
Bug#712597: pu: package libmodule-signature-perl/0.68-1+deb7u1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi Stable Release Managers

libmodule-signature-perl/0.73-1 fixed CVE-2013-2145, see #711239 for
the corresponding Debian bug report. Would it be possible to have
libmodule-signature-perl also updated for stable through a spu?

Attached is the proposed debdiff. I can remove the debian/gbp.conf
part (which I have added for handling in the pkg-perl git repos, but
can be omitted).

Regards,
Salvatore
diff -Nru libmodule-signature-perl-0.68/debian/changelog libmodule-signature-perl-0.68/debian/changelog
--- libmodule-signature-perl-0.68/debian/changelog	2011-05-14 14:57:44.000000000 +0200
+++ libmodule-signature-perl-0.68/debian/changelog	2013-06-17 20:13:51.000000000 +0200
@@ -1,3 +1,12 @@
+libmodule-signature-perl (0.68-1+deb7u1) wheezy; urgency=low
+
+  * Team upload.
+  * Add CVE-2013-2145.patch.
+    CVE-2013-2145: Fixes arbitrary code execution when verifying SIGNATURE.
+    (Closes: #711239)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 16 Jun 2013 22:51:28 +0200
+
 libmodule-signature-perl (0.68-1) unstable; urgency=low
 
   [ Jotam Jr. Trejo ]
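Review bot: the changelog entry lists only CVE-2013-2145.patch; if the debian/gbp.conf addition stays in the upload, add a line for it (e.g. `* Add debian/gbp.conf for the wheezy branch.`), otherwise the entry is complete as it stands.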
diff -Nru libmodule-signature-perl-0.68/debian/gbp.conf libmodule-signature-perl-0.68/debian/gbp.conf
--- libmodule-signature-perl-0.68/debian/gbp.conf	1970-01-01 01:00:00.000000000 +0100
+++ libmodule-signature-perl-0.68/debian/gbp.conf	2013-06-17 20:13:51.000000000 +0200
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = wheezy
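Review bot: this file is git-buildpackage configuration for the packaging repository and has no effect on the built binary package, so the stable update is cleaner without it; dropping it, as the cover mail already offers, keeps the debdiff limited to the security fix.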
diff -Nru libmodule-signature-perl-0.68/debian/patches/CVE-2013-2145.patch libmodule-signature-perl-0.68/debian/patches/CVE-2013-2145.patch
--- libmodule-signature-perl-0.68/debian/patches/CVE-2013-2145.patch	1970-01-01 01:00:00.000000000 +0100
+++ libmodule-signature-perl-0.68/debian/patches/CVE-2013-2145.patch	2013-06-17 20:13:51.000000000 +0200
@@ -0,0 +1,46 @@
+Description: Fix CVE-2013-2145
+ Fix arbitrary code execution when verifying SIGNATURE
+Origin: upstream, commit:575f7bd6ba4cc7c92f841e8758f88a131674ebf2, commit:cbd06b392a73c63159dc5c20ff5b3c8fc88c4896, commit:8ff56de7668ff60fbc1afe5b965a3c865662dd24
+Bug-Debian: http://bugs.debian.org/711239
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2013-06-16
+Applied-Upstream: 0.73
+
+--- a/lib/Module/Signature.pm
++++ b/lib/Module/Signature.pm
+@@ -18,6 +18,7 @@
+ 
+ use ExtUtils::Manifest ();
+ use Exporter;
++use File::Spec;
+ 
+ @EXPORT_OK      = (
+     qw(sign verify),
+@@ -514,18 +515,23 @@
+ 
+ sub _digest_object {
+     my($algorithm) = @_;
++
++    # Avoid loading Digest::* from relative paths in @INC.
++    local @INC = grep { File::Spec->file_name_is_absolute($_) } @INC;
++
++    # Constrain algorithm name to be of form ABC123.
++    my ($base, $variant) = ($algorithm =~ /^([_a-zA-Z]+)([0-9]+)$/g)
++        or die "Malformed algorithm name: $algorithm (should match /\\w+\\d+/)";
++
+     my $obj = eval { Digest->new($algorithm) } || eval {
+-        my ($base, $variant) = ($algorithm =~ /^(\w+?)(\d+)$/g) or die;
+         require "Digest/$base.pm"; "Digest::$base"->new($variant)
+     } || eval {
+         require "Digest/$algorithm.pm"; "Digest::$algorithm"->new
+     } || eval {
+-        my ($base, $variant) = ($algorithm =~ /^(\w+?)(\d+)$/g) or die;
+         require "Digest/$base/PurePerl.pm"; "Digest::$base\::PurePerl"->new($variant)
+     } || eval {
+         require "Digest/$algorithm/PurePerl.pm"; "Digest::$algorithm\::PurePerl"->new
+     } or do { eval {
+-        my ($base, $variant) = ($algorithm =~ /^(\w+?)(\d+)$/g) or die;
+         warn "Unknown cipher: $algorithm, please install Digest::$base, Digest::$base$variant, or Digest::$base\::PurePerl\n";
+     } and return } or do {
+         warn "Unknown cipher: $algorithm, please install Digest::$algorithm\n"; return;
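Review bot: in the added algorithm-name check, the die message says the name should match /\w+\d+/, but the pattern actually applied is /^([_a-zA-Z]+)([0-9]+)$/, which only accepts letters and underscores followed by trailing digits; align the message with the pattern so users are not told to expect a looser rule. Also, unlike the three `or die` lines it replaces, this `die` sits outside any eval in _digest_object, so a malformed algorithm name in a SIGNATURE file now becomes a fatal error rather than a soft failure; confirm the callers of _digest_object cope with that before the update is accepted. The `local @INC = grep { File::Spec->file_name_is_absolute($_) } @INC;` line is the actual mitigation for CVE-2013-2145 (no more loading Digest/*.pm from relative @INC entries such as the current directory) and matches the upstream commits named in the Origin field.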
diff -Nru libmodule-signature-perl-0.68/debian/patches/series libmodule-signature-perl-0.68/debian/patches/series
--- libmodule-signature-perl-0.68/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libmodule-signature-perl-0.68/debian/patches/series	2013-06-17 20:13:51.000000000 +0200
@@ -0,0 +1 @@
+CVE-2013-2145.patch