Hi On Mon, Jun 17, 2013 at 08:31:20PM +0200, Salvatore Bonaccorso wrote: > Attached is the proposed debdiff. I can remove the debian/gbp.conf > part (which I have added for handling in the pkg-perl git repos, but > can be ommited).
Attached the debdiff without the debian/gbp.conf. Better to leave that out and only apply the patch for CVE-2013-2145 :) Regards, Salvatore
diff -Nru libmodule-signature-perl-0.68/debian/changelog libmodule-signature-perl-0.68/debian/changelog --- libmodule-signature-perl-0.68/debian/changelog 2011-05-14 14:57:44.000000000 +0200 +++ libmodule-signature-perl-0.68/debian/changelog 2013-06-19 17:56:25.000000000 +0200 @@ -1,3 +1,12 @@ +libmodule-signature-perl (0.68-1+deb7u1) wheezy; urgency=low + + * Team upload. + * Add CVE-2013-2145.patch. + CVE-2013-2145: Fixes arbitrary code execution when verifying SIGNATURE. + (Closes: #711239) + + -- Salvatore Bonaccorso <car...@debian.org> Sun, 16 Jun 2013 22:51:28 +0200 + libmodule-signature-perl (0.68-1) unstable; urgency=low [ Jotam Jr. Trejo ] diff -Nru libmodule-signature-perl-0.68/debian/patches/CVE-2013-2145.patch libmodule-signature-perl-0.68/debian/patches/CVE-2013-2145.patch --- libmodule-signature-perl-0.68/debian/patches/CVE-2013-2145.patch 1970-01-01 01:00:00.000000000 +0100 +++ libmodule-signature-perl-0.68/debian/patches/CVE-2013-2145.patch 2013-06-19 17:56:25.000000000 +0200 @@ -0,0 +1,46 @@ +Description: Fix CVE-2013-2145 + Fix arbitrary code execution when verifying SIGNATURE +Origin: upstream, commit:575f7bd6ba4cc7c92f841e8758f88a131674ebf2, commit:cbd06b392a73c63159dc5c20ff5b3c8fc88c4896, commit:8ff56de7668ff60fbc1afe5b965a3c865662dd24 +Bug-Debian: http://bugs.debian.org/711239 +Forwarded: not-needed +Author: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2013-06-16 +Applied-Upstream: 0.73 + +--- a/lib/Module/Signature.pm ++++ b/lib/Module/Signature.pm +@@ -18,6 +18,7 @@ + + use ExtUtils::Manifest (); + use Exporter; ++use File::Spec; + + @EXPORT_OK = ( + qw(sign verify), +@@ -514,18 +515,23 @@ + + sub _digest_object { + my($algorithm) = @_; ++ ++ # Avoid loading Digest::* from relative paths in @INC. ++ local @INC = grep { File::Spec->file_name_is_absolute($_) } @INC; ++ ++ # Constrain algorithm name to be of form ABC123. ++ my ($base, $variant) = ($algorithm =~ /^([_a-zA-Z]+)([0-9]+)$/g) ++ or die "Malformed algorithm name: $algorithm (should match /\\w+\\d+/)"; ++ + my $obj = eval { Digest->new($algorithm) } || eval { +- my ($base, $variant) = ($algorithm =~ /^(\w+?)(\d+)$/g) or die; + require "Digest/$base.pm"; "Digest::$base"->new($variant) + } || eval { + require "Digest/$algorithm.pm"; "Digest::$algorithm"->new + } || eval { +- my ($base, $variant) = ($algorithm =~ /^(\w+?)(\d+)$/g) or die; + require "Digest/$base/PurePerl.pm"; "Digest::$base\::PurePerl"->new($variant) + } || eval { + require "Digest/$algorithm/PurePerl.pm"; "Digest::$algorithm\::PurePerl"->new + } or do { eval { +- my ($base, $variant) = ($algorithm =~ /^(\w+?)(\d+)$/g) or die; + warn "Unknown cipher: $algorithm, please install Digest::$base, Digest::$base$variant, or Digest::$base\::PurePerl\n"; + } and return } or do { + warn "Unknown cipher: $algorithm, please install Digest::$algorithm\n"; return; diff -Nru libmodule-signature-perl-0.68/debian/patches/series libmodule-signature-perl-0.68/debian/patches/series --- libmodule-signature-perl-0.68/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ libmodule-signature-perl-0.68/debian/patches/series 2013-06-19 17:56:25.000000000 +0200 @@ -0,0 +1 @@ +CVE-2013-2145.patch
