rizzolo <mattia@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Devscripts Maintainers <devscripts@packages.debian.org>:
Bug#902409; Package devscripts. (Tue, 26 Jun 2018 08:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to Ansgar Burchardt <ansgar@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Devscripts Maintainers <devscripts@packages.debian.org>. (Tue, 26 Jun 2018 08:09:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Ansgar Burchardt <ansgar@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: grep-excuses: uses YAML::Syck in an unsafe way
Date: Tue, 26 Jun 2018 10:04:26 +0200
Package: devscripts
Version: 2.18.3
Severity: grave
File: /usr/bin/grep-excuses
Tags: patch security

grep-excuses uses YAML::Syck without telling YAML::Syck to not bless
objects which might lead to running code the author of grep-excuses
might not have intended to run.

The attached patch tells grep-excuses to tell YAML::Syck to not point
a loaded gun towards your foot (even though this might be against the
UNIX philosophy of shooting on feet).

See also #862475.

Ansgar
[grep-excuses.patch (text/plain, attachment)]
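As an added illustration (not code from the bug report, the attached patch, or devscripts itself), the following Perl script loads YAML from an untrusted source with YAML::Syck while refusing to bless objects, then verifies that nothing blessed survived in the result. The YAML document and the Foo::Bar class name are constructed; `$YAML::Syck::LoadBlessed` and `$YAML::Syck::LoadCode` are YAML::Syck's documented switches and are assumed to be available in the installed version.

```perl
#!/usr/bin/perl
# Added example: hardened loading of untrusted YAML with YAML::Syck.
use strict;
use warnings;
use YAML::Syck ();
use Scalar::Util qw(blessed);

# Constructed sample input.  A real excuses file would be fetched from
# the network, so its tags are under the control of whoever serves it.
# The !!perl/hash:Foo::Bar tag asks the loader to bless the node into
# the (hypothetical) package Foo::Bar; with default settings YAML::Syck
# would honour that request.
my $untrusted_yaml = <<'YAML';
---
sources:
  - !!perl/hash:Foo::Bar
    item-name: hello
    excuses: [ "Too young, only 2 of 10 days old" ]
YAML

sub load_untrusted {
    my ($text) = @_;
    # Never let tags in attacker-controlled input choose the Perl package
    # a node is blessed into: a blessed node can run that package's
    # DESTROY, and later code may call methods on it.
    local $YAML::Syck::LoadBlessed = 0;
    local $YAML::Syck::LoadCode    = 0;   # the default, made explicit
    return YAML::Syck::Load($text);
}

# Defensive check: walk the loaded structure and refuse any blessed node.
sub assert_plain {
    my ($node) = @_;
    die "refusing blessed node of class " . blessed($node) . "\n"
        if blessed($node);
    if (ref $node eq 'HASH')  { assert_plain($_) for values %$node }
    if (ref $node eq 'ARRAY') { assert_plain($_) for @$node }
    return 1;
}

my $data = load_untrusted($untrusted_yaml);
assert_plain($data);

# With blessing disabled the tagged node is an ordinary hash reference,
# so it can be used as plain data.
for my $src (@{ $data->{sources} }) {
    print "$src->{'item-name'}: @{ $src->{excuses} }\n";
}
```

Run with `perl` on a system with libyaml-syck-perl installed; the script prints the excuse line and exits 0, whereas a loader that kept the default blessing would have produced a Foo::Bar object from the same input.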

Changed Bug title to 'devscripts: CVE-2018-13043 - grep-excuses uses YAML::Syck in an unsafe way' from 'grep-excuses: uses YAML::Syck in an unsafe way'. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Sun, 01 Jul 2018 21:45:02 GMT) (full text, mbox, link).


Message sent on to Ansgar Burchardt <ansgar@debian.org>:
Bug#902409. (Tue, 03 Jul 2018 08:24:02 GMT) (full text, mbox, link).


Message #10 received at 902409-submitter@bugs.debian.org (full text, mbox, reply):

From: Mattia Rizzolo <mattia@debian.org>
To: 902409-submitter@bugs.debian.org
Subject: Bug #902409 in devscripts marked as pending
Date: Tue, 03 Jul 2018 08:20:32 +0000
Control: tag -1 pending

Hello,

Bug #902409 in devscripts reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/debian/devscripts/commit/73539f21ec470de727e1242bd6392615b2c5f9ef

------------------------------------------------------------------------
grep-excuse: Avoid unintended blessing during YAML loading.

CVE-2018-13043

Closes: #902409
Thanks: Ansgar Burchardt <ansgar@debian.org> for reporting and providing a patch.
Signed-off-by: Mattia Rizzolo <mattia@debian.org>

------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/902409



Added tag(s) pending. Request was from Mattia Rizzolo <mattia@debian.org> to 902409-submitter@bugs.debian.org. (Tue, 03 Jul 2018 08:24:03 GMT) (full text, mbox, link).


Reply sent to Mattia Rizzolo <mattia@debian.org>:
You have taken responsibility. (Mon, 03 Sep 2018 21:06:13 GMT) (full text, mbox, link).


Notification sent to Ansgar Burchardt <ansgar@debian.org>:
Bug acknowledged by developer. (Mon, 03 Sep 2018 21:06:13 GMT) (full text, mbox, link).


Message #17 received at 902409-close@bugs.debian.org (full text, mbox, reply):

From: Mattia Rizzolo <mattia@debian.org>
To: 902409-close@bugs.debian.org
Subject: Bug#902409: fixed in devscripts 2.18.4
Date: Mon, 03 Sep 2018 21:04:11 +0000
Source: devscripts
Source-Version: 2.18.4

We believe that the bug you reported is fixed in the latest version of
devscripts, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 902409@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mattia Rizzolo <mattia@debian.org> (supplier of updated devscripts package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 03 Sep 2018 22:30:44 +0200
Source: devscripts
Binary: devscripts
Architecture: source
Version: 2.18.4
Distribution: unstable
Urgency: medium
Maintainer: Devscripts Maintainers <devscripts@packages.debian.org>
Changed-By: Mattia Rizzolo <mattia@debian.org>
Description:
 devscripts - scripts to make the life of a Debian Package maintainer easier
Closes: 895209 895279 900703 900963 902409 902815 902842 903479 903482 904432 904578 904659 907683
Changes:
 devscripts (2.18.4) unstable; urgency=medium
 .
   [ Mattia Rizzolo ]
   * debchange:
     + Replace implicit boolean evaluation of a Dpkg::Version object by
       Dpkg::Version::is_valid().  Closes: #900703
   * bts:
     + Add the new 'ftbfs' tag to the list of known tags.  Closes: #900963
   * grep-excuses:
     + Avoid unintended blessing during YAML loading.
       Thanks to Ansgar Burchardt <ansgar@debian.org> for reporting and
       providing a patch.  Closes: #902409; CVE-2018-13043
   * uscan:
     + Remove wrong information about GitHub releases.  Closes: #902842
   * test/test_uscan_ftp:
     + Skip test on hurd-i386, hurd is missing a required feature.  MR: !23
   * test/pylint:
     + Temporarily disable the test, as pylist is currently uninstallable,
       see #902631.
   * debian/control:
     + Comment-out build-dependency on pylint3.
     + Bump Standards-Version to 4.2.1, no changes needed.
 .
   [ Shengjing Zhu ]
   * uscan:
     + Fix wrong git log command in manpage.  MR:!16
 .
   [ Simon McVittie ]
   * tests/test_package_lifecycle:
     + Don't load ~/.devscripts while calling debdiff.  MR: !17
   * sadt:
     + Implement new restrictions from autopkgtest git master.  MR: !18
       - 'flaky': if this test fails, the failure is logged but is not
         counted as a failure.
       - 'skippable': if this test exits 77, it counts as skipped,
         not failed (even if it wrote to stderr).
   * uscan:
     + Handle absolute USCAN_DESTDIR correctly in git mode.
       Closes: #895279; MR: !14
 .
   [ Sean Whitton ]
   * git-deborig:  MR !19
     + When suggesting the user run git-deborig again with more arguments,
       include all the arguments the user originally passed in the
       suggestion.
 .
   [ James McCoy ]
   * grep-excuses:
     + Strip all HTML tags, not just anchors, from excuses.  MR !20
   * debsnap:
     + Disable explicit validity checking in Dpkg::Version constructor so
       there's an actual object to call is_valid() on.  Closes: #903479
 .
   [ Ian Jackson ]
   * grep-excuses:
     + Add --autopkgtest option to show autopkgtest failures in the target
       package which are caused by new versions of other packages.  MR !21
 .
   [ Lev Lazinskiy ]
   * uscan:
     + Handle --copy argument.  Closes: #895209; MR !22
 .
   [ Translation updates ]
   * French, thanks to jean-pierre giraud.  Closes: #902815
 .
   [ Kees Cook ]
   * hardening-check:
     + Drain both stdout/stderr while waiting for readelf to exit to prevent
       readelf from getting blocked on a full pipe.  Closes: #903482
 .
   [ Christoph Berg ]
   * namecheck: Drop code.google.com, it's down.
 .
   [ Adam D. Barratt ]
   * bts:
     + Support fetching bugs from debbugs.gnu.org:  Closes: #904432
       - Force CGI URL to be "/cgi/" rather than "/cgi-bin/" when using
         the gnu.org server.
       - Match both "/cgi/" and "/cgi-bin/" when rewriting URLs in cache
         files.
       - Allow links to mbox files to contain additional HTML attributes.
     + Pre-emptively support HTTPS URLs when parsing release-critical pages.
     + Really use HTTPS by default for bugs.debian.org.
 .
   [ Guillem Jover ]
   * debsnap:
     + Switch to HTTPS for connections to snapshot.debian.org.  Closes: #904659
 .
   [ Agustin Henze ]
   * uscan:
     + Use stricter match to find href attribute to avoid invalid URLs.
       Closes: #904578; MR !25
 .
   [ Jakub Wilk ]
   * rmadison:
     + Fix error handling to avoid having all curl/wget errors to be treated
       as SSL errors.  Closes: #907683
 .
   [ Javi Sabalete ]
   * debcommit:
     + Always use annotate tags with git.  MR: !24





Marked as found in versions devscripts/2.17.7. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Mon, 03 Sep 2018 21:12:03 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 05 Jun 2019 07:32:59 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:22:01 2019; Machine Name: buxtehude
