Bug#644149: marked as done (opu: package libdigest-perl/1.15-2+lenny1)

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Bug#644149: marked as done (opu: package libdigest-perl/1.15-2+lenny1)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Sat, 10 Mar 2012 12:29:19 +0000
Message-id: <handler.644149.D644149.133138226125833.ackdone@bugs.debian.org>
References: <1331382187.24969.16.camel@jacala.jungle.funky-badger.org> <20111003102956.5794.42581.reportbug@deep-thought.43-1.org>

Your message dated Sat, 10 Mar 2012 12:23:07 +0000
with message-id <1331382187.24969.16.camel@jacala.jungle.funky-badger.org>
and subject line Closing 5.0.10 bugs
has caused the Debian Bug report #644149,
regarding opu: package libdigest-perl/1.15-2+lenny1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
644149: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644149
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pu: package libdigest-perl/1.16-1+squeeze1
From: Ansgar Burchardt <ansgar@debian.org>
Date: Mon, 03 Oct 2011 12:29:56 +0200
Message-id: <20111003102956.5794.42581.reportbug@deep-thought.43-1.org>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

the last upstream release of libdigest-perl (1.17) contains a fix for an
unsafe use of eval[1]: the argument to Digest->new($algo) was not
checked properly allowing code injection (in case the value can be
changed by the attacker).  Versions in both lenny and squeeze are
affected.

The security team does not plan to release a DSA, the issue should be
fixed via proposed-updates instead.

I prepared updates for both lenny and squeeze (attached).

Regards,
Ansgar

[1] <https://github.com/gisle/digest/commit/33800e83550bcad19c4fc593874ec3497841fa1e>

diff -u libdigest-perl-1.15/debian/changelog libdigest-perl-1.15/debian/changelog
--- libdigest-perl-1.15/debian/changelog
+++ libdigest-perl-1.15/debian/changelog
@@ -1,3 +1,9 @@
+libdigest-perl (1.15-2+lenny1) UNRELEASED; urgency=low
+
+  * Fix unsafe use of eval in Digest->new().
+
+ -- Ansgar Burchardt <ansgar@debian.org>  Sun, 02 Oct 2011 23:35:15 +0200
+
 libdigest-perl (1.15-2) unstable; urgency=low
 
   * Fixed debian/watch, as it was too ambitious
only in patch2:
unchanged:
--- libdigest-perl-1.15.orig/Digest.pm
+++ libdigest-perl-1.15/Digest.pm
@@ -23,7 +23,7 @@
     shift;  # class ignored
     my $algorithm = shift;
     my $impl = $MMAP{$algorithm} || do {
-	$algorithm =~ s/\W+//;
+	$algorithm =~ s/\W+//g;
 	"Digest::$algorithm";
     };
     $impl = [$impl] unless ref($impl);
@@ -34,7 +34,9 @@
 	($class, @args) = @$class if ref($class);
 	no strict 'refs';
 	unless (exists ${"$class\::"}{"VERSION"}) {
-	    eval "require $class";
+	    my $pm_file = $class . ".pm";
+	    $pm_file =~ s{::}{/}g;
+	    eval { require $pm_file };
 	    if ($@) {
 		$err ||= $@;
 		next;
only in patch2:
unchanged:
--- libdigest-perl-1.15.orig/t/security.t
+++ libdigest-perl-1.15/t/security.t
@@ -0,0 +1,14 @@
+#!/usr/bin/env perl
+
+# Digest->new() had an exploitable eval
+
+use strict;
+use warnings;
+
+use Test::More tests => 1;
+
+use Digest;
+
+$LOL::PWNED = 0;
+eval { Digest->new(q[MD;5;$LOL::PWNED = 42]) };
+is $LOL::PWNED, 0;

diff -u libdigest-perl-1.16/debian/changelog libdigest-perl-1.16/debian/changelog
--- libdigest-perl-1.16/debian/changelog
+++ libdigest-perl-1.16/debian/changelog
@@ -1,3 +1,9 @@
+libdigest-perl (1.16-1+squeeze1) UNRELEASED; urgency=low
+
+  * Fix unsafe use of eval in Digest->new().
+
+ -- Ansgar Burchardt <ansgar@debian.org>  Sun, 02 Oct 2011 23:20:11 +0200
+
 libdigest-perl (1.16-1) unstable; urgency=low
 
   [ gregor herrmann ]
only in patch2:
unchanged:
--- libdigest-perl-1.16.orig/Digest.pm
+++ libdigest-perl-1.16/Digest.pm
@@ -24,7 +24,7 @@
     shift;  # class ignored
     my $algorithm = shift;
     my $impl = $MMAP{$algorithm} || do {
-	$algorithm =~ s/\W+//;
+	$algorithm =~ s/\W+//g;
 	"Digest::$algorithm";
     };
     $impl = [$impl] unless ref($impl);
@@ -35,7 +35,9 @@
 	($class, @args) = @$class if ref($class);
 	no strict 'refs';
 	unless (exists ${"$class\::"}{"VERSION"}) {
-	    eval "require $class";
+	    my $pm_file = $class . ".pm";
+	    $pm_file =~ s{::}{/}g;
+	    eval { require $pm_file };
 	    if ($@) {
 		$err ||= $@;
 		next;
only in patch2:
unchanged:
--- libdigest-perl-1.16.orig/t/security.t
+++ libdigest-perl-1.16/t/security.t
@@ -0,0 +1,14 @@
+#!/usr/bin/env perl
+
+# Digest->new() had an exploitable eval
+
+use strict;
+use warnings;
+
+use Test::More tests => 1;
+
+use Digest;
+
+$LOL::PWNED = 0;
+eval { Digest->new(q[MD;5;$LOL::PWNED = 42]) };
+is $LOL::PWNED, 0;

--- End Message ---

--- Begin Message ---

To: 639645-done@bugs.debian.org

Cc: 644149-done@bugs.debian.org, 656104-done@bugs.debian.org

Subject: Closing 5.0.10 bugs

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Date: Sat, 10 Mar 2012 12:23:07 +0000

Message-id: <1331382187.24969.16.camel@jacala.jungle.funky-badger.org>
Version: 5.0.10

The packages corresponding to these bugs have now been included in the
5.0.10 point release.  I'm therefore closing the bugs.

Regards,

Adam
--- End Message ---

Reply to:

Prev by Date: Bug#639645: marked as done (opu: package xpdf/3.02-1.4+lenny4)
Next by Date: Bug#656104: marked as done (opu: package apr/1.2.12-5+lenny5)
Previous by thread: Bug#639645: marked as done (opu: package xpdf/3.02-1.4+lenny4)
Next by thread: Bug#656104: marked as done (opu: package apr/1.2.12-5+lenny5)
Index(es):
- Date
- Thread