oss-sec mailing list archives
Re: CVE request: Module::Signature before 0.75 - multiple vulnerabilities
From: cve-assign () mitre org
Date: Thu, 23 Apr 2015 08:20:03 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
This commit fixes three flaws: https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f
- Module::Signature could be tricked into interpreting the unsigned portion of a SIGNATURE file as the signed portion due to faulty parsing of the PGP signature boundaries.
Use CVE-2015-3406.
- When verifying the contents of a CPAN module, Module::Signature ignored some files in the extracted tarball that were not listed in the signature file. This included some files in the t/ directory that would execute automatically during "make test"
Use CVE-2015-3407.
- When generating checksums from the signed manifest, Module::Signature used two argument open() calls to read the files. This allowed embedding arbitrary shell commands into the SIGNATURE file that would execute during the signature verification process.
Use CVE-2015-3408.
This commit fixes one more flaw: https://github.com/audreyt/module-signature/commit/c41e8885b862b9fce2719449bc9336f0bea658ef - Several modules were loaded at runtime inside the extracted module directory. Modules like Text::Diff are not guaranteed to be available on all platforms and could be added to a malicious module so that they would load from the '.' path in @INC.
Use CVE-2015-3409. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVOOLtAAoJEKllVAevmvmswjcIAKgDnLpQWI+oCy1HDilIRxG5 4HTYpPclTQIvWG+dC+MxwpfEWRw/iMjPrbG3V9ZUn7y34id5dfMIHkV8d8OHmKp7 yJrR6goHV5BjuonL75buXOR+G60eV7QWz3kIvJ+aar+rLR7inRCeBKAKH3gOezp4 53e+LKCyTozCytBgoog8/X8actbQ6p7DIeNapYEmm/nzCtZo4Y1QX+UkKeLzsVUA IuqS4cLyoYotzmFGeu8g0fHaIXmpq+qk4iFRfCkSkUg60l2IQuJWXoatXiU5dva9 3y0kdnddgMBoA6XTxpv2rNJ9aH+g7Invioxt1o/dINOj3xk2Jjpb/8y+c1SClqY= =BTz2 -----END PGP SIGNATURE-----
Current thread:
- CVE request: Module::Signature before 0.75 - multiple vulnerabilities John Lightsey (Apr 06)
- Re: CVE request: Module::Signature before 0.75 - multiple vulnerabilities Salvatore Bonaccorso (Apr 22)
- Re: CVE request: Module::Signature before 0.75 - multiple vulnerabilities cve-assign (Apr 23)