# Bugs

* lintian: #861958 insecure YAML validation [CVE-2017-8829]
* libyaml-libyaml-perl: #862373 Unconditionally instantiates objects from yaml data
  - https://github.com/ingydotnet/yaml-libyaml-pm/issues/45
* libyaml-syck-perl: #862475 Unconditionally instantiates objects from yaml data
* libyaml-perl: #(not filed yet)
  - https://github.com/ingydotnet/yaml-pm/issues/176

# Criterion

A module is affected if it instantiates (blesses) objects from YAML data that originates from an external source. The attack surface is the class name the attacker picks in a YAML tag: that class's DESTROY method runs as soon as the loaded data is freed, whether or not the application ever calls a method on the object (see the notice to upstream below).

Rule of thumb: unless the application wrote that data itself, it should be considered potentially harmful. It is harmless, though, if root privileges are already required to inject dangerous YAML.

* Dangerous example: lintian (see above) reads YAML from external Debian source packages.
* Safe example: git-svn uses YAML only as local storage.

# Perl modules that parse YAML and might show the same behaviour

TODO: Find more

* libcpan-meta-yaml-perl [0.018-1] - OKAY: module refuses to load the YAML (derived from YAML::Tiny):
  | CPAN::Meta::YAML does not support a feature in line '!File::Temp::Dir'
* libyaml-libyaml-perl - Perl interface to libyaml, a YAML implementation [0.63-2] - CONFIRMED
* libyaml-perl - YAML Ain't Markup Language [1.21-1] - CONFIRMED (needs a slightly different input)
* libyaml-syck-perl - Perl module providing a fast, lightweight YAML loader and dumper [1.29-1+b2] - CONFIRMED
  - there are two formats supported; the reader for one of them is buggy (needs an intentional typo in the class name)
  - the other format is the one used by the Dump method, so there might be code that relies on that feature
  - Behaviour can be toggled by LoadBlessed
  - According to codesearch, no Debian package uses it
  - The wheezy version [1.20-1] needs an extra check here since upstream changed the behaviour afterwards
* libyaml-tiny-perl - Perl module for reading and writing YAML files [1.70-1] - OKAY: module refuses to load the YAML:
  | YAML::Tiny does not support a feature in line '!File::Temp::Dir'

# Versions

## libyaml-libyaml-perl

* wheezy: 0.38-3+deb7u3
* jessie: 0.41-6
* stretch: 0.63-2
* sid: 0.63-2

## libyaml-syck-perl

* wheezy: 1.20-1
* jessie: 1.27-2
* stretch: 1.29-1
* sid: 1.29-1

## libyaml-perl

* wheezy: 0.81-1
* jessie: 1.13-1
* stretch: 1.21-1
* sid: 1.21-1

# Possible solutions

## Shoot first, ask questions later

Disable instantiation globally and release updated packages to all Debian distributions. Then wait for any bug reports about regressions.

## Carefully check first

Review all packages that rely on the affected ones to make sure nothing breaks. Especially, *if* any package actually needs the instantiation, use a more sophisticated approach to deal with the problem.

The following is about the latter approach.

# Packages that mention libconfig-any-perl, libyaml-libyaml-perl, or libyaml-syck-perl

For each package:

- "load": Does it read YAML from an unsafe source (mostly for the record)?
- "bless": Does it use the instantiation feature (very likely not)?

* aptly [237] - FP, test data only
* botch [10] - FP, test data only
* boxer [10] - unsure, runs Load() on "reclass" output (lib/Boxer/Task/Classify.pm)
* cbmc [54] - FP, data only
* cbmc [17417] - very likely test data only
* ciderwebmail [16] - recheck needed, configuration loader only
* cipux [10]
* debian-cd [275] - FP, popcon data copy only
* devscripts [13134] ! "load": transition-check.pl loads data provided by http://ftp-master.debian.org/testing/hints/transitions.yaml
* dh-make-perl [1709] - configuration loader only
* dpmb [17] - FP, log file only
* duck [114] !
  "load" on "upstream metadata file" (lib/checks/upstream_metadata.pm)
* ikiwiki [403] ! "load" (very likely), might parse YAML entered on a wiki page
  - BROKEN by patched libyaml-perl
* ikiwiki-hosting [22]
* ledgersmb [18]
* libapp-perlrdf-command-query-perl [5] - uses Dump only
* libbot-basicbot-pluggable-perl [7] - re-check needed, build-dependency only
* libcatalyst-action-rest-perl [4] - re-check needed, used in the test suite only
* libcatalyst-controller-html-formfu-perl [92]
* libcatalyst-modules-perl [129]
* libcatalyst-plugin-configloader-perl [102]
* libcatalyst-plugin-scheduler-perl [7]
* libcatmandu-marc-perl [10] - re-check needed
* libcatmandu-perl [22] - re-check needed
* libcatmandu-sru-perl [3]
* libcgi-formbuilder-source-yaml-perl [11]
* libcgi-session-serialize-yaml-perl [211] - dumps and loads its own state only; actual storage is left to the caller
  - BROKEN by patched libyaml-syck-perl
  - BROKEN by patched libyaml-perl
* libconfig-any-perl [1839] ! "load"; check *all* packages that depend on this one (they are part of this list)
* libconfig-jfdi-perl [39]
* libconfig-merge-perl [36]
* libconfig-onion-perl [37]
* libconfig-pit-perl [15]
* libdancer-perl
  - BROKEN by patched libyaml-perl
* libdancer2-perl [129]
* libdata-serializer-perl [373] - dumps and loads its own state only; actual storage is left to the caller
  - BROKEN by patched libyaml-syck-perl
  - BROKEN by patched libyaml-perl
* libdate-manip-perl [23899] - config loader only
* libdbix-class-perl [1245] - recheck needed, probably config file loader only
* libdbix-class-schema-config-perl [4]
* libdbix-class-schema-loader-perl [376] - re-check needed, might use safe YAML modules only
* libdpkg-log-perl [7]
* libept [122849] - FP, test data only
* libhtml-formfu-model-dbic-perl [25]
* libhtml-formfu-perl [149]
* libhtml-formhandler-perl [41]
* libhttp-browserdetect-perl [84]
* libinline-c-perl [808] - build dependency only
* libjifty-dbi-perl [18]
* libjson-any-perl [1239]
* libjson-validator-perl [107]
* libkiokudb-backend-dbi-perl [7]
* libkiokudb-perl [7]
* liblog-dispatch-configurator-any-perl [47]
* libmessage-passing-perl [13]
* libmodule-depends-perl [1485] - seems to use Parse::CPAN::Meta only
* libmoosex-app-perl [10]
* libmoosex-simpleconfig-perl [22]
* libmoosex-storage-perl [140]
* libmoosex-yaml-perl [24]
  - BROKEN by patched libyaml-syck-perl
  - BROKEN by patched libyaml-perl
* libmoox-configfromfile-perl [293]
* libpar-dist-perl [700] ! "load", re-check needed, operates on external data
* libpegex-perl [813] - build-depends only
* libpoet-perl [5] - re-check needed, probably config file loader only
* libregexp-debugger-perl [29]
* librose-db-perl [71]
* libscrappy-perl [10]
* libsharyanto-utils-perl [5]
* libtask-kensho-perl [183] - (why did this make it onto this list?)
* libtest-bdd-cucumber-perl [11]
* libtest-cpan-meta-yaml-perl [44]
* libtest-yaml-valid-perl [218]
* libtm-perl [7] - "load" (quite likely through users of that module)
* libvitacilina-perl [2]
* libwx-perl-datawalker-perl [36]
* libxxx-perl [19] - re-check needed, probably just dumps data
* libyaml-shell-perl - re-check needed, might be hard to assess
* license-reconcile [92] - no code found; according to the documentation, YAML is used for additional configuration
* lintian ! "load" #861958
* nagios-plugins-contrib [4689] - configuration loader (nagios-check-libs); check_rbl uses YAML::Tiny
* oar [103] - re-check needed: where does the data that import_data uses come from?
* pcp [69] - possibly just a config loader, re-check src/pmdas/nutcracker/pmdanutcracker.pl
* pkg-perl-tools [83] ! "load": scripts/forward
* pkwalify [9] - configuration loader
  - BROKEN by patched libyaml-syck-perl
* shelldap [197] - configuration loader
* txt2html [863] - recheck needed: claims to use YAML::Syck for debugging only
* umegaya [3] !
  "load": cgi-bin/umegaya

# Notice to upstream

[ Sent to YAML-Syck, yaml-pm and yaml-libyaml-pm maintainers ]

Dear maintainer,

unfortunately, your module happily blesses YAML data read from an untrusted source, providing a vector for attacks based on a class's DESTROY method, and probably more.

[URLs of bug reports?]

The Debian Perl Group plans to address this issue by adding a switch that toggles that blessing behaviour, with the default set to OFF. That guards vulnerable applications against attacks but still allows blessing to work in the rare cases where it is really needed. For Debian, we will take care of the affected packages as well.

Another design goal of this switch was to make it implementation-agnostic, since quite a few applications and libraries probe for several YAML loaders and pick the first available. Therefore we chose an environment variable called "PERL_USE_UNSAFE_YAML". If set to a true value, your module will behave in the old way.

Find below the patch we will apply in Debian. We would appreciate if you could add it to your module as well. (or the other way round?)
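The following probe script is an added example for the "Criterion" and "Perl modules that parse YAML" sections above; it is not code from this page or from any of the modules listed. It feeds one attacker-shaped document to every YAML loader that happens to be installed and reports, in the CONFIRMED/OKAY terms used above, which of them bless the mapping into the class named in the tag. `Demo::Gadget` is a constructed stand-in for a real gadget class such as File::Temp::Dir, and the two tag spellings are assumptions: `!!perl/hash:Class` is the form YAML::XS and YAML.pm emit for blessed hashes, `!Class` is the form quoted in the CPAN::Meta::YAML and YAML::Tiny error messages above. Which spelling a given loader and version accepts differs (the page notes YAML.pm and YAML::Syck need slightly different input), so the script tries both rather than assuming.

```perl
#!/usr/bin/perl
# Added example, not code from any of the modules discussed on this page:
# load one attacker-shaped YAML document with every installed loader and
# report which of them bless it into the class named in the tag.
use strict;
use warnings;
use Scalar::Util qw(blessed);

# Constructed stand-in for a gadget class such as File::Temp::Dir: its
# DESTROY runs as soon as the loaded object is freed, whether or not the
# application ever looks at it. This one only records what it would have
# acted on; a real gadget would unlink or rmtree the path.
{
    package Demo::Gadget;
    our @fired;
    sub DESTROY { push @fired, $_[0]{path} }
}

# Constructed attacker input (both tag spellings are assumptions, see the
# lead-in): the tag selects the class, the keys become the object's fields.
my @documents = (
    "--- !!perl/hash:Demo::Gadget\npath: /tmp/victim\n",
    "--- !Demo::Gadget\npath: /tmp/victim\n",
);

# One scalar-context load per module; a module is only used if it can be
# required at run time.
my %loaders = (
    'YAML::XS'         => sub { YAML::XS::Load($_[0]) },
    'YAML'             => sub { YAML::Load($_[0]) },
    'YAML::Syck'       => sub { YAML::Syck::Load($_[0]) },
    'YAML::Tiny'       => sub { YAML::Tiny->read_string($_[0])->[0] },
    'CPAN::Meta::YAML' => sub { CPAN::Meta::YAML->read_string($_[0])->[0] },
);

sub probe {
    my ($module, $doc) = @_;
    (my $file = "$module.pm") =~ s{::}{/}g;
    return 'not installed' unless eval { require $file; 1 };

    # $data goes out of scope when probe() returns; if the loader blessed
    # it, Demo::Gadget::DESTROY fires at that moment.
    my $data;
    my $ok = eval { $data = $loaders{$module}->($doc); 1 };
    unless ($ok) {
        (my $err = $@) =~ s/\n.*//s;            # first line of the error only
        return "OKAY - refused: $err";
    }
    return 'CONFIRMED - blessed into ' . blessed($data) if blessed($data);
    return 'OKAY - plain ' . (ref $data || 'scalar');
}

for my $module (sort keys %loaders) {
    for my $doc (@documents) {
        my ($tag) = $doc =~ /^--- (\S+)/;
        printf "%-17s %-27s %s\n", $module, $tag, probe($module, $doc);
    }
}

printf "\nDemo::Gadget::DESTROY ran %d time(s) with attacker-chosen path(s): %s\n",
    scalar @Demo::Gadget::fired, join(', ', @Demo::Gadget::fired) || '(none)';
```

Run it on each suite you care about (the Versions section lists what wheezy through sid ship) and compare the last line with the per-module verdicts: a CONFIRMED loader shows up there as a DESTROY that ran with a path the input chose, which is the whole of the attack, no method call by the application required.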
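As an added example of the application side of the "Carefully check first" approach and of the switch described in the notice above, here is a loader-agnostic wrapper an application such as a metadata or transition-hints checker could use for YAML it did not write itself. It is hypothetical helper code written for this page, not part of any package listed; `load_untrusted_yaml` and the loader order are assumptions. `PERL_USE_UNSAFE_YAML` is the environment variable proposed in the notice and only has an effect with the patched modules; `$YAML::Syck::LoadBlessed` is the switch noted in the module list and is a no-op for the other loaders. The `delete local` form needs Perl 5.12 or later.

```perl
#!/usr/bin/perl
# Added example (hypothetical helper, not from any package on this page):
# read YAML from an untrusted source without letting it choose a Perl class.
use strict;
use warnings;
use Scalar::Util qw(blessed reftype refaddr);

# Same probing order many applications use: the first installed loader
# wins. Constructed for this example; use whatever the application depends on.
my @candidates = (
    [ 'YAML::XS'   => sub { YAML::XS::Load($_[0]) } ],
    [ 'YAML::Syck' => sub { YAML::Syck::Load($_[0]) } ],
    [ 'YAML'       => sub { YAML::Load($_[0]) } ],
);

sub _pick_loader {
    for my $c (@candidates) {
        (my $file = "$c->[0].pm") =~ s{::}{/}g;
        return @$c if eval { require $file; 1 };
    }
    die "no YAML loader installed\n";
}

# Die if anything in the loaded structure is blessed or is not plain data.
sub _assert_plain {
    my ($node, $where, $seen) = @_;
    $seen ||= {};
    return unless ref $node;
    return if $seen->{ refaddr $node }++;               # cycle guard
    die "blessed object (" . blessed($node) . ") at $where\n" if blessed $node;
    my $type = reftype $node;
    if    ($type eq 'HASH')  { _assert_plain($node->{$_}, "$where.$_", $seen) for sort keys %$node }
    elsif ($type eq 'ARRAY') { _assert_plain($node->[$_], "$where\[$_]", $seen) for 0 .. $#$node }
    elsif ($type eq 'SCALAR' || $type eq 'REF') { _assert_plain($$node, "\${$where}", $seen) }
    else  { die "unexpected $type reference at $where\n" }
}

sub load_untrusted_yaml {
    my ($text) = @_;

    # 1. Fail closed on explicit tags before any parser sees the text. Data
    #    from outside the application has no business naming Perl classes.
    #    Deliberately conservative: harmless tags such as !!str are rejected
    #    too, which is acceptable for configuration and metadata files.
    die "refusing YAML with an explicit tag\n" if $text =~ /(?:^|[\s\[{,])!\S/m;

    # 2. Keep the switch proposed in the notice above off for this call.
    #    Only the patched modules honour it; unpatched ones still bless.
    delete local $ENV{PERL_USE_UNSAFE_YAML};

    # 3. YAML::Syck's own switch from the module list; ignored by other loaders.
    local $YAML::Syck::LoadBlessed = 0;

    my ($name, $load) = _pick_loader();
    my $data = $load->($text);

    # 4. Defence in depth, not a substitute for 1-3: by the time this runs a
    #    blessed object already exists and its DESTROY fires on the way out,
    #    so with an unpatched loader this check alone comes too late.
    _assert_plain($data, $name);
    return $data;
}

# Constructed inputs: the kind of upstream metadata a package check reads,
# and the same idea with the attacker-chosen tag quoted on this page
# (the key name is made up for illustration).
my %inputs = (
    benign => "Name: example\nRepository: https://example.org/example.git\n",
    tagged => "--- !File::Temp::Dir\ndirname: /srv/important\n",
);

for my $label (sort keys %inputs) {
    my $data = eval { load_untrusted_yaml($inputs{$label}) };
    print "$label: ", $data ? "loaded keys " . join(', ', sort keys %$data) . "\n"
                            : "rejected: $@";
}
```

The textual tag check in step 1 is the only one of the four that stops an unpatched loader, because it runs before any object can be created; steps 2 and 3 are what make the patched modules safe by default, and step 4 exists to turn a silently blessed result into a loud failure during review of the packages listed above rather than to stop the attack.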