Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: pu
Hi Stable Release managers,

I would like to update libmodule-metadata-perl in Wheezy to fix a serious documentation bug, CVE-2013-1437 [1].

[1] https://security-tracker.debian.org/tracker/CVE-2013-1437

Module::Metadata stated that:

    This module provides a standard way to gather metadata about a .pm file without executing unsafe code.

which is not true. This was fixed already by a new upstream version in unstable.

The attached proposed debdiff tries to address both the upstream changes to the DESCRIPTION in the manpage, and furthermore I updated the description of the package to make this also clear there.

Can I upload this as a proposed-update for Wheezy?

Regards,
Salvatore
diff -Nru libmodule-metadata-perl-1.000009/debian/changelog libmodule-metadata-perl-1.000009/debian/changelog --- libmodule-metadata-perl-1.000009/debian/changelog 2012-02-08 23:25:25.000000000 +0100 +++ libmodule-metadata-perl-1.000009/debian/changelog 2013-09-03 19:38:51.000000000 +0200 @@ -1,3 +1,18 @@ +libmodule-metadata-perl (1.000009-1+deb7u1) wheezy; urgency=low + + * Add CVE-2013-1437-documentation-fix.patch patch. + Addresses CVE-2013-1437 as (serious) documentation bug: Module::Metadata + executes code when gathering metadata about a module by design. In + versions previous to 1.000015 the documentation stated, however, that + Module::Metadata provides a standard way to gather metadata about a .pm + file without executing unsafe code. + * Rewrite short and long description. + Rewrite short description matching the X is a Perl module [...] scheme. + Rewrite the long description based on the Module::Metadata POD, + containing also the note about how the information is gathered. + + -- Salvatore Bonaccorso <car...@debian.org> Tue, 03 Sep 2013 19:33:20 +0200 + libmodule-metadata-perl (1.000009-1) unstable; urgency=low [ Ansgar Burchardt ] diff -Nru libmodule-metadata-perl-1.000009/debian/control libmodule-metadata-perl-1.000009/debian/control --- libmodule-metadata-perl-1.000009/debian/control 2012-02-08 23:25:25.000000000 +0100 +++ libmodule-metadata-perl-1.000009/debian/control 2013-09-03 19:38:51.000000000 +0200 
@@ -17,8 +17,9 @@ Depends: ${misc:Depends}, ${perl:Depends}, perl (>= 5.13.9) | libversion-perl (>= 1:0.8700) -Description: package and POD information gatherer - Module::Metadata provides routines to gather information about perl - modules like name, version, list of packages, list of pod - sections... All this information is extracted from perl module files. - +Description: Perl module to gather package and POD information from perl module files + Module::Metadata provides a standard way to gather metadata (like name, + version, list of packages, list of pod sections, ...) about a .pm file + through (mostly) static analysis and (some) code execution. When + determining the version of a module, the $VERSION assignment is evaled, + as is traditional in the CPAN toolchain. diff -Nru libmodule-metadata-perl-1.000009/debian/patches/CVE-2013-1437-documentation-fix.patch libmodule-metadata-perl-1.000009/debian/patches/CVE-2013-1437-documentation-fix.patch --- libmodule-metadata-perl-1.000009/debian/patches/CVE-2013-1437-documentation-fix.patch 1970-01-01 01:00:00.000000000 +0100 +++ libmodule-metadata-perl-1.000009/debian/patches/CVE-2013-1437-documentation-fix.patch 2013-09-03 19:38:51.000000000 +0200 
@@ -0,0 +1,28 @@ +Description: Fix serious documentation bug aboute statement of execution of unsafe code + Addresses CVE-2013-1437 as (serious) documentation bug: + Module::Metadata executes code when gathering metadata about a module + by design. In versions previous to (upstream) 1.000015 the + documentation stated, however, that Module::Metadata provides a + standard way to gather metadata about a .pm file without executing + unsafe code. +Origin: upstream, http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=p5sagit/Module-Metadata.git;a=commitdiff;h=c0278e58ecbced5d852526c1c5d088c8df6ba618 +Forwarded: not-needed +Author: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2013-09-03 +Applied-Upstream: 1.000015 + +--- a/lib/Module/Metadata.pm ++++ b/lib/Module/Metadata.pm +@@ -719,8 +719,10 @@ + + =head1 DESCRIPTION + +-This module provides a standard way to gather metadata about a .pm file +-without executing unsafe code. ++This module provides a standard way to gather metadata about a .pm file through ++(mostly) static analysis and (some) code execution. When determining the ++version of a module, the C<$VERSION> assignment is C<eval>ed, as is traditional ++in the CPAN toolchain. + + =head1 USAGE + diff -Nru libmodule-metadata-perl-1.000009/debian/patches/series libmodule-metadata-perl-1.000009/debian/patches/series --- libmodule-metadata-perl-1.000009/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ libmodule-metadata-perl-1.000009/debian/patches/series 2013-09-03 19:38:51.000000000 +0200 @@ -0,0 +1 @@ +CVE-2013-1437-documentation-fix.patch
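Review bot: In the debian/changelog hunk, the first bullet references CVE-2013-1437 but carries no "(Closes: #NNNNNN)" for a corresponding Debian bug, so the BTS will not record the fix when the upload is accepted; if a bug is filed for this CVE in the tracker, append the Closes tag to that bullet, and otherwise note in the upload request that none exists.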
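Review bot: In the debian/control hunk, the new short description mixes "Perl module" and "perl module files" on the same line; use "Perl" for the language in both places (and in the long description) so the wording is consistent with the rest of the archive. The long description itself matches the upstream POD text introduced by the patch, which is what the release team will want to see for a documentation-only update.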
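Review bot: In the CVE-2013-1437-documentation-fix.patch hunk, the DEP-3 Description header has a typo, "aboute" for "about"; since the Origin field already points at the upstream commit, the Author field should name the upstream commit's author (or be dropped) rather than attributing the upstream change to the Debian maintainer. The embedded +719,8/+719,10 hunk is consistent (two lines removed, four added) and changes POD only, so this upload does not alter the module's behaviour: it still evals the $VERSION assignment, and the updated text now tells callers that untrusted .pm files must not be fed to it.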