Version in base suite: 0.86+ds-1
Base version: libyaml-libyaml-perl_0.86+ds-1
Target version: libyaml-libyaml-perl_0.86+ds-1+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/liby/libyaml-libyaml-perl/libyaml-libyaml-perl_0.86+ds-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/liby/libyaml-libyaml-perl/libyaml-libyaml-perl_0.86+ds-1+deb12u1.dsc
changelog | 7 +++++
patches/Use-3-arg-form-of-open-in-LoadFile.patch | 31 +++++++++++++++++++++++
patches/series | 1
3 files changed, 39 insertions(+)
diff -Nru libyaml-libyaml-perl-0.86+ds/debian/changelog libyaml-libyaml-perl-0.86+ds/debian/changelog
--- libyaml-libyaml-perl-0.86+ds/debian/changelog 2023-01-30 19:54:32.000000000 +0000
+++ libyaml-libyaml-perl-0.86+ds/debian/changelog 2025-06-01 19:07:59.000000000 +0000
@@ -1,3 +1,10 @@
+libyaml-libyaml-perl (0.86+ds-1+deb12u1) bookworm; urgency=medium
+
+ * Team upload.
+ * Use 3-arg form of open in LoadFile (CVE-2025-40908)
+
+ -- Salvatore Bonaccorso Sun, 01 Jun 2025 21:07:59 +0200
+
 libyaml-libyaml-perl (0.86+ds-1) unstable; urgency=medium
 
 * Import upstream versions 0.85+ds, 0.86+ds.
diff -Nru libyaml-libyaml-perl-0.86+ds/debian/patches/Use-3-arg-form-of-open-in-LoadFile.patch libyaml-libyaml-perl-0.86+ds/debian/patches/Use-3-arg-form-of-open-in-LoadFile.patch
--- libyaml-libyaml-perl-0.86+ds/debian/patches/Use-3-arg-form-of-open-in-LoadFile.patch 1970-01-01 00:00:00.000000000 +0000
+++ libyaml-libyaml-perl-0.86+ds/debian/patches/Use-3-arg-form-of-open-in-LoadFile.patch 2025-06-01 19:07:59.000000000 +0000
@@ -0,0 +1,31 @@
+From: =?UTF-8?q?Tina=20M=C3=BCller?=
+Date: Wed, 29 Jan 2025 21:17:28 +0100
+Subject: Use 3-arg form of open in LoadFile
+Origin: https://github.com/ingydotnet/yaml-libyaml-pm/commit/5fe9daed726c06900c3cd41a739460057bec6dc3
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-40908
+
+Fixes https://github.com/ingydotnet/yaml-libyaml-pm/issues/120
+
+Otherwise `$filename = ">file.yaml"; LoadFile($filename)` will truncate a file.
+
+One should check untrusted filenames in any case, though.
+---
+ lib/YAML/XS.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/YAML/XS.pm b/lib/YAML/XS.pm
+index 66ff5bac7d15..e8df694dd51e 100644
+--- a/lib/YAML/XS.pm
++++ b/lib/YAML/XS.pm
+@@ -54,7 +54,7 @@ sub LoadFile {
+ $IN = $filename;
+ }
+ else {
+- open $IN, $filename
++ open $IN, '<', $filename
+ or die "Can't open '$filename' for input:\n$!";
+ }
+ return YAML::XS::LibYAML::Load(do { local $/; local $_ = <$IN> });
+--
+2.49.0
+
diff -Nru libyaml-libyaml-perl-0.86+ds/debian/patches/series libyaml-libyaml-perl-0.86+ds/debian/patches/series
--- libyaml-libyaml-perl-0.86+ds/debian/patches/series 2023-01-30 19:54:32.000000000 +0000
+++ libyaml-libyaml-perl-0.86+ds/debian/patches/series 2025-06-01 19:07:59.000000000 +0000
@@ -1 +1,2 @@
 system-libyaml.patch
+Use-3-arg-form-of-open-in-LoadFile.patch
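Review bot: The new `open $IN, '<', $filename` line in the quoted lib/YAML/XS.pm hunk carries no comment recording why the explicit mode is required, so a later tidy-up could reintroduce the two-arg form that let the filename itself select the open mode (the truncation case the patch description gives, tracked as CVE-2025-40908). I would put directly above it: `# 3-arg open: the mode must come from code, never from $filename (CVE-2025-40908)`. LoadFile begins before this hunk, and the branch that assigns `$IN = $filename` without opening anything is only partly visible, so I cannot tell from here what that branch accepts; the upstream message's remark that callers must still validate untrusted filenames is a contract worth stating in LoadFile's POD rather than only in the commit text. If DumpFile in the same module still uses a two-arg `open`, which this hunk does not show either way, it needs the identical change.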