Your message dated Sat, 12 Nov 2011 19:33:57 +0000
with message-id <e1rpjkv-00013k...@franck.debian.org>
and subject line Bug#644108: fixed in perl 5.14.2-2
has caused the Debian Bug report #644108,
regarding unsafe use of eval in Digest->new()
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
644108: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644108
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: perl
Version: 5.10.0-19
Severity: grave
Tags: security upstream
Hi,
the last upstream release of libdigest-perl (1.17) contains a fix for an
unsafe use of eval: the argument to Digest->new($algo) was not checked
properly, allowing code injection (in case the value can be changed by
the attacker).
This also affects perl as the module is included in perl-base.
I have attached the update for libdigest-perl I prepared for squeeze
which only contains the relevant fix.
Regards,
Ansgar
diff -u libdigest-perl-1.16/debian/changelog libdigest-perl-1.16/debian/changelog
--- libdigest-perl-1.16/debian/changelog
+++ libdigest-perl-1.16/debian/changelog
@@ -1,3 +1,9 @@
+libdigest-perl (1.16-1+squeeze1) UNRELEASED; urgency=low
+
+ * Fix unsafe use of eval in Digest->new().
+
+ -- Ansgar Burchardt <ans...@debian.org> Sun, 02 Oct 2011 23:20:11 +0200
+
libdigest-perl (1.16-1) unstable; urgency=low
[ gregor herrmann ]
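Review bot: the entry carries no CVE reference; the perl 5.14.2-2 changelog later in this thread records the same fix as `[SECURITY] CVE-2011-3597: Fix unsafe use of eval in Digest->new()`, and the squeeze entry should cite the identifier the same way so the security tracker and users reading apt-listchanges can match it. `UNRELEASED` also still needs replacing with the target suite before upload.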
only in patch2:
unchanged:
--- libdigest-perl-1.16.orig/Digest.pm
+++ libdigest-perl-1.16/Digest.pm
@@ -24,7 +24,7 @@
shift; # class ignored
my $algorithm = shift;
my $impl = $MMAP{$algorithm} || do {
- $algorithm =~ s/\W+//;
+ $algorithm =~ s/\W+//g;
"Digest::$algorithm";
};
$impl = [$impl] unless ref($impl);
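Review bot: the missing /g is the actual bug: `s/\W+//` removes only the first run of non-word characters, so `MD;5;$LOL::PWNED = 42` became `MD5;$LOL::PWNED = 42` and everything after the first `;` reached the string eval in the next hunk as code. With /g the same input is flattened to `MD5LOLPWNED42`, which is safe but silently turns a malformed name into a request for a different module; rejecting is easier to reason about, e.g. `die "Bad algorithm name '$algorithm'" if $algorithm =~ /\W/;` in place of the substitution (provided `%MMAP` already carries the hyphenated spellings such as `SHA-1` that callers pass). This branch only runs when `$MMAP{$algorithm}` has no entry, so names taken from the table are unaffected either way.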
@@ -35,7 +35,9 @@
($class, @args) = @$class if ref($class);
no strict 'refs';
unless (exists ${"$class\::"}{"VERSION"}) {
- eval "require $class";
+ my $pm_file = $class . ".pm";
+ $pm_file =~ s{::}{/}g;
+ eval { require $pm_file };
if ($@) {
$err ||= $@;
next;
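Review bot: `require $pm_file` is only safe because the previous hunk guarantees the fallback name contains no `/`, `.` or other non-word characters; `require` on a string is a file lookup relative to @INC, so the invariant that `$class` is a bare `Word::Word` identifier deserves a comment at the point of use, all the more since `$class` can also come straight out of a `%MMAP` entry via `($class, @args) = @$class if ref($class)`. Separately, testing `$@` after `eval { ... }` is not reliable on perls before 5.14, where a DESTROY running during unwinding can reset `$@`; the robust form is `eval { require $pm_file; 1 } or do { $err ||= $@ || 'unknown error'; next };`.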
only in patch2:
unchanged:
--- libdigest-perl-1.16.orig/t/security.t
+++ libdigest-perl-1.16/t/security.t
@@ -0,0 +1,14 @@
+#!/usr/bin/env perl
+
+# Digest->new() had an exploitable eval
+
+use strict;
+use warnings;
+
+use Test::More tests => 1;
+
+use Digest;
+
+$LOL::PWNED = 0;
+eval { Digest->new(q[MD;5;$LOL::PWNED = 42]) };
+is $LOL::PWNED, 0;
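Review bot: the single assertion only shows the payload did not run; it would pass just the same if `Digest->new` died before ever reaching the name handling. Pair it with a check that the call failed as expected (`ok $@, 'injected algorithm name rejected';`) and with a positive case that exercises the new `::` to `/` conversion, e.g. `isa_ok Digest->new('MD5'), 'Digest::MD5';` (Digest::MD5 ships with perl), bumping `tests => 1` accordingly and giving the existing `is` a description.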
--- End Message ---
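As an added example (not code from Digest.pm, the upstream 1.17 release or the Debian patch), the following Perl script reimplements just the fallback module-loading step of Digest->new() in its pre-fix and patched forms and runs the kind of injection payload t/security.t uses against both. The `load_strict` variant and the `$main::PWNED` canary are this example's own, and the real module's `%MMAP` lookup is left out.

```perl
#!/usr/bin/env perl
# Added example, not code from Digest.pm or from the Debian patch: a minimal
# stand-in for the module-loading step of Digest->new(), shown in its
# pre-1.17 form and in the patched form, driven with the same kind of payload
# that t/security.t uses.  The real module consults its %MMAP table first;
# this example only covers the "Digest::$algorithm" fallback that the bug hit.
use strict;
use warnings;

our $PWNED = 0;    # canary that the injected payload tries to set

# Pre-fix behaviour.  Without /g only the FIRST run of non-word characters is
# removed, so "MD;5;<perl>" survives as "MD5;<perl>", and the string eval then
# compiles and runs everything after the semicolon as Perl code.
sub load_old {
    my ($algorithm) = @_;
    $algorithm =~ s/\W+//;
    my $class = "Digest::$algorithm";
    eval "require $class";                 # string eval: attacker code runs here
    return $@ ? undef : $class;
}

# Patched behaviour.  /g strips every non-word character (so no ';', '/', '.'
# or '::' can survive in the fallback name), and require is called on a
# ".pm" file path inside a block eval, which never compiles the name as code.
sub load_new {
    my ($algorithm) = @_;
    $algorithm =~ s/\W+//g;
    my $class = "Digest::$algorithm";
    (my $pm_file = "$class.pm") =~ s{::}{/}g;
    eval { require $pm_file };             # block eval: a path lookup under @INC
    return $@ ? undef : $class;
}

# Stricter variant (an assumption for illustration, not part of the upstream
# fix): refuse anything that is not a plain identifier instead of silently
# rewriting "MD;5;..." into "MD5...".
sub load_strict {
    my ($algorithm) = @_;
    die "invalid digest algorithm name: '$algorithm'\n"
        unless $algorithm =~ /\A[A-Za-z0-9_]+\z/;
    return load_new($algorithm);
}

# Drive all three loaders with the injection payload and with a legitimate
# name.  The payload is constructed here; it only assigns to the canary.
my $payload = 'MD;5;$main::PWNED = 42';

for my $case ( [ old => \&load_old ], [ new => \&load_new ], [ strict => \&load_strict ] ) {
    my ( $label, $loader ) = @$case;

    $PWNED = 0;
    my $loaded = eval { $loader->($payload) };
    my $why    = $@ ? $@ : defined $loaded ? '' : 'require failed';
    chomp $why;
    printf "%-6s payload -> loaded=%s canary=%d %s\n",
        $label, ( defined $loaded ? "'$loaded'" : '(none)' ), $PWNED,
        ( $why ne '' ? "($why)" : '' );

    $loaded = eval { $loader->('MD5') };
    printf "%-6s 'MD5'   -> loaded=%s\n",
        $label, ( defined $loaded ? "'$loaded'" : '(none)' );
}
```

Run it with `perl digest_eval.pl`. Under `load_old` the canary reads 42 after the call, because the tail of the name was compiled by the string eval, and the "loaded" class name still carries the payload. Under `load_new` the canary stays 0 and the call fails with a missing-file error for `Digest/MD5mainPWNED42.pm`, which is exactly the property t/security.t encodes. `load_strict` refuses the name outright, which is the behaviour a caller that hands user-supplied input to Digest->new() usually wants; all three load `MD5` normally.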
--- Begin Message ---
Source: perl
Source-Version: 5.14.2-2
We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:
libcgi-fast-perl_5.14.2-2_all.deb
to main/p/perl/libcgi-fast-perl_5.14.2-2_all.deb
libperl-dev_5.14.2-2_i386.deb
to main/p/perl/libperl-dev_5.14.2-2_i386.deb
libperl5.14_5.14.2-2_i386.deb
to main/p/perl/libperl5.14_5.14.2-2_i386.deb
perl-base_5.14.2-2_i386.deb
to main/p/perl/perl-base_5.14.2-2_i386.deb
perl-debug_5.14.2-2_i386.deb
to main/p/perl/perl-debug_5.14.2-2_i386.deb
perl-doc_5.14.2-2_all.deb
to main/p/perl/perl-doc_5.14.2-2_all.deb
perl-modules_5.14.2-2_all.deb
to main/p/perl/perl-modules_5.14.2-2_all.deb
perl_5.14.2-2.debian.tar.gz
to main/p/perl/perl_5.14.2-2.debian.tar.gz
perl_5.14.2-2.dsc
to main/p/perl/perl_5.14.2-2.dsc
perl_5.14.2-2_i386.deb
to main/p/perl/perl_5.14.2-2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 644...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dominic Hargreaves <d...@earth.li> (supplier of updated perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 12 Nov 2011 17:25:33 +0000
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug libperl5.14 libperl-dev perl
Architecture: source all i386
Version: 5.14.2-2
Distribution: experimental
Urgency: low
Maintainer: Niko Tyni <nt...@debian.org>
Changed-By: Dominic Hargreaves <d...@earth.li>
Description:
libcgi-fast-perl - CGI::Fast Perl module
libperl-dev - Perl library: development files
libperl5.14 - shared Perl library
perl - Larry Wall's Practical Extraction and Report Language
perl-base - minimal Perl system
perl-debug - debug-enabled Perl interpreter
perl-doc - Perl documentation
perl-modules - Core Perl modules
Closes: 644108 645790 645989 646016
Changes:
perl (5.14.2-2) experimental; urgency=low
.
* [SECURITY] CVE-2011-3597: Fix unsafe use of eval in Digest->new();
thanks to Ansgar Burchardt for the notification (Closes: #644108)
* Merge 5.12.4-6 from unstable
* Fix NDBM_File hints on GNU/Hurd
(thanks, Pino Toscano) (Closes: #645989)
* Fix hang in t/ext/POSIX/t/sysconf.t on GNU/Hurd
(thanks, Pino Toscano) (Closes: #646016)
* Enable LFS on GNU/Hurd
(thanks, Pino Toscano) (Closes: #645790)
Checksums-Sha1:
df2c57a8a546e9adf9ef7128afc05bcd547fc7ef 1680 perl_5.14.2-2.dsc
dd382372ff2d7ecc2370115860619a4d61146f23 122789 perl_5.14.2-2.debian.tar.gz
0f0b0a3dff20a7042d2fd426dc2662ef1cb4948c 71902 libcgi-fast-perl_5.14.2-2_all.deb
d15a4d3c37c091c54eb7763cd3dcacd259c5567b 8159792 perl-doc_5.14.2-2_all.deb
38400bdcca6947b881bbfd19d0680d64ab1acbe6 3437878 perl-modules_5.14.2-2_all.deb
f2cf32d20cbedacd559875351ecf69ddb446f1c8 1481686 perl-base_5.14.2-2_i386.deb
b1ee375dd17e451f6481dd49e69383fee106f712 7757652 perl-debug_5.14.2-2_i386.deb
728357d3a2e8cb1bd81d7c101994611b1f940894 724410 libperl5.14_5.14.2-2_i386.deb
05fc561d8b5f746cbb1b5718e0c41a891036e289 2679298 libperl-dev_5.14.2-2_i386.deb
afde2cd00f7b8d745e50e8fd5b73be8cf9794489 3697142 perl_5.14.2-2_i386.deb
Checksums-Sha256:
2fe4a452916a13e31e890498f861f16dc2cb985c270b8acb241c71dc95a59235 1680 perl_5.14.2-2.dsc
54df71a18cdbe4f596948c215fce9d0931f3598411c9a4b235c8cc0f249288dc 122789 perl_5.14.2-2.debian.tar.gz
402972d5e953b4dab60eead6f2db893d39ccb9e2fbda9bf1b955c7ee52aa1259 71902 libcgi-fast-perl_5.14.2-2_all.deb
903edcd2de7ee6f11c2cf044a9e8e5827a5a195caed37d2601f69aca30134c60 8159792 perl-doc_5.14.2-2_all.deb
56aa2b44c93c5bdd5c162cc2cc21b621083819fa849d829e5aebea85353f0e15 3437878 perl-modules_5.14.2-2_all.deb
a09fbc8659d69e22b2bf79f8c4bfbee105b4e8954e1b762289ea95e1d971d417 1481686 perl-base_5.14.2-2_i386.deb
0b15a9136fdfbf74fad53b8d2334549f3f5af5afa1babd95836cef2bc5026d2f 7757652 perl-debug_5.14.2-2_i386.deb
517f31887e9726b56adf79a702df1fbe7e658043d1838d796ab6320c1841d674 724410 libperl5.14_5.14.2-2_i386.deb
3f534bc314ef3e6b8f183e436bd99c001503a590a849078c8106c3fc48c1fc7c 2679298 libperl-dev_5.14.2-2_i386.deb
fc476ebadedb8c403e83aa5225859755c52e9565e835ef477e220bb982ac0aa3 3697142 perl_5.14.2-2_i386.deb
Files:
2bc44b5f498292bbc46bbd91cc7a7e5e 1680 perl standard perl_5.14.2-2.dsc
811c4827f0b7fbc062df6f83deb0fb1a 122789 perl standard perl_5.14.2-2.debian.tar.gz
aa34142558e90ba36525c084c71f6a4a 71902 perl optional libcgi-fast-perl_5.14.2-2_all.deb
ab539b6382e90c3ac0efdfb89ab23e15 8159792 doc optional perl-doc_5.14.2-2_all.deb
aaf6edceeb7e33b0454b9cae9aafa922 3437878 perl standard perl-modules_5.14.2-2_all.deb
155c17093b59e684b35931c6145c182d 1481686 perl required perl-base_5.14.2-2_i386.deb
ebf9179d7cb818e6f58b0397c8455820 7757652 debug extra perl-debug_5.14.2-2_i386.deb
acf28554b68d2184cf0c0c7db880d659 724410 libs optional libperl5.14_5.14.2-2_i386.deb
c66a3f8cfca5e2d0a5e44e9b3dc64fc7 2679298 libdevel optional libperl-dev_5.14.2-2_i386.deb
eee5d83199872987abc1250e808f27cb 3697142 perl standard perl_5.14.2-2_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFOvsZCYzuFKFF44qURAjeFAKDYuZEGLOtdLXAYEsIp6txpmUybEgCg+Lfc
8DKci9WMQv7VT3tk11OWZ2A=
=Y/6Y
-----END PGP SIGNATURE-----
--- End Message ---