Bug#721748: pu: package libmodule-metadata-perl/1.000009-1+deb7u1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu
Hi Stable Release managers,
I would like to update libmodule-metadata-perl in Wheezy to fix a
serious documentation bug, CVE-2013-1437[1].
[1] https://security-tracker.debian.org/tracker/CVE-2013-1437
Module::Metadata stated that:
This module provides a standard way to gather metadata about a .pm file
without executing unsafe code.
which is not true. This was already fixed by a new upstream version in
unstable. The proposed attached debdiff tries to address both the upstream
changes to the DESCRIPTION in the manpage, and furthermore I updated
the description of the package to make this clear there as well.
Can I upload this as a proposed-update for Wheezy?
Regards,
Salvatore
diff -Nru libmodule-metadata-perl-1.000009/debian/changelog libmodule-metadata-perl-1.000009/debian/changelog
--- libmodule-metadata-perl-1.000009/debian/changelog 2012-02-08 23:25:25.000000000 +0100
+++ libmodule-metadata-perl-1.000009/debian/changelog 2013-09-03 19:38:51.000000000 +0200
@@ -1,3 +1,18 @@
+libmodule-metadata-perl (1.000009-1+deb7u1) wheezy; urgency=low
+
+ * Add CVE-2013-1437-documentation-fix.patch patch.
+ Addresses CVE-2013-1437 as (serious) documentation bug: Module::Metadata
+ executes code when gathering metadata about a module by design. In
+ versions previous to 1.000015 the documentation stated, however, that
+ Module::Metadata provides a standard way to gather metadata about a .pm
+ file without executing unsafe code.
+ * Rewrite short and long description.
+ Rewrite short description matching the X is a Perl module [...] scheme.
+ Rewrite the long description based on the Module::Metadata POD,
+ containing also the note about how the information is gathered.
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Tue, 03 Sep 2013 19:33:20 +0200
+
libmodule-metadata-perl (1.000009-1) unstable; urgency=low
[ Ansgar Burchardt ]
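Review bot: the second bullet of the new changelog entry (the short/long description rewrite) goes beyond the minimal change the CVE fix strictly needs; for a stable proposed-update it helps the reviewer if the entry states explicitly that the upload is documentation-only, e.g. end the first bullet with "No code changes." Also, "In versions previous to 1.000015" should read "In upstream versions previous to 1.000015", as the patch header does, to avoid confusion with the Debian version 1.000009-1+deb7u1 this entry introduces.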
diff -Nru libmodule-metadata-perl-1.000009/debian/control libmodule-metadata-perl-1.000009/debian/control
--- libmodule-metadata-perl-1.000009/debian/control 2012-02-08 23:25:25.000000000 +0100
+++ libmodule-metadata-perl-1.000009/debian/control 2013-09-03 19:38:51.000000000 +0200
@@ -17,8 +17,9 @@
Depends: ${misc:Depends},
${perl:Depends},
perl (>= 5.13.9) | libversion-perl (>= 1:0.8700)
-Description: package and POD information gatherer
- Module::Metadata provides routines to gather information about perl
- modules like name, version, list of packages, list of pod
- sections... All this information is extracted from perl module files.
-
+Description: Perl module to gather package and POD information from perl module files
+ Module::Metadata provides a standard way to gather metadata (like name,
+ version, list of packages, list of pod sections, ...) about a .pm file
+ through (mostly) static analysis and (some) code execution. When
+ determining the version of a module, the $VERSION assignment is evaled,
+ as is traditional in the CPAN toolchain.
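Review bot: the new long description says that the $VERSION assignment is evaled but not the consequence a package user needs to know, namely that gathering metadata from an untrusted .pm file can run code from that file; one sentence to that effect after "as is traditional in the CPAN toolchain." would make the security point of this update explicit. Minor style points: "Perl" is capitalised in the short description but "perl module files" is not, and the parenthesised "(mostly)" and "(some)" copied from the POD read awkwardly in a control file; "through static analysis, with some code execution" says the same more plainly.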
diff -Nru libmodule-metadata-perl-1.000009/debian/patches/CVE-2013-1437-documentation-fix.patch libmodule-metadata-perl-1.000009/debian/patches/CVE-2013-1437-documentation-fix.patch
--- libmodule-metadata-perl-1.000009/debian/patches/CVE-2013-1437-documentation-fix.patch 1970-01-01 01:00:00.000000000 +0100
+++ libmodule-metadata-perl-1.000009/debian/patches/CVE-2013-1437-documentation-fix.patch 2013-09-03 19:38:51.000000000 +0200
@@ -0,0 +1,28 @@
+Description: Fix serious documentation bug aboute statement of execution of unsafe code
+ Addresses CVE-2013-1437 as (serious) documentation bug:
+ Module::Metadata executes code when gathering metadata about a module
+ by design. In versions previous to (upstream) 1.000015 the
+ documentation stated, however, that Module::Metadata provides a
+ standard way to gather metadata about a .pm file without executing
+ unsafe code.
+Origin: upstream, http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=p5sagit/Module-Metadata.git;a=commitdiff;h=c0278e58ecbced5d852526c1c5d088c8df6ba618
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2013-09-03
+Applied-Upstream: 1.000015
+
+--- a/lib/Module/Metadata.pm
++++ b/lib/Module/Metadata.pm
+@@ -719,8 +719,10 @@
+
+ =head1 DESCRIPTION
+
+-This module provides a standard way to gather metadata about a .pm file
+-without executing unsafe code.
++This module provides a standard way to gather metadata about a .pm file through
++(mostly) static analysis and (some) code execution. When determining the
++version of a module, the C<$VERSION> assignment is C<eval>ed, as is traditional
++in the CPAN toolchain.
+
+ =head1 USAGE
+
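Review bot: typo in the DEP-3 Description line: "aboute" should be "about". The Origin field pointing at the upstream commit is good; since this is a CVE fix, also record the CVE reference the report cites (https://security-tracker.debian.org/tracker/CVE-2013-1437) in the header so the patch is self-describing without the bug report. The POD change itself matches the upstream wording and correctly marks C<$VERSION> and C<eval>.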
diff -Nru libmodule-metadata-perl-1.000009/debian/patches/series libmodule-metadata-perl-1.000009/debian/patches/series
--- libmodule-metadata-perl-1.000009/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libmodule-metadata-perl-1.000009/debian/patches/series 2013-09-03 19:38:51.000000000 +0200
@@ -0,0 +1 @@
+CVE-2013-1437-documentation-fix.patch