-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 14 May 2015 17:35:32 +0200
Source: libmodule-signature-perl
Binary: libmodule-signature-perl
Architecture: source all
Version: 0.68-1+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 libmodule-signature-perl - module to manipulate CPAN SIGNATURE files
Closes: 783451
Changes:
 libmodule-signature-perl (0.68-1+deb7u2) wheezy-security; urgency=high
 .
   * Team upload.
   * Add CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch patch.
     CVE-2015-3406: Module::Signature parses the unsigned portion of the
     SIGNATURE file as the signed portion due to incorrect handling of PGP
     signature boundaries.
     CVE-2015-3407: Module::Signature incorrectly handles files that are not
     listed in the SIGNATURE file. This includes some files in the t/
     directory that would execute when tests are run.
     CVE-2015-3408: Module::Signature uses two-argument open() calls to read
     the files when generating checksums from the signed manifest, allowing
     arbitrary shell commands to be embedded in the SIGNATURE file that would
     execute during the signature verification process.
     (Closes: #783451)
   * Add CVE-2015-3409.patch patch.
     CVE-2015-3409: Module::Signature incorrectly handles module loading,
     allowing modules to be loaded from relative paths in @INC. A remote
     attacker providing a malicious module could use this issue to execute
     arbitrary code during signature verification.
     (Closes: #783451)
   * Add Fix-signature-tests.patch patch.
     Fix signature tests by defaulting to verify(skip=>1) when
     $ENV{TEST_SIGNATURE} is true.
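The CVE-2015-3408 entry above describes two-argument open() calls on file names taken from the SIGNATURE file. The following added example (not code from Module::Signature or the Debian package) shows the vulnerable shape beside a hardened reader that uses three-argument open and a path check; the helper names digest_manifest_entry and check_lines and the sample distribution are constructed for illustration.

```perl
#!/usr/bin/perl
# Added illustration of the CVE-2015-3408 defect; not Module::Signature code.
# Perl's two-argument open() parses the mode out of the string itself, so a
# manifest entry such as "| cmd" asks Perl to run cmd rather than read a file.
# The names digest_manifest_entry and check_lines are hypothetical.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);
use File::Temp qw(tempdir);

# VULNERABLE (shape of the pre-fix code):   open(my $fh, $name)
# HARDENED: three-argument open pins the mode to "<", so $name can only ever
# be read as a path; the regex additionally refuses names that leave the
# distribution directory or carry pipe/NUL characters (defence in depth).
sub digest_manifest_entry {
    my ($name) = @_;
    die "refusing suspicious manifest entry: $name\n"
        if $name =~ m{\A/|(?:\A|/)\.\.(?:/|\z)|[|\x00]};
    open(my $fh, '<', $name) or die "cannot read $name: $!\n";
    binmode $fh;
    my $hex = sha256_hex(do { local $/; <$fh> });
    close $fh;
    return $hex;
}

# Check "SHA256 <hex> <file>" lines; returns one "<file>: <verdict>" per line.
sub check_lines {
    my @out;
    for my $line (@_) {
        my (undef, $want, $name) = split ' ', $line, 3;
        my $got = eval { digest_manifest_entry($name) };
        push @out, defined $got
            ? "$name: " . ($got eq $want ? 'OK' : 'MISMATCH')
            : do { chomp(my $err = $@); "$name: $err" };
    }
    return @out;
}

# Constructed sample distribution: one real file plus a hostile entry.
my $dir = tempdir(CLEANUP => 1);
chdir $dir or die "chdir: $!";
END { chdir '/' }    # leave the temp dir so CLEANUP can remove it
open(my $out, '>', 'Foo.pm') or die $!;
print $out "hello\n";
close $out;
print "$_\n" for check_lines(
    "SHA256 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 Foo.pm",
    "SHA256 " . ('0' x 64) . " | id",
);
```

The hostile entry is rejected before any open() is attempted, whereas with the two-argument form it would have been treated as a command to run.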