libmodule-signature-perl: CVE-2015-3406 CVE-2015-3407 CVE-2015-3408 CVE-2015-3409


Debian Bug report logs - #783451


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 27 Apr 2015 07:24:12 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions libmodule-signature-perl/0.63-1, libmodule-signature-perl/0.73-1

Fixed in versions libmodule-signature-perl/0.78-1, libmodule-signature-perl/0.73-1+deb8u1, libmodule-signature-perl/0.68-1+deb7u2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#783451; Package src:libmodule-signature-perl. (Mon, 27 Apr 2015 07:24:17 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 27 Apr 2015 07:24:17 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libmodule-signature-perl: CVE-2015-3406 CVE-2015-3407 CVE-2015-3408 CVE-2015-3409
Date: Mon, 27 Apr 2015 09:22:21 +0200
Source: libmodule-signature-perl
Version: 0.73-1
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerabilities were published for libmodule-signature-perl.

CVE-2015-3406[0]:
unsigned files interpreted as signed in some circumstances

CVE-2015-3407[1]:
arbitrary code execution during test phase

CVE-2015-3408[2]:
arbitrary code execution when verifying module signatures

CVE-2015-3409[3]:
arbitrary modules loading in some circumstances

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-3406
[1] https://security-tracker.debian.org/tracker/CVE-2015-3407
[2] https://security-tracker.debian.org/tracker/CVE-2015-3408
[3] https://security-tracker.debian.org/tracker/CVE-2015-3409

Please adjust the affected versions in the BTS as needed.

p.s.: for the pkg-perl team: I planned to look into it for all needed
versions, but if somebody beats me to it, just go ahead!

Regards,
Salvatore



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 29 Apr 2015 18:36:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 29 Apr 2015 18:36:09 GMT)


Message #10 received at 783451-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 783451-close@bugs.debian.org
Subject: Bug#783451: fixed in libmodule-signature-perl 0.78-1
Date: Wed, 29 Apr 2015 18:34:15 +0000
Source: libmodule-signature-perl
Source-Version: 0.78-1

We believe that the bug you reported is fixed in the latest version of
libmodule-signature-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783451@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libmodule-signature-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 29 Apr 2015 20:08:00 +0200
Source: libmodule-signature-perl
Binary: libmodule-signature-perl
Architecture: source all
Version: 0.78-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 libmodule-signature-perl - module to manipulate CPAN SIGNATURE files
Closes: 783451
Changes:
 libmodule-signature-perl (0.78-1) unstable; urgency=medium
 .
   * Team upload.
 .
   [ gregor herrmann ]
   * Strip trailing slash from metacpan URLs.
 .
   [ Salvatore Bonaccorso ]
   * Update Vcs-Browser URL to cgit web frontend
   * Add debian/upstream/metadata
   * Import upstream version 0.78
     - CVE-2015-3406: unsigned files interpreted as signed in some
       circumstances.
     - CVE-2015-3407: arbitrary code execution during test phase
     - CVE-2015-3408: arbitrary code execution when verifying module
       signatures
     - CVE-2015-3409: arbitrary modules loading in some circumstances
     (Closes: #783451)
   * Declare compliance with Debian policy 3.9.6
   * Add pod2man-errors.patch patch.
     Missing =encoding results in pod2man complaining about UTF-8 characters.
   * Add 'Testsuite: autopkgtest-pkg-perl' header in control file





Marked as found in versions libmodule-signature-perl/0.63-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 15 May 2015 17:54:08 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 16 May 2015 18:21:14 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 16 May 2015 18:21:14 GMT)


Message #17 received at 783451-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 783451-close@bugs.debian.org
Subject: Bug#783451: fixed in libmodule-signature-perl 0.73-1+deb8u1
Date: Sat, 16 May 2015 18:17:06 +0000
Source: libmodule-signature-perl
Source-Version: 0.73-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
libmodule-signature-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783451@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libmodule-signature-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 14 May 2015 12:58:30 +0200
Source: libmodule-signature-perl
Binary: libmodule-signature-perl
Architecture: source all
Version: 0.73-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 libmodule-signature-perl - module to manipulate CPAN SIGNATURE files
Closes: 783451
Changes:
 libmodule-signature-perl (0.73-1+deb8u1) jessie-security; urgency=high
 .
   * Team upload.
   * Add CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch patch.
     CVE-2015-3406: Module::Signature parses the unsigned portion of the
     SIGNATURE file as the signed portion due to incorrect handling of PGP
     signature boundaries.
     CVE-2015-3407: Module::Signature incorrectly handles files that are not
     listed in the SIGNATURE file. This includes some files in the t/
     directory that would execute when tests are run.
     CVE-2015-3408: Module::Signature uses two-argument open() calls to read
     the files when generating checksums from the signed manifest, which
     allows arbitrary shell commands embedded in the SIGNATURE file to
     execute during the signature verification process. (Closes: #783451)
   * Add CVE-2015-3409.patch patch.
     CVE-2015-3409: Module::Signature incorrectly handles module loading,
     allowing modules to be loaded from relative paths in @INC. A remote
     attacker providing a malicious module could use this issue to execute
     arbitrary code during signature verification. (Closes: #783451)
   * Add Fix-signature-tests.patch patch.
     Fix signature tests by defaulting to verify(skip=>1) when
     $ENV{TEST_SIGNATURE} is true.




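The two parsing defects the changelog above describes for CVE-2015-3406 and CVE-2015-3408, shown in hardened form as an added example. This is not Module::Signature's own code and does not reproduce its parser; the function names, the SHA256-only manifest line format and the constructed SIGNATURE text are assumptions made for the example.

```perl
# Added example, not Module::Signature's code: hardened forms of the two steps.
use strict;
use warnings;
use Digest::SHA;
# CVE-2015-3406: keep only the clearsigned body. Data before the BEGIN PGP SIGNED
# MESSAGE header or after END PGP SIGNATURE is an error, never treated as signed.
# Checking the signature itself is gpg's job and is not done here.
sub signed_body {
    my ($text) = @_;
    my ($state, @body) = ('before');
    for my $line (split /\n/, $text) {
        if ($state eq 'before') {
            if ($line eq '-----BEGIN PGP SIGNED MESSAGE-----') { $state = 'header' }
            elsif ($line ne '') { die "unsigned data before signed block\n" }
        } elsif ($state eq 'header') {
            $state = 'body' if $line eq '';        # armor headers end at a blank line
        } elsif ($state eq 'body') {
            if ($line eq '-----BEGIN PGP SIGNATURE-----') { $state = 'sig'; next }
            (my $plain = $line) =~ s/^- //;        # undo RFC 4880 dash-escaping
            push @body, $plain;
        } elsif ($state eq 'sig') {
            $state = 'after' if $line eq '-----END PGP SIGNATURE-----';
        } elsif ($line ne '') {
            die "unsigned data after signature\n";
        }
    }
    die "no complete signature block\n" unless $state eq 'after';
    return join "\n", @body;
}
# CVE-2015-3408: every "SHA256 <hex> <file>" entry must name a plain relative path
# and is opened with three-argument open, so "|cmd" or ">file" stays a file name,
# never a pipe or redirect. Returns the problems found; empty means all matched.
sub check_manifest {
    my ($body, $root) = @_;
    my @problems;
    for my $entry (grep { /\S/ && !/^#/ } split /\n/, $body) {
        my ($alg, $hex, $file) = split ' ', $entry, 3;
        if (!defined $file || $alg ne 'SHA256' || $hex !~ /^[0-9a-f]{64}$/
            || $file !~ m{^(?!/)(?!.*\.\.)[\w./-]+$}) {
            push @problems, "rejected entry: $entry";
            next;
        }
        open(my $fh, '<:raw', "$root/$file") or do { push @problems, "$file: $!"; next };
        my $got = Digest::SHA->new(256)->addfile($fh)->hexdigest;
        close $fh;
        push @problems, "$file: digest mismatch" if $got ne $hex;
    }
    return @problems;
}
# Constructed input: a clearsigned manifest with an unsigned entry appended after
# the signature block, which is the shape CVE-2015-3406 concerns.
my $tampered = join "\n", '-----BEGIN PGP SIGNED MESSAGE-----', 'Hash: SHA256', '',
    'SHA256 ' . ('0' x 64) . ' lib/Foo.pm', '-----BEGIN PGP SIGNATURE-----',
    '(armored signature)', '-----END PGP SIGNATURE-----', 'SHA256 ' . ('0' x 64) . ' |id';
eval { signed_body($tampered); 1 } or print "SIGNATURE rejected: $@";
print "$_\n" for check_manifest('SHA256 ' . ('0' x 64) . " |id\n", '.');
```

The second call shows that a manifest entry such as `|id` is rejected by the path check before any open() is attempted, so the three-argument open is a second line of defence rather than the only one.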

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 16 May 2015 18:21:18 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 16 May 2015 18:21:18 GMT)


Message #22 received at 783451-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 783451-close@bugs.debian.org
Subject: Bug#783451: fixed in libmodule-signature-perl 0.68-1+deb7u2
Date: Sat, 16 May 2015 18:17:31 +0000
Source: libmodule-signature-perl
Source-Version: 0.68-1+deb7u2

We believe that the bug you reported is fixed in the latest version of
libmodule-signature-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783451@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libmodule-signature-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 14 May 2015 17:35:32 +0200
Source: libmodule-signature-perl
Binary: libmodule-signature-perl
Architecture: source all
Version: 0.68-1+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libmodule-signature-perl - module to manipulate CPAN SIGNATURE files
Closes: 783451
Changes: 
 libmodule-signature-perl (0.68-1+deb7u2) wheezy-security; urgency=high
 .
   * Team upload.
   * Add CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch patch.
     CVE-2015-3406: Module::Signature parses the unsigned portion of the
     SIGNATURE file as the signed portion due to incorrect handling of PGP
     signature boundaries.
     CVE-2015-3407: Module::Signature incorrectly handles files that are not
     listed in the SIGNATURE file. This includes some files in the t/
     directory that would execute when tests are run.
     CVE-2015-3408: Module::Signature uses two-argument open() calls to read
     the files when generating checksums from the signed manifest, which
     allows arbitrary shell commands embedded in the SIGNATURE file to
     execute during the signature verification process. (Closes: #783451)
   * Add CVE-2015-3409.patch patch.
     CVE-2015-3409: Module::Signature incorrectly handles module loading,
     allowing modules to be loaded from relative paths in @INC. A remote
     attacker providing a malicious module could use this issue to execute
     arbitrary code during signature verification. (Closes: #783451)
   * Add Fix-signature-tests.patch patch.
     Fix signature tests by defaulting to verify(skip=>1) when
     $ENV{TEST_SIGNATURE} is true.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 22 Jun 2015 07:28:45 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:50:42 2019; Machine Name: buxtehude
