CVEs have been requested for security issues fixed in Module::Signature 0.75: http://openwall.com/lists/oss-security/2015/04/07/1
Mageia 4 and Mageia 5 are affected.
CC: (none) => mageia
Whiteboard: (none) => MGA5TOO, MGA4TOO
I have uploaded a patched package for Mageia 4 and there is one waiting to be submitted into cauldron too. I have no idea how to test this.

Suggested advisory:
========================
Updated perl-Module-Signature package fixes the following security vulnerabilities reported by John Lightsey:
- Module::Signature could be tricked into interpreting the unsigned portion of a SIGNATURE file as the signed portion due to faulty parsing of the PGP signature boundaries.
- When verifying the contents of a CPAN module, Module::Signature ignored some files in the extracted tarball that were not listed in the signature file. This included some files in the t/ directory that would execute automatically during "make test".
- When generating checksums from the signed manifest, Module::Signature used two argument open() calls to read the files. This allowed embedding arbitrary shell commands into the SIGNATURE file that would execute during the signature verification process.
- Several modules were loaded at runtime inside the extracted module directory. Modules like Text::Diff are not guaranteed to be available on all platforms and could be added to a malicious module so that they would load from the '.' path in @INC.

References:
http://openwall.com/lists/oss-security/2015/04/07/1
========================
Updated packages in core/updates_testing:
========================
perl-Module-Signature-0.730.0-2.1.mga4
Source RPM: perl-Module-Signature-0.730.0-2.1.mga4.src.rpm
Hardware: i586 => All
perl-Module-Signature-0.730.0-5.mga5 uploaded for Cauldron. Thanks Sander!
Version: Cauldron => 4
Assignee: jquelin => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)
Testing procedure from a previous update in 2013: https://bugs.mageia.org/show_bug.cgi?id=10558#c3 It was meant to test a POC but should be enough to qualify as basic test for this package.
CC: (none) => stormi
Whiteboard: (none) => has_procedure
PoC tested fine on a MGA4-x86-64 VBox VM. Should I also test on MGA4-i586 or is it OK because it's a pure-Perl module?
CC: (none) => shlomif
Whiteboard: has_procedure => MGA4-64-OK has_procedure
We should at least ensure it updates cleanly on both arches, Shlomi, please.
(In reply to claire robinson from comment #5)
> We should at least ensure it updates cleanly on both arches Shlomi please
It does. Did a «urpmi perl-Module-Signature» from updates (on MGA4-i586) and then from updates_testing and it works fine. Also worked fine on MGA4-x86-64.
Advisory uploaded. David, do you want to add any CVEs before validating?
Whiteboard: MGA4-64-OK has_procedure => MGA4-64-OK has_procedure mga4-32-ok advisory
Thanks Claire. I'd like to, but the CVE request was never answered.
Okey dokes. Validating then. Please push to 4 updates. Thanks.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0160.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
CVE assignment: http://openwall.com/lists/oss-security/2015/04/23/17

Suggested advisory:
========================
Updated perl-Module-Signature package fixes security vulnerabilities:

Module::Signature could be tricked into interpreting the unsigned portion of a SIGNATURE file as the signed portion due to faulty parsing of the PGP signature boundaries (CVE-2015-3406).

When verifying the contents of a CPAN module, Module::Signature ignored some files in the extracted tarball that were not listed in the signature file. This included some files in the t/ directory that would execute automatically during "make test" (CVE-2015-3407).

When generating checksums from the signed manifest, Module::Signature used two argument open() calls to read the files. This allowed embedding arbitrary shell commands into the SIGNATURE file that would execute during the signature verification process (CVE-2015-3408).

Several modules were loaded at runtime inside the extracted module directory. Modules like Text::Diff are not guaranteed to be available on all platforms and could be added to a malicious module so that they would load from the '.' path in @INC (CVE-2015-3409).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3406
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3407
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3408
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3409
http://openwall.com/lists/oss-security/2015/04/23/17
Summary: perl-Module-Signature new security issues fixed in 0.75 => perl-Module-Signature new security issues fixed in 0.75 (CVE-2015-340[6-9])
URL: (none) => http://lwn.net/Vulnerabilities/644047/
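The two-argument open() problem described in the advisories above (CVE-2015-3408), as an added example that is not Module::Signature's own code: a cut-down manifest digest step in its vulnerable form beside a hardened one. The "SHA1 <hex> <path>" line layout is a simplification, and the manifest entries and README contents are constructed for the demo.

```perl
# Added example, not Module::Signature's own code: a cut-down manifest
# digest step showing the two-argument open() pitfall (CVE-2015-3408)
# beside a hardened form. The "SHA1 <hex> <path>" line layout and the
# manifest entries below are constructed for the demo.
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);
use File::Temp qw(tempdir);
# Work inside a throwaway "unpacked distribution" holding one real file.
chdir tempdir(CLEANUP => 1) or die "chdir: $!";
open(my $out, '>', 'README') or die "README: $!";
print $out "hello\n";
close $out;
# The second "path" is shell syntax, the kind of entry a hostile
# SIGNATURE file could carry.
my @manifest = (
    "SHA1 f572d396fae9206628714fb2ce00f72e94f2258f README",
    "SHA1 0000000000000000000000000000000000000000 echo not-a-file |",
);

# Vulnerable: two-argument open() lets a trailing '|' turn the "path"
# into a pipeline, so the verifier hashes command output, not a file.
sub digest_unsafe {
    my ($path) = @_;
    open(my $fh, $path) or return "open failed: $!";   # do not do this
    local $/; my $data = <$fh>; close $fh;
    return sha1_hex($data // '');
}

# Hardened: accept only plain relative paths without '..', then use the
# three-argument open() with an explicit '<' mode, which never runs a shell.
sub digest_safe {
    my ($path) = @_;
    return "rejected: not a plain relative path"
        unless $path =~ m{\A[\w.-]+(?:/[\w.-]+)*\z}
           and $path !~ m{(?:\A|/)\.\.(?:/|\z)};
    open(my $fh, '<', $path) or return "open failed: $!";
    local $/; my $data = <$fh>; close $fh;
    return sha1_hex($data);
}

for my $line (@manifest) {
    my (undef, $expected, $path) = split / /, $line, 3;
    for my $impl (['unsafe', \&digest_unsafe], ['safe', \&digest_safe]) {
        my $got = $impl->[1]->($path);
        printf "%-6s %-20s %s\n", $impl->[0], "'$path'",
            $got eq $expected ? 'match' : "MISMATCH ($got)";
    }
}
```

Both implementations agree on README; on the second entry the unsafe version silently hashes the output of a command it just ran, while the hardened version rejects the entry before any open() is attempted.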