| Summary: | perl-Module-Signature new security issue CVE-2013-2145 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | jquelin, shlomif, sysadmin-bugs |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/555218/ | | |
| Whiteboard: | MGA2TOO has_procedure MGA2-32-OK MGA2-64-OK MGA3-32-OK mga3-64-ok | | |
| Source RPM: | perl-Module-Signature-0.690.0-1.mga3.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2013-06-18 18:51:36 CEST
David Walser
2013-06-18 18:51:52 CEST
CC: (none) => shlomif

Hi David, thanks for the report.

Updates pushed to Mageia 2, Mageia 3 and Mageia Cauldron:

http://pkgsubmit.mageia.org/

Regards,

-- Shlomi Fish

Thanks Shlomi! If anyone wants to provide a more descriptive CVE summary, feel free :o)

More info is here:
http://openwall.com/lists/oss-security/2013/06/05/16

Advisory:
========================

Updated perl-Module-Signature package fixes security vulnerability:

Arbitrary code execution vulnerability in Module::Signature before 0.72 (CVE-2013-2145).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2145
https://lists.fedoraproject.org/pipermail/package-announce/2013-June/109387.html
========================

Updated packages in core/updates_testing:
========================
perl-Module-Signature-0.730.0-1.mga2
perl-Module-Signature-0.730.0-1.mga3

from SRPMS:
perl-Module-Signature-0.730.0-1.mga2.src.rpm
perl-Module-Signature-0.730.0-1.mga3.src.rpm

CC: (none) => jquelin

Testing complete MGA2 x86_64
Here is my testing procedure:
As root:
1) install perl-Module-Signature
2) as root, create /usr/lib/perl5/vendor_perl/{your_version}/Digest/Special.pm
# cat Special.pm
system("touch /tmp/evilFile");
As a normal user:
1) make sure you already have a gpg key as your normal user, or create one with gpg --gen-key
2) rm -f /tmp/evilFile #justInCase
3) Then:
$ mkdir test-signature
$ cd test-signature
$ vim MANIFEST
$ cat MANIFEST
MANIFEST
$ cpansign sign
[...]
$ ls
MANIFEST SIGNATURE
$ cat SIGNATURE
This file contains message digests of all files listed in MANIFEST,
signed via the Module::Signature module, version 0.68.
To verify the content in this distribution, first make sure you have
Module::Signature installed, then type:
% cpansign -v
It will check each file's integrity, as well as the signature's
validity. If "==> Signature verified OK! <==" is not displayed,
the distribution may already have been compromised, and you should
not run its Makefile.PL or Build.PL.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SHA1 a852db4db68bb42ec01d35714ccfd4c299948d0e MANIFEST
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBAgAGBQJRyZLoAAoJEADHAciX3Qg1se0H/RSnw9Eu8ERwVc0NjhqCWcOz
XhcFUcsiWuIlKRu5tvEI0TtGUCOsgg0uHGHKdy8955XLFNQtcyb6MmyjxV04LGDu
o/hbarrnnzNVnFO14ECwmm6cl3X6CplJd4IWps9IeTPkFyqGiJiSgXkbG7Nopw14
15LNkFozqhy11F5CfkgoUDr7mn73AEsFi6beoTZi+Q2m1bdvvkPCSQy9d0sFPibS
tlXje2+tvzfo0jWQrefyWiA5Z9I9wTZyDfWBb06Sk5pYcoocGthgJbyl2ykgt7D7
7MKRL3c6XMNIXgkGqNfSJuNRCqfbjtN6LSqcW5sut+5ZTz1h5AAzeO7bQwcUAw4=
=lX23
-----END PGP SIGNATURE-----
Now we will alter this signature file, changing the "SHA1 a852db4db68bb42ec01d35714ccfd4c299948d0e MANIFEST" line
[samuel.verschelde@tech009 test-signature]$ vim SIGNATURE
[samuel.verschelde@tech009 test-signature]$ cat SIGNATURE
This file contains message digests of all files listed in MANIFEST,
signed via the Module::Signature module, version 0.68.
To verify the content in this distribution, first make sure you have
Module::Signature installed, then type:
% cpansign -v
It will check each file's integrity, as well as the signature's
validity. If "==> Signature verified OK! <==" is not displayed,
the distribution may already have been compromised, and you should
not run its Makefile.PL or Build.PL.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Special a852db4db68bb42ec01d35714ccfd4c299948d0e MANIFEST
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBAgAGBQJRyZLoAAoJEADHAciX3Qg1se0H/RSnw9Eu8ERwVc0NjhqCWcOz
XhcFUcsiWuIlKRu5tvEI0TtGUCOsgg0uHGHKdy8955XLFNQtcyb6MmyjxV04LGDu
o/hbarrnnzNVnFO14ECwmm6cl3X6CplJd4IWps9IeTPkFyqGiJiSgXkbG7Nopw14
15LNkFozqhy11F5CfkgoUDr7mn73AEsFi6beoTZi+Q2m1bdvvkPCSQy9d0sFPibS
tlXje2+tvzfo0jWQrefyWiA5Z9I9wTZyDfWBb06Sk5pYcoocGthgJbyl2ykgt7D7
7MKRL3c6XMNIXgkGqNfSJuNRCqfbjtN6LSqcW5sut+5ZTz1h5AAzeO7bQwcUAw4=
=lX23
-----END PGP SIGNATURE-----
Now we run cpansign to verify the signature, thus tricking cpansign into executing our Special.pm evil script.
[samuel.verschelde@tech009 test-signature]$ cpansign
Unknown cipher: Special, please install Digest::Special
Can't call method "add" on an undefined value at /usr/lib/perl5/vendor_perl/5.12.3/Module/Signature.pm line 601, <F> chunk 1.
There are errors, because I haven't created a proper Special.pm script, but this is enough for the test because:
[samuel.verschelde@tech009 test-signature]$ ls /tmp/evilFile
/tmp/evilFile
The evil action has worked.
Then install the update candidate, remove /tmp/evilFile, run cpansign again in the appropriate directory, see that it hasn't created the evilFile. Then don't forget to remove that Special.pm you created.
$ cpansign
Malformed algorithm name: Special (should match /\w+\d+/) at /usr/lib/perl5/vendor_perl/5.14.2/Module/Signature.pm line 541.

Whiteboard: MGA2TOO => MGA2TOO has_procedure MGA2-64-OK

Testing complete on Mageia 3 i586, following Stormi's procedure in comment 3. That's nice for once, to be able to reproduce a security vulnerability :)

Whiteboard: MGA2TOO has_procedure MGA2-64-OK => MGA2TOO has_procedure MGA2-64-OK MGA3-32-OK

Testing complete on Mageia 2 i586.

Whiteboard: MGA2TOO has_procedure MGA2-64-OK MGA3-32-OK => MGA2TOO has_procedure MGA2-32-OK MGA2-64-OK MGA3-32-OK

testing mga3 64

Testing complete mga3 64

Thanks for the procedure Samuel. Validating. Advisory uploaded.

Could sysadmin please push from 2 & 3 core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update

http://advisories.mageia.org/MGASA-2013-0184.html

Status: NEW => RESOLVED
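The test procedure above shows the defect from the outside: the algorithm name on a SIGNATURE digest line ("Special") was turned into a module name (Digest::Special) and loaded, and the fixed package instead rejects the name with "Malformed algorithm name ... (should match /\w+\d+/)". The following is an added example, not Module::Signature's or Mageia's own code, of a minimal digest-line verifier that validates the algorithm name before anything is loaded. The shape check is modeled on that error message; the allowlist of algorithms and the restriction of @INC to absolute paths are additional hardening chosen for this example, not a description of the upstream fix. The function names, the sample MANIFEST content and the tampered lines are constructed; it needs only core Perl (Digest, Digest::SHA).

```perl
#!/usr/bin/perl
# Added example, not Module::Signature's or Mageia's code: a minimal
# verifier for the "ALGO HEXDIGEST FILE" lines of a SIGNATURE file that
# validates the algorithm name before it can influence a module load.
# Needs only core Perl (Digest, Digest::SHA).
use strict;
use warnings;
use Digest ();

# Algorithms this verifier accepts at all (allowlist; a design choice of
# this example, stricter than a shape check alone).
my %ALLOWED = map { $_ => 1 } qw(SHA1 SHA256 SHA512);

# Turn an algorithm name from a SIGNATURE line into a Digest object.
# The shape check mirrors the message printed by the fixed package above
# ("Malformed algorithm name ... should match /\w+\d+/"); the allowlist and
# the @INC restriction are extra hardening assumed for this example.
sub digest_for_algorithm {
    my ($algo) = @_;
    my ($base, $variant) = $algo =~ /^([A-Za-z_]+)([0-9]+)\z/
        or die "Malformed algorithm name: $algo (should match /\\w+\\d+/)\n";
    die "Algorithm not allowed: $algo\n" unless $ALLOWED{$algo};
    # Load Digest::* only from absolute library paths, never from '.'.
    local @INC = grep { m{^/} } @INC;
    # Digest->new('SHA1') wants Digest::SHA1; the 'SHA-1' spelling is mapped
    # by Digest onto the core Digest::SHA module, so try both spellings.
    my $obj = eval { Digest->new($algo) } || eval { Digest->new("$base-$variant") }
        or die "Unknown cipher: $algo, please install Digest::$algo\n";
    return $obj;
}

# Split one digest line into (algorithm, lowercase hex digest, file name).
sub parse_digest_line {
    my ($line) = @_;
    my ($algo, $hex, $file) = $line =~ /^(\S+)\s+([0-9A-Fa-f]+)\s+(\S+)\s*\z/
        or die "Malformed digest line: $line\n";
    return ($algo, lc $hex, $file);
}

# Check digest lines against an in-memory map of file name => content.
# Returns a list of [name, status] pairs; status is OK, MISMATCH, MISSING or
# "REJECTED: <reason>". A rejected algorithm name never reaches Digest->new.
sub verify_digest_lines {
    my ($lines, $files) = @_;
    my @report;
    for my $line (@$lines) {
        my ($algo, $expected, $file) = eval { parse_digest_line($line) };
        if (my $err = $@) { chomp $err; push @report, [$line, "REJECTED: $err"]; next; }
        my $digest = eval { digest_for_algorithm($algo) };
        if (my $err = $@) { chomp $err; push @report, [$file, "REJECTED: $err"]; next; }
        if (!exists $files->{$file}) { push @report, [$file, 'MISSING']; next; }
        $digest->add($files->{$file});
        push @report, [$file, $digest->hexdigest eq $expected ? 'OK' : 'MISMATCH'];
    }
    return @report;
}

# Constructed sample distribution with a single MANIFEST file, as in the
# test above: the first line is genuine, the second has a tampered digest,
# the third is the altered "Special ..." line from the test.
my %files = (MANIFEST => "MANIFEST\n");
my $ctx = Digest->new('SHA-1');
$ctx->add($files{MANIFEST});
my @lines = (
    'SHA1 ' . $ctx->hexdigest . ' MANIFEST',
    'SHA1 ' . ('0' x 40) . ' MANIFEST',
    'Special a852db4db68bb42ec01d35714ccfd4c299948d0e MANIFEST',
);
printf "%-9s %s\n", @$_ for verify_digest_lines(\@lines, \%files);
```

Run with `perl verify.pl`: the genuine line reports OK, the tampered one MISMATCH, and the "Special" line is rejected by the name check before Digest->new is ever called, which is the property the update restores.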
Nicolas Vigier
2014-05-08 18:07:15 CEST
CC: boklm => (none)