Bugzilla – Bug 928382
VUL-0: CVE-2015-3406,CVE-2015-3407,CVE-2015-3408,CVE-2015-3409: perl-Module-Signature: Module::Signature multiple vulnerabilities
Last modified: 2016-01-19 11:13:28 UTC
via oss-sec http://seclists.org/oss-sec/2015/q2/263

> A new version of Module::Signature was released to fix multiple
> vulnerabilities. Module::Signature is used by most CPAN clients to
> validate PAUSE GPG signature files on the CPAN mirrors and GPG signature
> files inside individual Perl module tarballs.
>
> The changelog for the 0.75 version is here:
>
> https://metacpan.org/changes/distribution/Module-Signature
>
> This commit fixes three flaws:
>
> https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f
>
> - Module::Signature could be tricked into interpreting the unsigned
>   portion of a SIGNATURE file as the signed portion due to faulty parsing
>   of the PGP signature boundaries. CVE-2015-3406
> - When verifying the contents of a CPAN module, Module::Signature
>   ignored some files in the extracted tarball that were not listed in the
>   signature file. This included some files in the t/ directory that would
>   execute automatically during "make test". CVE-2015-3407
> - When generating checksums from the signed manifest, Module::Signature
>   used two argument open() calls to read the files. This allowed embedding
>   arbitrary shell commands into the SIGNATURE file that would execute
>   during the signature verification process. CVE-2015-3408
>
> This commit fixes one more flaw:
>
> https://github.com/audreyt/module-signature/commit/c41e8885b862b9fce2719449bc9336f0bea658ef
>
> - Several modules were loaded at runtime inside the extracted module
>   directory. Modules like Text::Diff are not guaranteed to be available on
>   all platforms and could be added to a malicious module so that they
>   would load from the '.' path in @INC. CVE-2015-3409

openSUSE:13.1 perl-Module-Signature 0.73 affected
openSUSE:13.2 perl-Module-Signature 0.73 affected
openSUSE:Factory perl-Module-Signature 0.78 already fixed.

Package has no dedicated bugowner/maintainer set, adding project maintainers and recent updaters. Any takers?
References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3406 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3407 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3408 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3409
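The following is an added illustration, not code from Module::Signature or from the oss-sec post above, of the two hardening points the advisory describes for CVE-2015-3408 and CVE-2015-3409: hashing manifest entries with a three-argument, read-only open() instead of a two-argument open() (so a name such as "cmd |" can never be interpreted as a pipe), and dropping '.' from @INC before any run-time require so an optional module cannot be satisfied from the unpacked distribution directory. The function names (harden_inc, unsafe_name, digest_manifest_entry, demo) and the constructed manifest entries are assumptions made for this example; only core modules (Digest::SHA, File::Temp, File::Spec) are used.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA;
use File::Temp qw(tempdir);
use File::Spec;

# Remove '.' (and the empty string, which Perl also treats as the current
# directory) from @INC before any run-time require. This is the defensive
# counterpart of the CVE-2015-3409 fix: an optional module such as
# Text::Diff can then only be found in the real library paths.
sub harden_inc {
    @INC = grep { defined $_ && $_ ne '.' && $_ ne '' } @INC;
    return scalar @INC;
}

# Manifest names that a two-argument open() would have treated as a mode
# prefix, a pipe, or STDIN instead of a literal path. A three-argument
# open() opens them literally, but no legitimate manifest carries such
# names, so they are rejected before any file is touched. Absolute paths
# and '..' components are rejected for the same reason.
sub unsafe_name {
    my ($name) = @_;
    return 1 if $name =~ /^\s|\s$/;      # leading or trailing whitespace
    return 1 if $name =~ /^[<>+|\-]/;    # '<', '>', '+', '|' or '-' prefix
    return 1 if $name =~ /\|$/;          # trailing pipe ("cmd |")
    return 1 if $name =~ /\0/;           # embedded NUL
    return 1 if File::Spec->file_name_is_absolute($name);
    return 1 if grep { $_ eq '..' } File::Spec->splitdir($name);
    return 0;
}

# Hash one manifest entry below $root. The explicit '<' mode is the
# CVE-2015-3408 fix: the third argument is always a file name, never a
# command. Returns (status, sha1_hex_or_reason).
sub digest_manifest_entry {
    my ($root, $name) = @_;
    return ('rejected', 'unsafe name') if unsafe_name($name);
    my $path = File::Spec->catfile($root, $name);
    open(my $fh, '<', $path) or return ('missing', "$!");
    binmode $fh;
    my $sha = Digest::SHA->new(1);    # SHA-1, as used by SIGNATURE files
    $sha->addfile($fh);
    close $fh;
    return ('ok', $sha->hexdigest);
}

# Constructed demo: a scratch directory standing in for an unpacked
# tarball, plus a manifest containing one real file and three entries of
# the kind the advisory warns about. Returns a hashref of entry => result.
sub demo {
    my $root = tempdir(CLEANUP => 1);
    open(my $out, '>', File::Spec->catfile($root, 'Foo.pm')) or die "$!";
    print $out "package Foo; 1;\n";
    close $out;

    my @manifest = ('Foo.pm', 'echo pwned |', '| echo pwned', '../etc/passwd');
    my %result;
    for my $entry (@manifest) {
        my ($status, $detail) = digest_manifest_entry($root, $entry);
        $result{$entry} = "$status: $detail";
    }
    return \%result;
}

harden_inc();
my $r = demo();
printf "%-16s %s\n", $_, $r->{$_} for sort keys %$r;
```

Running this prints an "ok" line with the SHA-1 of Foo.pm and "rejected: unsafe name" for the three hostile entries; with the original two-argument open() the pipe-shaped names would instead have been handed to the shell.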
bugbot adjusting priority
Maintenance Request created https://build.opensuse.org/request/show/352653
(In reply to Christian Wittmer from comment #2)
> Maintenance Request created
> https://build.opensuse.org/request/show/352653

Thanks, fixed a typo in the CVE and sent https://build.opensuse.org/request/show/353046 to the devel package
Update is running. Already fixed in openSUSE Leap 42.1, removed that portion of the update.
Releasing update
openSUSE-SU-2016:0163-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 928382
CVE References: CVE-2015-3406,CVE-2015-3407,CVE-2015-3408,CVE-2015-3409
Sources used:
openSUSE 13.2 (src): perl-Module-Signature-0.79-4.4.1
openSUSE 13.1 (src): perl-Module-Signature-0.79-2.4.1