Your message dated Sun, 09 Oct 2011 12:03:55 +0000
with message-id <e1rcs6l-0007vq...@franck.debian.org>
and subject line Bug#644108: fixed in perl 5.12.4-6
has caused the Debian Bug report #644108,
regarding unsafe use of eval in Digest->new()
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
644108: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644108
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: perl
Version: 5.10.0-19
Severity: grave
Tags: security upstream
Hi,
The last upstream release of libdigest-perl (1.17) contains a fix for an
unsafe use of eval: the argument to Digest->new($algo) was not checked
properly, allowing code injection (in case the value can be changed by
the attacker).
This also affects perl as the module is included in perl-base.
I have attached the update for libdigest-perl I prepared for squeeze
which only contains the relevant fix.
Regards,
Ansgar
diff -u libdigest-perl-1.16/debian/changelog libdigest-perl-1.16/debian/changelog
--- libdigest-perl-1.16/debian/changelog
+++ libdigest-perl-1.16/debian/changelog
@@ -1,3 +1,9 @@
+libdigest-perl (1.16-1+squeeze1) UNRELEASED; urgency=low
+
+ * Fix unsafe use of eval in Digest->new().
+
+ -- Ansgar Burchardt <ans...@debian.org> Sun, 02 Oct 2011 23:20:11 +0200
+
libdigest-perl (1.16-1) unstable; urgency=low
[ gregor herrmann ]
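Review bot: the new changelog entry targets UNRELEASED, so it cannot be uploaded as-is; set the distribution to the intended stable update target before upload. It would also help to state in the entry that this is the fix carried by upstream 1.17, so the change is traceable to its origin.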
only in patch2:
unchanged:
--- libdigest-perl-1.16.orig/Digest.pm
+++ libdigest-perl-1.16/Digest.pm
@@ -24,7 +24,7 @@
shift; # class ignored
my $algorithm = shift;
my $impl = $MMAP{$algorithm} || do {
- $algorithm =~ s/\W+//;
+ $algorithm =~ s/\W+//g;
"Digest::$algorithm";
};
$impl = [$impl] unless ref($impl);
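Review bot: the added `g` flag makes `s/\W+//g` strip every run of non-word characters rather than only the first one, so the value interpolated into `"Digest::$algorithm"` can now only consist of `\w` characters. This still silently rewrites an unexpected name into a different package name; a stricter alternative is to reject any `$algorithm` that fails `/\A\w+\z/` after the `%MMAP` lookup and record an error, so callers learn the name was invalid instead of triggering a load of an unrelated module. A one-line comment saying that this substitution is what keeps the name safe for the package-name interpolation would stop it being "cleaned up" later.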
@@ -35,7 +35,9 @@
($class, @args) = @$class if ref($class);
no strict 'refs';
unless (exists ${"$class\::"}{"VERSION"}) {
- eval "require $class";
+ my $pm_file = $class . ".pm";
+ $pm_file =~ s{::}{/}g;
+ eval { require $pm_file };
if ($@) {
$err ||= $@;
next;
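Review bot: `eval { require $pm_file }` never compiles `$class` as Perl source, which closes the injection, but nothing in the hunk says why; add a short comment above it noting that a string eval of `$class` must not come back here, or a future refactor may reintroduce `eval "require $class"`. The `%INC` key is unchanged by this rewrite (`Digest/MD5.pm` either way), so modules already loaded with `use` are still recognised by the `VERSION` check above, and because the `if ($@)` branch only records the error and continues with `next`, a missing `$pm_file` behaves exactly as a failed string require did before.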
only in patch2:
unchanged:
--- libdigest-perl-1.16.orig/t/security.t
+++ libdigest-perl-1.16/t/security.t
@@ -0,0 +1,14 @@
+#!/usr/bin/env perl
+
+# Digest->new() had an exploitable eval
+
+use strict;
+use warnings;
+
+use Test::More tests => 1;
+
+use Digest;
+
+$LOL::PWNED = 0;
+eval { Digest->new(q[MD;5;$LOL::PWNED = 42]) };
+is $LOL::PWNED, 0;
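Review bot: the test only covers the negative case. Adding a positive assertion that a legitimate name still loads, for example `ok(eval { Digest->new('MD5') })` (skipped when Digest::MD5 is unavailable) with `tests => 2`, would catch a regression where the stricter loader starts rejecting valid names. Note also that `is $LOL::PWNED, 0` passes regardless of why the `eval` failed, which is correct here since the only property under test is that the injected code did not run.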
--- End Message ---
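As an added illustration of the class of bug the report describes, here is a loader written for this page (it is not the squeeze patch and not libdigest-perl's own code): the `load_digest_class` helper and its `%MMAP` table are constructed for the example. It goes one step beyond the patch by rejecting names that contain anything other than identifier characters instead of stripping them, and it loads the implementation by file name inside a block eval so that no part of the input is ever compiled as Perl.

```perl
#!/usr/bin/env perl
# Added example, not code from the bug report or from libdigest-perl:
# a loader that maps an untrusted algorithm name to a Digest:: module
# without ever handing that name to a string eval.
use strict;
use warnings;

# Short-name table, constructed for this example (the real module keeps
# its own %MMAP); the values are trusted package names.
my %MMAP = (
    'MD5'     => 'Digest::MD5',
    'SHA-1'   => 'Digest::SHA',
    'SHA-256' => 'Digest::SHA',
);

# Hypothetical helper: returns the loaded package name or dies.
sub load_digest_class {
    my ($algorithm) = @_;
    die "no algorithm name given\n"
        unless defined $algorithm && length $algorithm;

    my $class = $MMAP{$algorithm};
    unless (defined $class) {
        # Reject instead of rewriting: only identifier characters may
        # become part of a package name, so "MD;5;..." and "../x" fail here.
        die "invalid algorithm name '$algorithm'\n"
            unless $algorithm =~ /\A[A-Za-z0-9_]+\z/;
        $class = "Digest::$algorithm";
    }

    # Convert the package name to a relative .pm path and require that
    # file inside a block eval; no Perl source is compiled from the input.
    (my $pm_file = "$class.pm") =~ s{::}{/}g;
    eval { require $pm_file; 1 }
        or die "cannot load $class: $@";
    return $class;
}

# Demonstration: two valid names, one injection attempt shaped like the
# one in t/security.t, and one path-like name.
$LOL::PWNED = 0;
for my $name ('MD5', 'SHA-1', 'MD;5;$LOL::PWNED = 42', '../Other') {
    my $class = eval { load_digest_class($name) };
    if (defined $class) {
        printf "%-24s -> loaded %s\n", $name, $class;
    } else {
        (my $err = $@) =~ s/\n\z//;
        printf "%-24s -> rejected (%s)\n", $name, $err;
    }
}
print "\$LOL::PWNED is still $LOL::PWNED\n";
```

Run it with a stock perl: the two valid names load Digest::MD5 and Digest::SHA (both core modules), the two bad names are rejected before any require is attempted, and the final line shows the global untouched. The design choice worth noting is that the allow-list regex runs only on names that missed the `%MMAP` lookup, so table entries such as `SHA-1` keep their hyphen while the computed default can never contain anything but identifier characters.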
--- Begin Message ---
Source: perl
Source-Version: 5.12.4-6
We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:
libcgi-fast-perl_5.12.4-6_all.deb
to main/p/perl/libcgi-fast-perl_5.12.4-6_all.deb
libperl-dev_5.12.4-6_i386.deb
to main/p/perl/libperl-dev_5.12.4-6_i386.deb
libperl5.12_5.12.4-6_i386.deb
to main/p/perl/libperl5.12_5.12.4-6_i386.deb
perl-base_5.12.4-6_i386.deb
to main/p/perl/perl-base_5.12.4-6_i386.deb
perl-debug_5.12.4-6_i386.deb
to main/p/perl/perl-debug_5.12.4-6_i386.deb
perl-doc_5.12.4-6_all.deb
to main/p/perl/perl-doc_5.12.4-6_all.deb
perl-modules_5.12.4-6_all.deb
to main/p/perl/perl-modules_5.12.4-6_all.deb
perl_5.12.4-6.debian.tar.gz
to main/p/perl/perl_5.12.4-6.debian.tar.gz
perl_5.12.4-6.dsc
to main/p/perl/perl_5.12.4-6.dsc
perl_5.12.4-6_i386.deb
to main/p/perl/perl_5.12.4-6_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 644...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dominic Hargreaves <d...@earth.li> (supplier of updated perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 07 Oct 2011 22:15:54 +0100
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug libperl5.12 libperl-dev perl
Architecture: source all i386
Version: 5.12.4-6
Distribution: unstable
Urgency: medium
Maintainer: Niko Tyni <nt...@debian.org>
Changed-By: Dominic Hargreaves <d...@earth.li>
Description:
libcgi-fast-perl - CGI::Fast Perl module
libperl-dev - Perl library: development files
libperl5.12 - shared Perl library
perl - Larry Wall's Practical Extraction and Report Language
perl-base - minimal Perl system
perl-debug - debug-enabled Perl interpreter
perl-doc - Perl documentation
perl-modules - Core Perl modules
Closes: 644108
Changes:
perl (5.12.4-6) unstable; urgency=medium
.
* [SECURITY] CVE-2011-3597: Fix unsafe use of eval in Digest->new();
thanks to Ansgar Burchardt for the notification (Closes: #644108)
Checksums-Sha1:
64035645fb5f74139cc78bf156413a0c11bc4f96 1680 perl_5.12.4-6.dsc
a13784fe9bfedc8c4f000ff044788b7073da2d0d 102821 perl_5.12.4-6.debian.tar.gz
012e75b879094063e949e40250d5bdd8fc7ad842 56606 libcgi-fast-perl_5.12.4-6_all.deb
377201f8a577d7113aa12cf8ca162a0f87db01d0 7519814 perl-doc_5.12.4-6_all.deb
309bdd8c70438dc9b639d8981bdf4fc6548806db 4786124 perl-modules_5.12.4-6_all.deb
236383dfdf6b7ed6e3542613b3d4f84ce3c5f597 1454470 perl-base_5.12.4-6_i386.deb
c3683274c04dd8da34f1bfb1ce25b7ba55c51762 7508190 perl-debug_5.12.4-6_i386.deb
aa8179f674478cb63dcff64db440b21cf23b2eb8 704086 libperl5.12_5.12.4-6_i386.deb
cdf6255a56905944d2db1459761131f32f6d94e3 2593990 libperl-dev_5.12.4-6_i386.deb
77bd0415fc8978df184c509d750fafe23aa58ad5 3565594 perl_5.12.4-6_i386.deb
Checksums-Sha256:
88aa8e5092db99ab23f9d7e85bb8a14f1844f8762bd1ebe2533b73ae04399ebe 1680 perl_5.12.4-6.dsc
3d55934bb87948500d5e480d3979b1e6712000e0f0399467723efd1ab263a64a 102821 perl_5.12.4-6.debian.tar.gz
9e923db894dfb8d860956926664d522d90a1c4e5cab5ea09d0d64079f340f523 56606 libcgi-fast-perl_5.12.4-6_all.deb
8f885fc957d9db552751608a30fe26c9e607c531df454bded2575f9626548b8e 7519814 perl-doc_5.12.4-6_all.deb
545422fe21eba19c7052bf5942fa242be4c4d0b528ba47f883fd299049fac8da 4786124 perl-modules_5.12.4-6_all.deb
8acd3e6891c91ac16e86b4085a7134af5ecc17ba50b71a35684873da4507ab39 1454470 perl-base_5.12.4-6_i386.deb
6bfe557c91c31d2d059891664758496311262d7150ba43e3de15c7e37ab461b1 7508190 perl-debug_5.12.4-6_i386.deb
e31f71ab1abe414c276e2f056cd3d1c0987c2c8e95294842ab9684bffd303d9a 704086 libperl5.12_5.12.4-6_i386.deb
fbfc419f77fbdb18aad55d997e9c3fc7c8b401ee5431a3555fe3a952bafa0f77 2593990 libperl-dev_5.12.4-6_i386.deb
bc1a17c65f90505dc5b331d75067c32968092064e6a1d1b65df9c00f63a9a474 3565594 perl_5.12.4-6_i386.deb
Files:
62bf0c96c2e2676c4b40c0f3b1b189dd 1680 perl standard perl_5.12.4-6.dsc
53092824dbfa8832e6ea95551bf59d8d 102821 perl standard perl_5.12.4-6.debian.tar.gz
3bca58fabf0b171651dd0078c7f52d56 56606 perl optional libcgi-fast-perl_5.12.4-6_all.deb
ea29b6d30450cfc6125f34e406ab891f 7519814 doc optional perl-doc_5.12.4-6_all.deb
c73e8241ba25ea0367bd652cdf5d95d2 4786124 perl standard perl-modules_5.12.4-6_all.deb
70b6ad3dafe1ea77f28e53dfd637bd7b 1454470 perl required perl-base_5.12.4-6_i386.deb
40fd13fad0567c2af706959632dc0033 7508190 debug extra perl-debug_5.12.4-6_i386.deb
b59ce2bc1d7ecd580919d138c627a83a 704086 libs optional libperl5.12_5.12.4-6_i386.deb
d47528fa1ecf24370df34053ec0b1ffb 2593990 libdevel optional libperl-dev_5.12.4-6_i386.deb
03a083be62512dc387f6cb69d4553ace 3565594 perl standard perl_5.12.4-6_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFOkD3SYzuFKFF44qURAs0OAKCR6rp06n0+jQLHjFoXMiEMw03ZHgCg8tzy
NASJZvGAJ1xPkK24a6uLsQg=
=Rvbz
-----END PGP SIGNATURE-----
--- End Message ---