| Summary: | perl-Module-Signature new security issues fixed in 0.75 (CVE-2015-340[6-9]) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | mageia, shlomif, stormi-mageia, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/644047/ | | |
| Whiteboard: | MGA4-64-OK has_procedure mga4-32-ok advisory | | |
| Source RPM: | perl-Module-Signature-0.730.0-4.mga5.src.rpm | CVE: | |
| Status comment: | | | |
Description

David Walser
2015-04-07 13:24:59 CEST

David Walser
2015-04-07 13:25:11 CEST
CC: (none) => mageia

I have uploaded a patched package for Mageia 4 and there is one waiting to be submitted into cauldron too.

I have no idea how to test this.

Suggested advisory:
========================

Updated perl-Module-Signature package fixes the following security vulnerabilities reported by John Lightsey:

- Module::Signature could be tricked into interpreting the unsigned portion of a SIGNATURE file as the signed portion due to faulty parsing of the PGP signature boundaries.
- When verifying the contents of a CPAN module, Module::Signature ignored some files in the extracted tarball that were not listed in the signature file. This included some files in the t/ directory that would execute automatically during "make test".
- When generating checksums from the signed manifest, Module::Signature used two argument open() calls to read the files. This allowed embedding arbitrary shell commands into the SIGNATURE file that would execute during the signature verification process.
- Several modules were loaded at runtime inside the extracted module directory. Modules like Text::Diff are not guaranteed to be available on all platforms and could be added to a malicious module so that they would load from the '.' path in @INC.

References:
http://openwall.com/lists/oss-security/2015/04/07/1
========================

Updated packages in core/updates_testing:
========================
perl-Module-Signature-0.730.0-2.1.mga4

Source RPM:
perl-Module-Signature-0.730.0-2.1.mga4.src.rpm

Hardware: i586 => All

perl-Module-Signature-0.730.0-5.mga5 uploaded for Cauldron. Thanks Sander!

Version: Cauldron => 4

Testing procedure from a previous update in 2013:
https://bugs.mageia.org/show_bug.cgi?id=10558#c3

It was meant to test a POC but should be enough to qualify as basic test for this package.

CC: (none) => stormi

PoC tested fine on a MGA4-x86-64 VBox VM. Should I also test on MGA4-i586 or is it OK because it's a pure-Perl module?

CC: (none) => shlomif

We should at least ensure it updates cleanly on both arches Shlomi please

(In reply to claire robinson from comment #5)
> We should at least ensure it updates cleanly on both arches Shlomi please

It does. Did a «urpmi perl-Module-Signature» from updates (on MGA4-i586) and then from updates_testing and it works fine. Also worked fine on MGA4-x86-64.

Advisory uploaded. David do you want to add any CVEs before validating?

Whiteboard: MGA4-64-OK has_procedure => MGA4-64-OK has_procedure mga4-32-ok advisory

Thanks Claire. I'd like to, but the CVE request was never answered.

Okey dokes. Validating then. Please push to 4 updates. Thanks

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0160.html

Status: NEW => RESOLVED

CVE assignment:
http://openwall.com/lists/oss-security/2015/04/23/17

Suggested advisory:
========================

Updated perl-Module-Signature package fixes security vulnerabilities:

Module::Signature could be tricked into interpreting the unsigned portion of a SIGNATURE file as the signed portion due to faulty parsing of the PGP signature boundaries (CVE-2015-3406).

When verifying the contents of a CPAN module, Module::Signature ignored some files in the extracted tarball that were not listed in the signature file. This included some files in the t/ directory that would execute automatically during "make test" (CVE-2015-3407).

When generating checksums from the signed manifest, Module::Signature used two argument open() calls to read the files. This allowed embedding arbitrary shell commands into the SIGNATURE file that would execute during the signature verification process (CVE-2015-3408).

Several modules were loaded at runtime inside the extracted module directory. Modules like Text::Diff are not guaranteed to be available on all platforms and could be added to a malicious module so that they would load from the '.' path in @INC (CVE-2015-3409).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3406
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3407
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3408
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3409
http://openwall.com/lists/oss-security/2015/04/23/17
========================

Summary: perl-Module-Signature new security issues fixed in 0.75 => perl-Module-Signature new security issues fixed in 0.75 (CVE-2015-340[6-9])
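The advisory above names three patterns on the verification side that a packager or reviewer can check for in any manifest-verifying code: two-argument open() on names taken from a signed file (CVE-2015-3408), files present in the tree but absent from the manifest being skipped rather than failing verification (CVE-2015-3407), and optional modules resolving through '.' in @INC (CVE-2015-3409). The script below is an added illustration of the hardened form of each, written for this page; it is not code from Module::Signature or from the Mageia package. The script name verify.pl, the manifest format (one relative path per line, '#' comments allowed) and the SHA-256 digest are assumptions for the example.

```perl
#!/usr/bin/perl
# Added example (not Module::Signature's own code): a hardened manifest
# reader that avoids the patterns named in the advisory above.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);   # core module
use File::Find  qw(find);         # core module
use File::Spec;                   # core module

# Mitigation for the '.'-in-@INC issue: drop the current directory from the
# module search path before any optional module could be loaded from the
# unpacked distribution.
BEGIN { @INC = grep { $_ ne '.' } @INC }

# A manifest entry is accepted only if it stays inside the tree and carries
# none of the characters a two-argument open() would interpret as a mode or
# pipe ('|', '<', '>', '&', control characters).  A bare '-' is refused as
# well, since it names standard input rather than a file.
sub safe_relpath {
    my ($rel) = @_;
    return 0 if $rel eq '' || $rel eq '-';
    return 0 if File::Spec->file_name_is_absolute($rel);
    return 0 if $rel =~ /[|<>&\x00-\x1f]/;
    for my $part (File::Spec->splitdir($rel)) {
        return 0 if $part eq '' || $part eq '.' || $part eq '..';
    }
    return 1;
}

# Read one listed file with the three-argument open(): the mode is fixed to
# '<', so a name such as "evil.sh |" is only ever a file name, never a pipe.
sub digest_file {
    my ($dir, $rel) = @_;
    die "refusing manifest entry '$rel'\n" unless safe_relpath($rel);
    my $path = File::Spec->catfile($dir, $rel);
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    binmode $fh;
    local $/;                      # slurp mode
    my $data = <$fh>;
    $data = '' unless defined $data;
    close $fh;
    return sha256_hex($data);
}

# Files present in the tree but absent from the manifest.  Verification
# should fail on any of these instead of silently skipping them; that is
# exactly how an unlisted t/*.t file would otherwise reach "make test".
sub unlisted_files {
    my ($dir, @manifest) = @_;
    my %listed = map { $_ => 1 } @manifest;
    my @extra;
    find({
        no_chdir => 1,
        wanted   => sub {
            return unless -f $File::Find::name;
            my $rel = File::Spec->abs2rel($File::Find::name, $dir);
            push @extra, $rel unless $listed{$rel};
        },
    }, $dir);
    return sort @extra;
}

# Usage: perl verify.pl <unpacked-dist-dir> <manifest-file>
# Prints "digest  path" for every listed file, or dies on the first problem.
if (@ARGV == 2) {
    my ($dir, $manifest) = @ARGV;
    open(my $mf, '<', $manifest) or die "cannot open $manifest: $!\n";
    chomp(my @files = grep { /\S/ && !/^#/ } <$mf>);
    close $mf;

    my @extra = unlisted_files($dir, @files);
    die "unlisted files in tree: @extra\n" if @extra;

    printf "%s  %s\n", digest_file($dir, $_), $_ for @files;
}
```

The order of the checks matters: the tree is compared against the manifest before any digest is computed, so an unlisted file fails the run before anything in the distribution is opened, and every name that does get opened has already passed safe_relpath(). If the manifest file itself lives inside the directory being checked, it has to be listed in the manifest (as CPAN's MANIFEST normally lists itself), or it will be reported as unlisted.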
David Walser
2015-05-12 19:09:33 CEST

URL: (none) => http://lwn.net/Vulnerabilities/644047/