Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: opu
Hi Release Managers! Here is the corresponding opu for libmodule-signature-perl fixing CVE-2013-2145 (#711239). If an attacker can replace the cipher name in the SIGNATURE file and also provide a ./Digest/SomeCipher.pm in the current directory, that file would be loaded and run with the privileges of the user running 'cpansign -verify'. In addition to stable (unstable is already fixed), I would also like to upload libmodule-signature-perl for squeeze. Attached is the proposed debdiff. Can this be uploaded? Thanks for considering the opu and for your work! Regards, Salvatore
diff -Nru libmodule-signature-perl-0.63/debian/changelog libmodule-signature-perl-0.63/debian/changelog
--- libmodule-signature-perl-0.63/debian/changelog 2010-04-07 23:03:41.000000000 +0200
+++ libmodule-signature-perl-0.63/debian/changelog 2013-06-19 18:13:10.000000000 +0200
@@ -1,3 +1,12 @@
+libmodule-signature-perl (0.63-1+squeeze1) squeeze; urgency=low
+
+ * Team upload.
+ * Add CVE-2013-2145.patch.
+ CVE-2013-2145: Fixes arbitrary code execution when verifying SIGNATURE.
+ (Closes: #711239)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Tue, 18 Jun 2013 23:25:09 +0200
+
 libmodule-signature-perl (0.63-1) unstable; urgency=low
 
 [ Jonathan Yu ]
diff -Nru libmodule-signature-perl-0.63/debian/patches/CVE-2013-2145.patch libmodule-signature-perl-0.63/debian/patches/CVE-2013-2145.patch
--- libmodule-signature-perl-0.63/debian/patches/CVE-2013-2145.patch 1970-01-01 01:00:00.000000000 +0100
+++ libmodule-signature-perl-0.63/debian/patches/CVE-2013-2145.patch 2013-06-19 18:13:10.000000000 +0200
@@ -0,0 +1,46 @@
+Description: Fix CVE-2013-2145
+ Fix arbitrary code execution when verifying SIGNATURE
+Origin: backport, commit:575f7bd6ba4cc7c92f841e8758f88a131674ebf2, commit:cbd06b392a73c63159dc5c20ff5b3c8fc88c4896, commit:8ff56de7668ff60fbc1afe5b965a3c865662dd24
+Bug-Debian: http://bugs.debian.org/711239
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2013-06-18
+Applied-Upstream: 0.73
+
+--- a/lib/Module/Signature.pm
++++ b/lib/Module/Signature.pm
+@@ -18,6 +18,7 @@
+ 
+ use ExtUtils::Manifest ();
+ use Exporter;
++use File::Spec;
+ 
+ @EXPORT_OK = (
+ qw(sign verify),
+@@ -496,18 +497,23 @@
+ my $read = ExtUtils::Manifest::maniread() || {};
+ my $found = ExtUtils::Manifest::manifind($p);
+ my(%digest) = ();
++
++ # Avoid loading Digest::* from relative paths in @INC.
++ local @INC = grep { File::Spec->file_name_is_absolute($_) } @INC;
++
++ # Constrain algorithm name to be of form ABC123.
++ my ($base, $variant) = ($algorithm =~ /^([_a-zA-Z]+)([0-9]+)$/g)
++ or die "Malformed algorithm name: $algorithm (should match /\\w+\\d+/)";
++
+ my $obj = eval { Digest->new($algorithm) } || eval {
+- my ($base, $variant) = ($algorithm =~ /^(\w+?)(\d+)$/g) or die;
+ require "Digest/$base.pm"; "Digest::$base"->new($variant)
+ } || eval {
+ require "Digest/$algorithm.pm"; "Digest::$algorithm"->new
+ } || eval {
+- my ($base, $variant) = ($algorithm =~ /^(\w+?)(\d+)$/g) or die;
+ require "Digest/$base/PurePerl.pm"; "Digest::$base\::PurePerl"->new($variant)
+ } || eval {
+ require "Digest/$algorithm/PurePerl.pm"; "Digest::$algorithm\::PurePerl"->new
+ } or do { eval {
+- my ($base, $variant) = ($algorithm =~ /^(\w+?)(\d+)$/g) or die;
+ warn "Unknown cipher: $algorithm, please install Digest::$base, Digest::$base$variant, or Digest::$base\::PurePerl\n";
+ } and return } or do {
+ warn "Unknown cipher: $algorithm, please install Digest::$algorithm\n"; return;
diff -Nru libmodule-signature-perl-0.63/debian/patches/series
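Review bot: The die message in the new algorithm-name check contradicts the pattern it enforces: the regex is `/^([_a-zA-Z]+)([0-9]+)$/`, but the diagnostic claims `(should match /\w+\d+/)`, which would also accept names such as `S1HA1` or non-ASCII letters that the check rejects. A further gap is that `$` matches before a trailing newline, so an `$algorithm` ending in "\n" passes the check and is then interpolated into the `require "Digest/$algorithm.pm"` and `require "Digest/$algorithm/PurePerl.pm"` paths below; `\A`/`\z` anchors close that. I would make the check `my ($base, $variant) = ($algorithm =~ /\A([_a-zA-Z]+)([0-9]+)\z/) or die "Malformed algorithm name: $algorithm (should match /^[_a-zA-Z]+[0-9]+\$/)";`, dropping the `/g`, which does nothing on an anchored list-context match. Note also that an unrecognised name used to hit warn-and-return, whereas the new check dies, so the enclosing function (which starts and ends outside this hunk) now throws to its caller on a malformed SIGNATURE; whether a trailing newline can actually reach `$algorithm` depends on how the SIGNATURE header is parsed, which is not visible here.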
libmodule-signature-perl-0.63/debian/patches/series
--- libmodule-signature-perl-0.63/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libmodule-signature-perl-0.63/debian/patches/series 2013-06-19 18:13:10.000000000 +0200
@@ -0,0 +1 @@
+CVE-2013-2145.patch