Version in base suite: 0.86+ds-1

Base version: libyaml-libyaml-perl_0.86+ds-1
Target version: libyaml-libyaml-perl_0.86+ds-1+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/liby/libyaml-libyaml-perl/libyaml-libyaml-perl_0.86+ds-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/liby/libyaml-libyaml-perl/libyaml-libyaml-perl_0.86+ds-1+deb12u1.dsc

 changelog                                        |    7 +++++
 patches/Use-3-arg-form-of-open-in-LoadFile.patch |   31 +++++++++++++++++++++++
 patches/series                                   |    1 
 3 files changed, 39 insertions(+)

diff -Nru libyaml-libyaml-perl-0.86+ds/debian/changelog libyaml-libyaml-perl-0.86+ds/debian/changelog
--- libyaml-libyaml-perl-0.86+ds/debian/changelog	2023-01-30 19:54:32.000000000 +0000
+++ libyaml-libyaml-perl-0.86+ds/debian/changelog	2025-06-01 19:07:59.000000000 +0000
@@ -1,3 +1,10 @@
+libyaml-libyaml-perl (0.86+ds-1+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * Use 3-arg form of open in LoadFile (CVE-2025-40908)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 01 Jun 2025 21:07:59 +0200
+
 libyaml-libyaml-perl (0.86+ds-1) unstable; urgency=medium
 
   * Import upstream versions 0.85+ds, 0.86+ds.
diff -Nru libyaml-libyaml-perl-0.86+ds/debian/patches/Use-3-arg-form-of-open-in-LoadFile.patch libyaml-libyaml-perl-0.86+ds/debian/patches/Use-3-arg-form-of-open-in-LoadFile.patch
--- libyaml-libyaml-perl-0.86+ds/debian/patches/Use-3-arg-form-of-open-in-LoadFile.patch	1970-01-01 00:00:00.000000000 +0000
+++ libyaml-libyaml-perl-0.86+ds/debian/patches/Use-3-arg-form-of-open-in-LoadFile.patch	2025-06-01 19:07:59.000000000 +0000
@@ -0,0 +1,31 @@
+From: =?UTF-8?q?Tina=20M=C3=BCller?= <cpan2@tinita.de>
+Date: Wed, 29 Jan 2025 21:17:28 +0100
+Subject: Use 3-arg form of open in LoadFile
+Origin: https://github.com/ingydotnet/yaml-libyaml-pm/commit/5fe9daed726c06900c3cd41a739460057bec6dc3
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-40908
+
+Fixes https://github.com/ingydotnet/yaml-libyaml-pm/issues/120
+
+Otherwise `$filename = ">file.yaml"; LoadFile($filename)` will truncate a file.
+
+One should check untrusted filenames in any case, though.
+---
+ lib/YAML/XS.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/YAML/XS.pm b/lib/YAML/XS.pm
+index 66ff5bac7d15..e8df694dd51e 100644
+--- a/lib/YAML/XS.pm
++++ b/lib/YAML/XS.pm
+@@ -54,7 +54,7 @@ sub LoadFile {
+         $IN = $filename;
+     }
+     else {
+-        open $IN, $filename
++        open $IN, '<', $filename
+           or die "Can't open '$filename' for input:\n$!";
+     }
+     return YAML::XS::LibYAML::Load(do { local $/; local $_ = <$IN> });
+-- 
+2.49.0
+
diff -Nru libyaml-libyaml-perl-0.86+ds/debian/patches/series libyaml-libyaml-perl-0.86+ds/debian/patches/series
--- libyaml-libyaml-perl-0.86+ds/debian/patches/series	2023-01-30 19:54:32.000000000 +0000
+++ libyaml-libyaml-perl-0.86+ds/debian/patches/series	2025-06-01 19:07:59.000000000 +0000
@@ -1 +1,2 @@
 system-libyaml.patch
+Use-3-arg-form-of-open-in-LoadFile.patch