This is an automated email from the git hooks/post-receive script. carnil pushed a commit to branch squeeze-lts in repository libmodule-signature-perl.
commit dc9e2d17c8b2ab813479725de56b85870cfde32a Merge: f3c139b 7340d85 Author: Santiago Ruano Rincón <santiag...@riseup.net> Date: Wed Jul 1 12:20:06 2015 +0200 Imported Debian patch 0.63-1+squeeze2 debian/changelog | 22 +++++++++++++ ...CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch | 36 ++++++++++++++-------- debian/patches/CVE-2015-3409.patch | 2 +- 3 files changed, 47 insertions(+), 13 deletions(-) diff --cc debian/changelog index 9e4b80f,0000000..f95e9fd mode 100644,000000..100644 --- a/debian/changelog 
+++ b/debian/changelog @@@ -1,150 -1,0 +1,172 @@@ ++libmodule-signature-perl (0.63-1+squeeze2) squeeze-lts; urgency=medium ++ ++ * Non-maintainer upload by the Squeeze LTS team. ++ * Add CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch. ++ CVE-2015-3406: Module::Signature parses the unsigned portion of the ++ SIGNATURE file as the signed portion due to incorrect handling of PGP ++ signature boundaries. ++ CVE-2015-3407: Module::Signature incorrectly handles files that are not ++ listed in the SIGNATURE file. This includes some files in the t/ ++ directory that would execute when tests are run. ++ CVE-2015-3408: Module::Signature uses two argument open() calls to read ++ the files when generating checksums from the signed manifest, allowing ++ to embed arbitrary shell commands into the SIGNATURE file that would ++ execute during the signature verification process. ++ * Add CVE-2015-3409.patch. ++ CVE-2015-3409: Module::Signature incorrectly handles module loading ++ allowing to load modules from relative paths in @INC. A remote attacker ++ providing a malicious module could use this issue to execute arbitrary ++ code during signature verification. ++ ++ -- Santiago Ruano Rincón <santiag...@riseup.net> Wed, 01 Jul 2015 12:20:06 +0200 ++ +libmodule-signature-perl (0.63-1+squeeze1) squeeze; urgency=low + + * Team upload. + * Add CVE-2013-2145.patch. + CVE-2013-2145: Fixes arbitrary code execution when verifying SIGNATURE. 
+ (Closes: #711239) + + -- Salvatore Bonaccorso <car...@debian.org> Tue, 18 Jun 2013 23:25:09 +0200 + +libmodule-signature-perl (0.63-1) unstable; urgency=low + + [ Jonathan Yu ] + * New upstream release + * No longer needs --with quilt + * Update copyright information + + [ Krzysztof Krzyżaniak (eloy) ] + * New upstream release + * debian/control: update Standards-Version to 3.8.4 without any changes + * debian/copyright: update dates + * debian/source/format: created with value "3.0 (quilt)" + * debian/README.source removed since new package type + * debian/patches: removed, fixed upstream + + -- Jonathan Yu <jaw...@cpan.org> Wed, 07 Apr 2010 12:14:53 -0400 + +libmodule-signature-perl (0.61-1) unstable; urgency=low + + [ Jonathan Yu ] + * New upstream release + * Use new short debhelper rules format + * Add myself to Uploaders and Copyright + * Rewrite control description + * Update copyright information (we're now using CC0) + * Upgrade to debhelper 7.2.13 (for Module::AutoInstall) + * Refresh keyserver.patch; add header + * Remove unnecessary build dependencies + + [ gregor herrmann ] + * Add debian/README.source to document quilt usage, as required by + Debian Policy since 3.8.0. + * debian/control: Changed: Switched Vcs-Browser field to ViewSVN + (source stanza). + * debian/control: Added: ${misc:Depends} to Depends: field. + * Change my email address. + + [ Nathan Handler ] + * debian/watch: Update to ignore development releases. + + -- Jonathan Yu <jaw...@cpan.org> Mon, 30 Nov 2009 15:57:30 -0500 + +libmodule-signature-perl (0.55-2) unstable; urgency=low + + * debian/control: Added: Vcs-Svn field (source stanza); Vcs-Browser + field (source stanza); Homepage field (source stanza). Removed: XS- + Vcs-Svn fields. + * debian/rules: + - delete /usr/lib/perl5 only if it exists (closes: #467870) + - update based on dh-make-perl's templates + - don't install README any more (no additional information) + * debian/watch: use dist-based URL. 
+ * Set Standards-Version to 3.7.3 (no changes). + * Add debian/compat instead of setting DH_COMPAT in debian/rules. + * debian/copyright: add download URL and copy copyright/license terms + verbatim from README to match reality. + * Split the changes regarding the default keyserver (cf. #293080) out to + keyserver.patch; and don't change the keyserver only in the test (which + isn't actually run because it would fail due to the patch -- d'oh) but + also in the module (and it's documentation) itself, which was the + intention of the bug submitter ... Add quilt framework. + + -- gregor herrmann <gregor+deb...@comodo.priv.at> Sun, 09 Mar 2008 00:16:07 +0100 + +libmodule-signature-perl (0.55-1) unstable; urgency=low + + * New upstream release + * debian/control: + + Standards-Version: increased to 3.7.2.1 + + -- Krzysztof Krzyzaniak (eloy) <e...@debian.org> Wed, 2 Aug 2006 16:13:43 +0200 + +libmodule-signature-perl (0.54-1) unstable; urgency=low + + * New upstream release. + * Standard-Version upgraded to 3.7.2 (no changes needed). + * Debhelper compatibility level upgraded to 5. + * Move several dependencies to Build-Depends-Indep, as required by Policy. + * Remove empty /usr/lib/perl5 directory from package. 
+ + -- gregor herrmann <gregor+deb...@comodo.priv.at> Sun, 14 May 2006 01:45:03 +0200 + +libmodule-signature-perl (0.53-1) unstable; urgency=low + + * New upstream release, taking package for Perl Group + (closes: #329595) (closes: #357075) + * debian/watch - added + * debian/control: + - Standards-Version: upgraded to 3.6.2 + - Uploaders: added me + - Maintainer: set to Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org> + - libdigest-sha-perl added to dependencies + * debian/rules: + - compat increased to 4 + - added PERL_MM_USE_DEFAULT=1 + + -- Krzysztof Krzyzaniak (eloy) <e...@debian.org> Wed, 15 Mar 2006 17:18:22 +0100 + +libmodule-signature-perl (0.44-3) unstable; urgency=low + + * Re-upload with full source, as the 0.44-1 upload was borked so the + 0.44-2 upload was refused. + + -- Chip Salzenberg <c...@debian.org> Fri, 8 Apr 2005 18:28:23 -0400 + +libmodule-signature-perl (0.44-2) unstable; urgency=low + + * Default to 'subkeys.pgp.net', not 'pgp.mit.edu'. (closes: #293080) + * Clean up dependencies. + + -- Chip Salzenberg <c...@debian.org> Fri, 8 Apr 2005 17:42:20 -0400 + +libmodule-signature-perl (0.44-1) unstable; urgency=medium + + * New upstream release. + + -- Chip Salzenberg <c...@debian.org> Tue, 8 Mar 2005 12:43:12 -0500 + +libmodule-signature-perl (0.35-2) unstable; urgency=high + + * Fix Build-Depends by deleting my hacked dpkg-source. + + -- Chip Salzenberg <c...@debian.org> Sun, 5 Oct 2003 21:45:16 -0400 + +libmodule-signature-perl (0.35-1) unstable; urgency=low + + * New upstream release. + + -- Chip Salzenberg <c...@debian.org> Fri, 3 Oct 2003 19:30:47 -0400 + +libmodule-signature-perl (0.26-1) unstable; urgency=low + + * New upstream release. + + -- Chip Salzenberg <c...@debian.org> Thu, 24 Jul 2003 18:12:17 -0400 + +libmodule-signature-perl (0.21-1) unstable; urgency=low + + * Initial Release. 
+ + -- Chip Salzenberg <c...@debian.org> Sat, 15 Feb 2003 15:18:20 -0500 diff --cc debian/patches/CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch index 7af1eab,0000000..abc5b02 mode 100644,000000..100644 --- a/debian/patches/CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch +++ b/debian/patches/CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch @@@ -1,187 -1,0 +1,199 @@@ +Description: Fix CVE-2015-3406, CVE-2015-3407 and CVE-2015-3408 + CVE-2015-3406: Module::Signature parses the unsigned portion of the + SIGNATURE file as the signed portion due to incorrect handling of PGP + signature boundaries. + . + CVE-2015-3407: Module::Signature incorrectly handles files that are not + listed in the SIGNATURE file. This includes some files in the t/ + directory that would execute when tests are run. + . + CVE-2015-3408: Module::Signature uses two argument open() calls to read + the files when generating checksums from the signed manifest, allowing + to embed arbitrary shell commands into the SIGNATURE file that would + execute during the signature verification process. +Origin: upstream, https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f +Bug-Debian: https://bugs.debian.org/783451 +Forwarded: not-needed +Author: Audrey Tang <audr...@audreyt.org> +Reviewed-by: Salvatore Bonaccorso <car...@debian.org> - Last-Update: 2015-05-12 ++Reviewed-by: Santiago Ruano Rincón <santiag...@riseup.net> ++Last-Update: 2015-06-30 +Applied-Upstream: 0.75 + +--- a/Makefile.PL ++++ b/Makefile.PL +@@ -9,6 +9,7 @@ + repository 'http://github.com/audreyt/module-signature'; + install_script 'script/cpansign'; + build_requires 'Test::More'; ++requires 'File::Temp'; + + # On Win32 (excluding cygwin) we know that IO::Socket::INET, + # which is needed for keyserver stuff, doesn't work. In fact +--- a/lib/Module/Signature.pm ++++ b/lib/Module/Signature.pm - 
@@ -52,8 +52,20 @@ ++@@ -52,8 +52,22 @@ + $AutoKeyRetrieve = 1; + $CanKeyRetrieve = undef; + ++sub _cipher_map { ++ my($sigtext) = @_; ++ my @lines = split /\015?\012/, $sigtext; ++ my %map; ++ for my $line (@lines) { +++ last if $line eq '-----BEGIN PGP SIGNATURE-----'; +++ next if $line =~ /^---/ .. $line eq ''; ++ my($cipher,$digest,$file) = split " ", $line, 3; ++ return unless defined $file; ++ $map{$file} = [$cipher, $digest]; ++ } ++ return \%map; ++} ++ + sub verify { +- my %args = ( skip => 1, @_ ); ++ my %args = ( @_ ); + my $rv; + + (-r $SIGNATURE) or do { - @@ -66,7 +78,7 @@ ++@@ -66,7 +80,7 @@ + return SIGNATURE_MALFORMED; + }; + +- (my ($cipher) = ($sigtext =~ /^(\w+) /)) or do { ++ (my ($cipher) = _cipher_map($sigtext)) or do { + warn "==> MALFORMED Signature file! <==\n"; + return SIGNATURE_MALFORMED; + }; - @@ -160,6 +172,11 @@ ++@@ -160,6 +174,11 @@ + ($mani, $file) = ExtUtils::Manifest::fullcheck(); + } + else { ++ my $_maniskip = &ExtUtils::Manifest::maniskip; ++ local *ExtUtils::Manifest::maniskip = sub { sub { ++ return unless $skip; ++ return $_maniskip->(@_); ++ } }; + ($mani, $file) = ExtUtils::Manifest::fullcheck(); + } + - @@ -199,6 +216,11 @@ ++@@ -199,6 +218,11 @@ + + my $keyserver = _keyserver($version); + ++ require File::Temp; ++ my $fh = File::Temp->new(); ++ print $fh $sigtext; ++ close $fh; ++ + my @quiet = $Verbose ? () : qw(-q --logger-fd=1); + my @cmd = ( + qw(gpg --verify --batch --no-tty), @quiet, ($KeyServer ? ( - @@ -206,7 +228,7 @@ ++@@ -206,7 +230,7 @@ + ($AutoKeyRetrieve and $version ge '1.0.7') + ? '--keyserver-options=auto-key-retrieve' + : () +- ) : ()), $SIGNATURE ++ ) : ()), $fh->filename + ); + + my $output = ''; - @@ -218,6 +240,7 @@ ++@@ -218,6 +242,7 @@ + my $cmd = join ' ', @cmd; + $output = `$cmd`; + } ++ unlink $fh->filename; + + if( $? ) { + print STDERR $output; - 
@@ -246,7 +269,7 @@ ++@@ -246,7 +271,7 @@ + my $pgp = Crypt::OpenPGP->new( + ($KeyServer) ? ( KeyServer => $KeyServer, AutoKeyRetrieve => $AutoKeyRetrieve ) : (), + ); +- my $rv = $pgp->handle( Filename => $SIGNATURE ) ++ my $rv = $pgp->handle( Data => $sigtext ) + or die $pgp->errstr; + + return SIGNATURE_BAD if (!$rv->{Validity} and $AutoKeyRetrieve); - @@ -269,32 +292,35 @@ ++@@ -269,32 +294,35 @@ + my $well_formed; + + local *D; +- open D, $sigfile or die "Could not open $sigfile: $!"; ++ open D, "< $sigfile" or die "Could not open $sigfile: $!"; + + if ($] >= 5.006 and <D> =~ /\r/) { + close D; +- open D, $sigfile or die "Could not open $sigfile: $!"; ++ open D, '<', $sigfile or die "Could not open $sigfile: $!"; + binmode D, ':crlf'; + } else { + close D; +- open D, $sigfile or die "Could not open $sigfile: $!"; ++ open D, "< $sigfile" or die "Could not open $sigfile: $!"; + } + ++ my $begin = "-----BEGIN PGP SIGNED MESSAGE-----\n"; ++ my $end = "-----END PGP SIGNATURE-----\n"; + while (<D>) { +- next if (1 .. /^-----BEGIN PGP SIGNED MESSAGE-----/); +- last if /^-----BEGIN PGP SIGNATURE/; +- ++ next if (1 .. ($_ eq $begin)); + $signature .= $_; ++ return "$begin$signature" if $_ eq $end; + } + +- return ((split(/\n+/, $signature, 2))[1]); ++ return; + } + + sub _compare { + my ($str1, $str2, $ok) = @_; + + # normalize all linebreaks ++ $str1 =~ s/^-----BEGIN PGP SIGNED MESSAGE-----\n(?:.+\n)*\n//; + $str1 =~ s/[^\S ]+/\n/g; $str2 =~ s/[^\S ]+/\n/g; ++ $str1 =~ s/-----BEGIN PGP SIGNATURE-----\n(?:.+\n)*$//; + + return $ok if $str1 eq $str2; + - @@ -305,7 +331,7 @@ ++@@ -305,7 +333,7 @@ + } + else { + local (*D, *S); +- open S, $SIGNATURE or die "Could not open $SIGNATURE: $!"; ++ open S, "< $SIGNATURE" or die "Could not open $SIGNATURE: $!"; + open D, "| diff -u $SIGNATURE -" or (warn "Could not call diff: $!", return SIGNATURE_MISMATCH); + while (<S>) { + print D $_ if (1 .. /^-----BEGIN PGP SIGNED MESSAGE-----/); - 
@@ -368,9 +394,9 @@ ++@@ -368,9 +396,9 @@ + die "Cannot find $sigfile.tmp, signing aborted.\n"; + }; + +- open D, "$sigfile.tmp" or die "Cannot open $sigfile.tmp: $!"; ++ open D, "< $sigfile.tmp" or die "Cannot open $sigfile.tmp: $!"; + +- open S, ">$sigfile" or do { ++ open S, "> $sigfile" or do { + unlink "$sigfile.tmp"; + die "Could not write to $sigfile: $!"; + }; - @@ -531,7 +557,7 @@ ++@@ -492,7 +520,7 @@ ++ ++ sub _mkdigest_files { ++ my $p = shift; ++- my $algorithm = shift || $Cipher; +++ my $algorithm = $Cipher; ++ my $dosnames = (defined(&Dos::UseLFN) && Dos::UseLFN()==0); ++ my $read = ExtUtils::Manifest::maniread() || {}; ++ my $found = ExtUtils::Manifest::manifind($p); ++@@ -531,7 +559,7 @@ + } + else { + local *F; +- open F, $file or die "Cannot open $file for reading: $!"; ++ open F, "< $file" or die "Cannot open $file for reading: $!"; + if (-B $file) { + binmode(F); + $obj->addfile(*F); diff --cc debian/patches/CVE-2015-3409.patch index f02cbec,0000000..300ee16 mode 100644,000000..100644 --- a/debian/patches/CVE-2015-3409.patch +++ b/debian/patches/CVE-2015-3409.patch @@@ -1,24 -1,0 +1,24 @@@ +Description: Fix CVE-2015-3409 + CVE-2015-3409: Module::Signature incorrectly handles module loading + allowing to load modules from relative paths in @INC. A remote attacker + providing a malicious module could use this issue to execute arbitrary + code during signature verification. +Origin: upstream, https://github.com/audreyt/module-signature/commit/c41e8885b862b9fce2719449bc9336f0bea658ef +Bug-Debian: https://bugs.debian.org/783451 +Forwarded: not-needed +Author: Audrey Tang <audr...@audreyt.org> +Reviewed-by: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2015-05-12 +Applied-Upstream: 0.75 + +--- a/lib/Module/Signature.pm ++++ b/lib/Module/Signature.pm - 
@@ -116,6 +116,8 @@ ++@@ -104,6 +104,8 @@ + my $sigtext = shift || ''; + my $plaintext = shift || ''; + ++ # Avoid loading modules from relative paths in @INC. ++ local @INC = grep { File::Spec->file_name_is_absolute($_) } @INC; + local $SIGNATURE = $signature if $signature ne $SIGNATURE; + + if ($AutoKeyRetrieve and !$CanKeyRetrieve) { -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libmodule-signature-perl.git _______________________________________________ Pkg-perl-cvs-commits mailing list Pkg-perl-cvs-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits
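Review bot: in the `_cipher_map` hunk (`@@ -52,8 +52,22 @@` of lib/Module/Signature.pm) the value bound by `(my ($cipher) = _cipher_map($sigtext))` is now a hash reference of `file => [cipher, digest]` pairs, not a cipher name, yet the variable keeps its old name, and the companion `@@ -492,7 +520,7 @@` hunk (marked `++`, i.e. new to this revision of the patch) silently drops the algorithm argument of `_mkdigest_files` by turning `my $algorithm = shift || $Cipher;` into `my $algorithm = $Cipher;`. The two changes only make sense together and nothing in the patch says so. Suggest renaming the variable to `$cipher_map`, removing the now-dead positional parameter from `_mkdigest_files` instead of ignoring it (a caller that still passes an explicit algorithm gets `$Cipher` with no warning), and adding a sentence to the patch Description explaining why that hunk was added in 0.63-1+squeeze2.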
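Review bot: the `verify` hunk (`@@ -160,6 +174,11 @@`) calls `my $_maniskip = &ExtUtils::Manifest::maniskip;` with an ampersand and no parentheses, which in Perl passes the caller's current `@_` straight through, so whatever arguments `verify` itself received (for example `skip => 0`) are handed to `maniskip` as its optional skip-file name. Use `ExtUtils::Manifest::maniskip()` with explicit empty parentheses. The wrapped closure also reads `$skip`, which is not declared anywhere in the visible hunk; confirm it is set from `$args{skip}` before this point, since the line `my %args = ( skip => 1, @_ );` that used to default it now reads `my %args = ( @_ );`.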
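Review bot: in the gpg hunks (`@@ -199,6 +218,11 @@` through `@@ -218,6 +242,7 @@`) the temporary file name from `$fh->filename` is pushed into `@cmd` and the command is later run as `my $cmd = join ' ', @cmd; $output = \`$cmd\`;`, so the path reaches the shell unquoted. Default File::Temp locations are normally safe, but a `TMPDIR` containing spaces or shell metacharacters would break or alter the command; either run gpg via list-form `system`/`open` or shell-quote the element before joining. Writing `$sigtext` to the temp file (with `close $fh` before the call, which is correct) is the right move, because gpg then verifies exactly the bytes `_read_sigfile` extracted rather than the raw SIGNATURE file. The trailing `unlink $fh->filename;` is harmless but redundant: `File::Temp->new()` removes the file itself when `$fh` goes out of scope.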
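Review bot: the `_read_sigfile` hunk (`@@ -269,32 +294,35 @@`) mixes two styles of open in the same function: two of the three reopen lines become `open D, "< $sigfile"` while the middle one becomes `open D, '<', $sigfile`. The three-argument form should be used for all three (and for the `open F, "< $file"` change in `_mkdigest_files`), since two-argument open still trims leading and trailing whitespace from the interpolated name and is the idiom the CVE-2015-3408 fix is trying to retire. The rewritten loop, `next if (1 .. ($_ eq $begin)); $signature .= $_; return "$begin$signature" if $_ eq $end;`, correctly discards everything before the cleartext header and after the armor footer, which is the CVE-2015-3406 fix; note that it requires the `-----END PGP SIGNATURE-----` line to end in a newline, otherwise the function falls through to `return;` and the file is reported malformed, a fail-closed outcome worth a comment in the code.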
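Review bot: in the `@@ -305,7 +333,7 @@` hunk only `open S, "< $SIGNATURE"` is hardened, while the unchanged next line, `open D, "| diff -u $SIGNATURE -"`, still interpolates `$SIGNATURE` into a shell command. Because `verify` does `local $SIGNATURE = $signature` from its caller's argument (visible in the CVE-2015-3409 hunk), a caller-supplied path containing spaces or shell metacharacters breaks or changes the diff invocation. The `return SIGNATURE_MISMATCH` on the same line suggests this is the mismatch-reporting path rather than the verification decision itself, so this is a robustness point, but a list-form pipe open such as `open D, '|-', 'diff', '-u', $SIGNATURE, '-'` removes the shell from the picture at no cost.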
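Review bot: the CVE-2015-3409 hunk (`@@ -104,6 +104,8 @@`) calls `File::Spec->file_name_is_absolute($_)` without a `require File::Spec;` in sight; it presumably works because ExtUtils::Manifest or another existing import loads File::Spec, but none of that is visible here, so add the explicit `require` beside the `local @INC` line. Two further points: Perl permits code references and objects in `@INC`, and those stringify to something like `CODE(0x...)`, which is not an absolute path, so the `grep` also drops any such hooks for the duration of `verify`; say in a comment whether that is intended. And the only change to this patch file in the upload is the hunk offset (`@@ -116,6 +116,8 @@` becomes `@@ -104,6 +104,8 @@`), yet its DEP-3 `Last-Update: 2015-05-12` header was left as is while the sibling patch got a new `Reviewed-by` and `Last-Update: 2015-06-30`; bump it for consistency.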