[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 264-1] libmodule-signature-perl security update

Package        : libmodule-signature-perl
Version        : 0.63-1+squeeze2
CVE ID         : CVE-2015-3406 CVE-2015-3407 CVE-2015-3408 CVE-2015-3409
Debian Bug     : 783451

John Lightsey discovered multiple vulnerabilities in Module::Signature,
a Perl module to manipulate CPAN SIGNATURE files. The Common
Vulnerabilities and Exposures project identifies the following problems:


    Module::Signature could parse the unsigned portion of the SIGNATURE
    file as the signed portion due to incorrect handling of PGP signature


    Module::Signature incorrectly handled files that are not listed in
    the SIGNATURE file. This includes some files in the t/ directory
    that would execute when tests are run.


    Module::Signature used two argument open() calls to read the files
    when generating checksums from the signed manifest. This allowed to
    embed arbitrary shell commands into the SIGNATURE file that would be
    executed during the signature verification process.


    Module::Signature incorrectly handled module loading, allowing to
    load modules from relative paths in @INC. A remote attacker
    providing a malicious module could use this issue to execute
    arbitrary code during signature verification.

For the squeeze distribution, these issues have been fixed in version
0.63-1+squeeze2 of libmodule-signature-perl. Please note that the
libtest-signature-perl package was also updated for compatibility with
the CVE-2015-3407 fix.

We recommend that you upgrade your libmodule-signature-perl and
libtest-signature-perl packages.

Attachment: signature.asc
Description: Digital signature

Reply to: