Bug#712798: opu: package libmodule-signature-perl/0.63-1+squeeze1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: opu
Hi Release Managers!
Here is the corresponding opu for libmodule-signature-perl fixing
CVE-2013-2145 (#711239). If an attacker can replace the Cipher in the
SIGNATURE file and also provide a ./Digest/SomeCipher, this would be
run with the privileges of the user running 'cpansign -verify'
Additional to stable (and unstable already fixed), I would like to
upload also libmodule-signature-perl for squeeze. Attached is the
proposed debdiff. Can this be uploaded?
Thanks for considering the opu and for your work!
Regards,
Salvatore
diff -Nru libmodule-signature-perl-0.63/debian/changelog libmodule-signature-perl-0.63/debian/changelog
--- libmodule-signature-perl-0.63/debian/changelog 2010-04-07 23:03:41.000000000 +0200
+++ libmodule-signature-perl-0.63/debian/changelog 2013-06-19 18:13:10.000000000 +0200
@@ -1,3 +1,12 @@
+libmodule-signature-perl (0.63-1+squeeze1) squeeze; urgency=low
+
+ * Team upload.
+ * Add CVE-2013-2145.patch.
+ CVE-2013-2145: Fixes arbitrary code execution when verifying SIGNATURE.
+ (Closes: #711239)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Tue, 18 Jun 2013 23:25:09 +0200
+
libmodule-signature-perl (0.63-1) unstable; urgency=low
[ Jonathan Yu ]
diff -Nru libmodule-signature-perl-0.63/debian/patches/CVE-2013-2145.patch libmodule-signature-perl-0.63/debian/patches/CVE-2013-2145.patch
--- libmodule-signature-perl-0.63/debian/patches/CVE-2013-2145.patch 1970-01-01 01:00:00.000000000 +0100
+++ libmodule-signature-perl-0.63/debian/patches/CVE-2013-2145.patch 2013-06-19 18:13:10.000000000 +0200
@@ -0,0 +1,46 @@
+Description: Fix CVE-2013-2145
+ Fix arbitrary code execution when verifying SIGNATURE
+Origin: backport, commit:575f7bd6ba4cc7c92f841e8758f88a131674ebf2, commit:cbd06b392a73c63159dc5c20ff5b3c8fc88c4896, commit:8ff56de7668ff60fbc1afe5b965a3c865662dd24
+Bug-Debian: http://bugs.debian.org/711239
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2013-06-18
+Applied-Upstream: 0.73
+
+--- a/lib/Module/Signature.pm
++++ b/lib/Module/Signature.pm
+@@ -18,6 +18,7 @@
+
+ use ExtUtils::Manifest ();
+ use Exporter;
++use File::Spec;
+
+ @EXPORT_OK = (
+ qw(sign verify),
+@@ -496,18 +497,23 @@
+ my $read = ExtUtils::Manifest::maniread() || {};
+ my $found = ExtUtils::Manifest::manifind($p);
+ my(%digest) = ();
++
++ # Avoid loading Digest::* from relative paths in @INC.
++ local @INC = grep { File::Spec->file_name_is_absolute($_) } @INC;
++
++ # Constrain algorithm name to be of form ABC123.
++ my ($base, $variant) = ($algorithm =~ /^([_a-zA-Z]+)([0-9]+)$/g)
++ or die "Malformed algorithm name: $algorithm (should match /\\w+\\d+/)";
++
+ my $obj = eval { Digest->new($algorithm) } || eval {
+- my ($base, $variant) = ($algorithm =~ /^(\w+?)(\d+)$/g) or die;
+ require "Digest/$base.pm"; "Digest::$base"->new($variant)
+ } || eval {
+ require "Digest/$algorithm.pm"; "Digest::$algorithm"->new
+ } || eval {
+- my ($base, $variant) = ($algorithm =~ /^(\w+?)(\d+)$/g) or die;
+ require "Digest/$base/PurePerl.pm"; "Digest::$base\::PurePerl"->new($variant)
+ } || eval {
+ require "Digest/$algorithm/PurePerl.pm"; "Digest::$algorithm\::PurePerl"->new
+ } or do { eval {
+- my ($base, $variant) = ($algorithm =~ /^(\w+?)(\d+)$/g) or die;
+ warn "Unknown cipher: $algorithm, please install Digest::$base, Digest::$base$variant, or Digest::$base\::PurePerl\n";
+ } and return } or do {
+ warn "Unknown cipher: $algorithm, please install Digest::$algorithm\n"; return;
diff -Nru libmodule-signature-perl-0.63/debian/patches/series libmodule-signature-perl-0.63/debian/patches/series
--- libmodule-signature-perl-0.63/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libmodule-signature-perl-0.63/debian/patches/series 2013-06-19 18:13:10.000000000 +0200
@@ -0,0 +1 @@
+CVE-2013-2145.patch
Reply to: