Date: Thu, 23 Apr 2015 08:20:03 -0400 (EDT) From: cve-assign@...re.org To: john@...nuts.net Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE request: Module::Signature before 0.75 - multiple vulnerabilities -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > This commit fixes three flaws: > > https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f > - Module::Signature could be tricked into interpreting the unsigned > portion of a SIGNATURE file as the signed portion due to faulty parsing > of the PGP signature boundaries. Use CVE-2015-3406. > - When verifying the contents of a CPAN module, Module::Signature > ignored some files in the extracted tarball that were not listed in the > signature file. This included some files in the t/ directory that would > execute automatically during "make test" Use CVE-2015-3407. > - When generating checksums from the signed manifest, Module::Signature > used two argument open() calls to read the files. This allowed embedding > arbitrary shell commands into the SIGNATURE file that would execute > during the signature verification process. Use CVE-2015-3408. > This commit fixes one more flaw: > > https://github.com/audreyt/module-signature/commit/c41e8885b862b9fce2719449bc9336f0bea658ef > > - Several modules were loaded at runtime inside the extracted module > directory. Modules like Text::Diff are not guaranteed to be available on > all platforms and could be added to a malicious module so that they > would load from the '.' path in @INC. Use CVE-2015-3409. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVOOLtAAoJEKllVAevmvmswjcIAKgDnLpQWI+oCy1HDilIRxG5 4HTYpPclTQIvWG+dC+MxwpfEWRw/iMjPrbG3V9ZUn7y34id5dfMIHkV8d8OHmKp7 yJrR6goHV5BjuonL75buXOR+G60eV7QWz3kIvJ+aar+rLR7inRCeBKAKH3gOezp4 53e+LKCyTozCytBgoog8/X8actbQ6p7DIeNapYEmm/nzCtZo4Y1QX+UkKeLzsVUA IuqS4cLyoYotzmFGeu8g0fHaIXmpq+qk4iFRfCkSkUg60l2IQuJWXoatXiU5dva9 3y0kdnddgMBoA6XTxpv2rNJ9aH+g7Invioxt1o/dINOj3xk2Jjpb/8y+c1SClqY= =BTz2 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.