-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 01 Jul 2015 12:20:06 +0200
Source: libmodule-signature-perl
Binary: libmodule-signature-perl
Architecture: source all
Version: 0.63-1+squeeze2
Distribution: squeeze-lts
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Santiago Ruano Rincón <santiagorr@riseup.net>
Description:
 libmodule-signature-perl - module to manipulate CPAN SIGNATURE files
Changes:
 libmodule-signature-perl (0.63-1+squeeze2) squeeze-lts; urgency=medium
 .
   * Non-maintainer upload by the Squeeze LTS team.
   * Add CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch.
     CVE-2015-3406: Module::Signature parses the unsigned portion of the
     SIGNATURE file as the signed portion due to incorrect handling of PGP
     signature boundaries.
     CVE-2015-3407: Module::Signature incorrectly handles files that are not
     listed in the SIGNATURE file. This includes some files in the t/
     directory that would execute when tests are run.
     CVE-2015-3408: Module::Signature uses two-argument open() calls to read
     the files when generating checksums from the signed manifest, allowing
     arbitrary shell commands embedded in the SIGNATURE file to execute
     during the signature verification process.
   * Add CVE-2015-3409.patch.
     CVE-2015-3409: Module::Signature incorrectly handles module loading,
     allowing modules to be loaded from relative paths in @INC. A remote
     attacker providing a malicious module could use this issue to execute
     arbitrary code during signature verification.
Checksums-Sha1:
 ef5477c7a10b8a19981666b9fe2779ac2301892a 2196 libmodule-signature-perl_0.63-1+squeeze2.dsc
 894e373ae7671d5d47c1c0995615cb79fc20dbe0 9376 libmodule-signature-perl_0.63-1+squeeze2.debian.tar.gz
 7cf5802013e361d1899b38f5b0a67f41d77d53ec 29542 libmodule-signature-perl_0.63-1+squeeze2_all.deb
Checksums-Sha256:
 5329700977e8e60a1d9007b9030d128c4fcd2ab8c362a7847ec7d10178387b38 2196 libmodule-signature-perl_0.63-1+squeeze2.dsc
 cd71935c840ab57d16c961cd2ed5c04d20a26fdf0d9e5ae935c67591b21b08e3 9376 libmodule-signature-perl_0.63-1+squeeze2.debian.tar.gz
 a881b74db325c64da0c2466dfc9ba8c579c2b890793acf9e89411278b0dc0d62 29542 libmodule-signature-perl_0.63-1+squeeze2_all.deb
Files:
 021f433fc99b6c2dd497df8ce008b869 2196 perl optional libmodule-signature-perl_0.63-1+squeeze2.dsc
 65c05bb6f3ad83707bf5d970d8993fef 9376 perl optional libmodule-signature-perl_0.63-1+squeeze2.debian.tar.gz
 cf964ac3a02d9a010568e4664c7f9efc 29542 perl optional libmodule-signature-perl_0.63-1+squeeze2_all.deb

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJVk8tzAAoJEN5v/bjI1ki9t9kP/0QzUu8Bd1FLhrlh5rsOUduC
ekd/nQ8IZB01YibpVSccCKhqslENIOnx6C8FAu6iNwIWZ/Ejd/QBnjYInm4j7beL
I/uN3vXgOgcFhbDpUT7MS8nGVjczp2RC5wUdbqrGHTmhxT24bQ5RNrhIzDYEqUNu
HYkwid0sY9IjPFjsrUp2AKV4W9EONSKnUOO2cPMX8uqTyLiNbOJ8Cx/Lsh7FnTRo
hdR5kfbLXRbbfXfsa/YvIRwK03gOCOH1Ew2Ekr6FLsezFcvhiqkFfpKYPsxTD318
/xNF7t2QR1apit+O6u7hrqKp9BST2aggoXmQQtUXTc6sH3yGytCU0vAAzhatG2Ft
tjh1yicUfJXdfEvrwQh/Z/YflBsahbxh/KKbplit4iAxKePVO82HmTw7AesN14/z
F9TSV19x3TRhHs7ywneL3E2+rJ5MyKLM5AwAS0RYL7ec9tIc6FSo2sgzb/Tc+iJF
OuPZH77A65SNSBZr8ffunztjuIdb3CkUCgSh6Wdq6g2518wFIiNyaKxq/47782KA
AViaZT+LyFcJZszQrZVj/zj7R14hpg+i/QZ4dsHDevZxEN/p4m7jM0ppLvZ2b+YZ
5FiD2KoEmdNapdMu0lFgrnLI8qZ1D7Hr8dh9Gc1bVB3AqBEfrUpxDTVS4jeFVGFw
+dzyAppbhJWhE0+bkhFm
=DK6S
-----END PGP SIGNATURE-----
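The CVE-2015-3408 entry in the changelog above turns on one Perl detail: with the two-argument form of open(), the filename is parsed as a "mode spec", so a manifest entry is no longer just a path. The following Perl is an added illustration, not code from Module::Signature or from the Debian patch; the function names, the temporary directory and the manifest entry it hashes are constructed for the demonstration. It shows the vulnerable pattern beside the three-argument form and a regular-file check, and uses nothing more than leading whitespace to make the two forms disagree about which file is opened.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);
use File::Temp qw(tempdir);

# Hashing a manifest entry with the two-argument open() that CVE-2015-3408
# describes. Perl's two-argument form interprets the name as a mode spec:
# it strips leading and trailing whitespace and gives a leading '<', '>',
# '+<' and a leading or trailing '|' special meaning, so an entry taken
# from an untrusted SIGNATURE file is not guaranteed to be opened as a file.
sub digest_entry_unsafe {
    my ($name) = @_;
    open(my $fh, $name) or return undef;    # VULNERABLE: two-argument open
    local $/;                               # slurp the whole file
    my $data = <$fh>;
    close $fh;
    return sha256_hex($data);
}

# Hardened form: explicit read mode plus a regular-file check, so the entry
# can only ever be opened as the literal file it names.
sub digest_entry_safe {
    my ($name) = @_;
    return undef unless -f $name;           # reject pipes, devices, missing files
    open(my $fh, '<', $name) or return undef;
    local $/;
    my $data = <$fh>;
    close $fh;
    return sha256_hex($data);
}

# Constructed demonstration: a scratch directory holding one real file.
my $dir = tempdir(CLEANUP => 1);
chdir $dir or die "chdir: $!";
open(my $out, '>', 'README') or die "create README: $!";
print $out "hello\n";
close $out;

# Constructed manifest entry; note the leading space. Two-argument open()
# silently strips it and reads README, three-argument open() looks for a
# file literally named " README" and refuses.
my $entry  = " README";
my $unsafe = digest_entry_unsafe($entry);
my $safe   = digest_entry_safe($entry);
printf "two-arg open:   %s\n",
    defined $unsafe ? "read README, sha256 $unsafe" : "refused";
printf "three-arg open: %s\n",
    defined $safe ? "read, sha256 $safe" : "refused, no file named '$entry'";
```

When reviewing a verifier like this, the check to apply is that every open() it performs on a name taken from the signed manifest is the three-argument form with an explicit mode; the -f test then closes the remaining gap where a manifest names something other than a regular file.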