[libmodule-signature-perl] 02/04: Add CVE-2015-3409.patch patch

2015-06-30 Thread Santiago Ruano Rincón
This is an automated email from the git hooks/post-receive script.

santiago pushed a commit to branch squeeze-lts
in repository libmodule-signature-perl.

commit ddc2764cdc1463cf5ad1ba372f34f781f31ffc66
Author: Salvatore Bonaccorso 
Date:   Tue May 12 22:44:48 2015 +0200

Add CVE-2015-3409.patch patch

CVE-2015-3409: Module::Signature incorrectly handles module loading
allowing to load modules from relative paths in @INC. A remote attacker
providing a malicious module could use this issue to execute arbitrary
code during signature verification.

Closes: #783451
---
 debian/patches/CVE-2015-3409.patch | 24 
 debian/patches/series  |  1 +
 2 files changed, 25 insertions(+)

diff --git a/debian/patches/CVE-2015-3409.patch 
b/debian/patches/CVE-2015-3409.patch
new file mode 100644
index 000..e0ccb7b
--- /dev/null
+++ b/debian/patches/CVE-2015-3409.patch
@@ -0,0 +1,24 @@
+Description: Fix CVE-2015-3409
+ CVE-2015-3409: Module::Signature incorrectly handles module loading
+ allowing to load modules from relative paths in @INC. A remote attacker
+ providing a malicious module could use this issue to execute arbitrary
+ code during signature verification.
+Origin: upstream, 
https://github.com/audreyt/module-signature/commit/c41e8885b862b9fce2719449bc9336f0bea658ef
+Bug-Debian: https://bugs.debian.org/783451
+Forwarded: not-needed
+Author: Audrey Tang 
+Reviewed-by: Salvatore Bonaccorso 
+Last-Update: 2015-05-12
+Applied-Upstream: 0.75
+
+--- a/lib/Module/Signature.pm
 b/lib/Module/Signature.pm
+@@ -118,6 +118,8 @@ sub _verify {
+ my $sigtext   = shift || '';
+ my $plaintext = shift || '';
+ 
++# Avoid loading modules from relative paths in @INC.
++local @INC = grep { File::Spec->file_name_is_absolute($_) } @INC;
+ local $SIGNATURE = $signature if $signature ne $SIGNATURE;
+ 
+ if ($AutoKeyRetrieve and !$CanKeyRetrieve) {
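
Review bot: the comment on the added `local @INC` line in `_verify` mentions only relative paths, but the `grep` passes every entry through `File::Spec->file_name_is_absolute($_)`, so a code-reference or object hook in @INC is stringified, will normally fail the test, and is removed as well for the duration of `_verify`. Please extend the comment to say that @INC hooks are dropped too, so a later reader does not assume they survive the filter.
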
diff --git a/debian/patches/series b/debian/patches/series
index 2b511c0..d2c2a5b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 CVE-2013-2145.patch
 CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch
+CVE-2015-3409.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-perl/packages/libmodule-signature-perl.git

___
Pkg-perl-cvs-commits mailing list
Pkg-perl-cvs-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits


[libmodule-signature-perl] 02/04: Add CVE-2015-3409.patch patch

2015-05-14 Thread Salvatore Bonaccorso
This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch wheezy
in repository libmodule-signature-perl.

commit e3c39dc38b37d675a9d00a07dd5d7a1fc727e71c
Author: Salvatore Bonaccorso 
Date:   Tue May 12 22:44:48 2015 +0200

Add CVE-2015-3409.patch patch

CVE-2015-3409: Module::Signature incorrectly handles module loading
allowing to load modules from relative paths in @INC. A remote attacker
providing a malicious module could use this issue to execute arbitrary
code during signature verification.

Closes: #783451
---
 debian/patches/CVE-2015-3409.patch | 24 
 debian/patches/series  |  1 +
 2 files changed, 25 insertions(+)

diff --git a/debian/patches/CVE-2015-3409.patch 
b/debian/patches/CVE-2015-3409.patch
new file mode 100644
index 000..e0ccb7b
--- /dev/null
+++ b/debian/patches/CVE-2015-3409.patch
@@ -0,0 +1,24 @@
+Description: Fix CVE-2015-3409
+ CVE-2015-3409: Module::Signature incorrectly handles module loading
+ allowing to load modules from relative paths in @INC. A remote attacker
+ providing a malicious module could use this issue to execute arbitrary
+ code during signature verification.
+Origin: upstream, 
https://github.com/audreyt/module-signature/commit/c41e8885b862b9fce2719449bc9336f0bea658ef
+Bug-Debian: https://bugs.debian.org/783451
+Forwarded: not-needed
+Author: Audrey Tang 
+Reviewed-by: Salvatore Bonaccorso 
+Last-Update: 2015-05-12
+Applied-Upstream: 0.75
+
+--- a/lib/Module/Signature.pm
 b/lib/Module/Signature.pm
+@@ -118,6 +118,8 @@ sub _verify {
+ my $sigtext   = shift || '';
+ my $plaintext = shift || '';
+ 
++# Avoid loading modules from relative paths in @INC.
++local @INC = grep { File::Spec->file_name_is_absolute($_) } @INC;
+ local $SIGNATURE = $signature if $signature ne $SIGNATURE;
+ 
+ if ($AutoKeyRetrieve and !$CanKeyRetrieve) {
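
Review bot: the added `local @INC = grep { File::Spec->file_name_is_absolute($_) } @INC;` line depends on File::Spec already being loaded, and nothing in the visible context of `_verify` shows that. Please confirm that Signature.pm has a top-level `use File::Spec;`, or add one. Note also that `local` limits the filter to `_verify` and whatever it calls, so a module load on the verification path that happens before `_verify` is entered would still see the relative entries.
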
diff --git a/debian/patches/series b/debian/patches/series
index 2b511c0..d2c2a5b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 CVE-2013-2145.patch
 CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch
+CVE-2015-3409.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-perl/packages/libmodule-signature-perl.git



[libmodule-signature-perl] 02/04: Add CVE-2015-3409.patch patch

2015-05-14 Thread Salvatore Bonaccorso
This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to annotated tag debian/0.73-1+deb8u1
in repository libmodule-signature-perl.

commit 653af65bcd428f704685a2af8270c2c7ef54d1c2
Author: Salvatore Bonaccorso 
Date:   Tue May 12 22:44:48 2015 +0200

Add CVE-2015-3409.patch patch

CVE-2015-3409: Module::Signature incorrectly handles module loading
allowing to load modules from relative paths in @INC. A remote attacker
providing a malicious module could use this issue to execute arbitrary
code during signature verification.

Closes: #783451
---
 debian/patches/CVE-2015-3409.patch | 25 +
 debian/patches/series  |  1 +
 2 files changed, 26 insertions(+)

diff --git a/debian/patches/CVE-2015-3409.patch 
b/debian/patches/CVE-2015-3409.patch
new file mode 100644
index 000..f3c43fa
--- /dev/null
+++ b/debian/patches/CVE-2015-3409.patch
@@ -0,0 +1,25 @@
+Description: Fix CVE-2015-3409
+ CVE-2015-3409: Module::Signature incorrectly handles module loading
+ allowing to load modules from relative paths in @INC. A remote attacker
+ providing a malicious module could use this issue to execute arbitrary
+ code during signature verification.
+Closes: #783451
+Origin: upstream, 
https://github.com/audreyt/module-signature/commit/c41e8885b862b9fce2719449bc9336f0bea658ef
+Bug-Debian: https://bugs.debian.org/783451
+Forwarded: not-needed
+Author: Audrey Tang 
+Reviewed-by: Salvatore Bonaccorso 
+Last-Update: 2015-05-12
+Applied-Upstream: 0.75
+
+--- a/lib/Module/Signature.pm
 b/lib/Module/Signature.pm
+@@ -118,6 +118,8 @@ sub _verify {
+ my $sigtext   = shift || '';
+ my $plaintext = shift || '';
+ 
++# Avoid loading modules from relative paths in @INC.
++local @INC = grep { File::Spec->file_name_is_absolute($_) } @INC;
+ local $SIGNATURE = $signature if $signature ne $SIGNATURE;
+ 
+ if ($AutoKeyRetrieve and !$CanKeyRetrieve) {
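
Review bot: the `+Closes: #783451` line in the patch header is not a DEP-3 field, and it repeats what the `Bug-Debian: https://bugs.debian.org/783451` line further down the header already records; the closure is also stated in the commit message. Suggest dropping that header line so this copy of the patch matches the 24-line version pushed to the other branches.
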
diff --git a/debian/patches/series b/debian/patches/series
index b503804..01c8f13 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch
+CVE-2015-3409.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-perl/packages/libmodule-signature-perl.git
