[libmodule-signature-perl] 02/04: Add CVE-2015-3409.patch patch
This is an automated email from the git hooks/post-receive script. santiago pushed a commit to branch squeeze-lts in repository libmodule-signature-perl. commit ddc2764cdc1463cf5ad1ba372f34f781f31ffc66 Author: Salvatore Bonaccorso Date: Tue May 12 22:44:48 2015 +0200 Add CVE-2015-3409.patch patch CVE-2015-3409: Module::Signature incorrectly handles module loading allowing to load modules from relative paths in @INC. A remote attacker providing a malicious module could use this issue to execute arbitrary code during signature verification. Closes: #783451 --- debian/patches/CVE-2015-3409.patch | 24 debian/patches/series | 1 + 2 files changed, 25 insertions(+) diff --git a/debian/patches/CVE-2015-3409.patch b/debian/patches/CVE-2015-3409.patch new file mode 100644 index 000..e0ccb7b --- /dev/null +++ b/debian/patches/CVE-2015-3409.patch @@ -0,0 +1,24 @@ +Description: Fix CVE-2015-3409 + CVE-2015-3409: Module::Signature incorrectly handles module loading + allowing to load modules from relative paths in @INC. A remote attacker + providing a malicious module could use this issue to execute arbitrary + code during signature verification. +Origin: upstream, https://github.com/audreyt/module-signature/commit/c41e8885b862b9fce2719449bc9336f0bea658ef +Bug-Debian: https://bugs.debian.org/783451 +Forwarded: not-needed +Author: Audrey Tang +Reviewed-by: Salvatore Bonaccorso +Last-Update: 2015-05-12 +Applied-Upstream: 0.75 + +--- a/lib/Module/Signature.pm b/lib/Module/Signature.pm +@@ -118,6 +118,8 @@ sub _verify { + my $sigtext = shift || ''; + my $plaintext = shift || ''; + ++# Avoid loading modules from relative paths in @INC. ++local @INC = grep { File::Spec->file_name_is_absolute($_) } @INC; + local $SIGNATURE = $signature if $signature ne $SIGNATURE; + + if ($AutoKeyRetrieve and !$CanKeyRetrieve) { diff --git a/debian/patches/series b/debian/patches/series index 2b511c0..d2c2a5b 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -1,2 +1,3 @@ CVE-2013-2145.patch CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch +CVE-2015-3409.patch -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libmodule-signature-perl.git ___ Pkg-perl-cvs-commits mailing list Pkg-perl-cvs-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits
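Review bot: the added `local @INC = grep { File::Spec->file_name_is_absolute($_) } @INC;` in `_verify` depends on File::Spec being loaded in lib/Module/Signature.pm, and the hunk's context lines do not show a `use File::Spec;`; confirm the module already imports it (File::Spec is core, so a `use File::Spec;` near the top of the file costs nothing), otherwise the filter dies with "Can't locate object method" at verification time instead of hardening it. The `local` scoping is right: the filtered @INC is in effect only for the dynamic extent of `_verify`, which is exactly where the lazily loaded helper modules are required.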
[libmodule-signature-perl] 02/04: Add CVE-2015-3409.patch patch
This is an automated email from the git hooks/post-receive script. carnil pushed a commit to branch wheezy in repository libmodule-signature-perl. commit e3c39dc38b37d675a9d00a07dd5d7a1fc727e71c Author: Salvatore Bonaccorso Date: Tue May 12 22:44:48 2015 +0200 Add CVE-2015-3409.patch patch CVE-2015-3409: Module::Signature incorrectly handles module loading allowing to load modules from relative paths in @INC. A remote attacker providing a malicious module could use this issue to execute arbitrary code during signature verification. Closes: #783451 --- debian/patches/CVE-2015-3409.patch | 24 debian/patches/series | 1 + 2 files changed, 25 insertions(+) diff --git a/debian/patches/CVE-2015-3409.patch b/debian/patches/CVE-2015-3409.patch new file mode 100644 index 000..e0ccb7b --- /dev/null +++ b/debian/patches/CVE-2015-3409.patch @@ -0,0 +1,24 @@ +Description: Fix CVE-2015-3409 + CVE-2015-3409: Module::Signature incorrectly handles module loading + allowing to load modules from relative paths in @INC. A remote attacker + providing a malicious module could use this issue to execute arbitrary + code during signature verification. +Origin: upstream, https://github.com/audreyt/module-signature/commit/c41e8885b862b9fce2719449bc9336f0bea658ef +Bug-Debian: https://bugs.debian.org/783451 +Forwarded: not-needed +Author: Audrey Tang +Reviewed-by: Salvatore Bonaccorso +Last-Update: 2015-05-12 +Applied-Upstream: 0.75 + +--- a/lib/Module/Signature.pm b/lib/Module/Signature.pm +@@ -118,6 +118,8 @@ sub _verify { + my $sigtext = shift || ''; + my $plaintext = shift || ''; + ++# Avoid loading modules from relative paths in @INC. ++local @INC = grep { File::Spec->file_name_is_absolute($_) } @INC; + local $SIGNATURE = $signature if $signature ne $SIGNATURE; + + if ($AutoKeyRetrieve and !$CanKeyRetrieve) { diff --git a/debian/patches/series b/debian/patches/series index 2b511c0..d2c2a5b 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -1,2 +1,3 @@ CVE-2013-2145.patch CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch +CVE-2015-3409.patch -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libmodule-signature-perl.git ___ Pkg-perl-cvs-commits mailing list Pkg-perl-cvs-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits
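Review bot: the grep on `File::Spec->file_name_is_absolute($_)` removes more than relative directories; code references and objects that Perl allows as @INC hooks stringify to something like `CODE(0x...)`, which is never an absolute path, so they are silently dropped for the duration of `_verify`. That is acceptable hardening, but the comment `# Avoid loading modules from relative paths in @INC.` should say so, so a packager debugging a module that is only reachable through such a hook knows why it stopped loading during signature verification.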
[libmodule-signature-perl] 02/04: Add CVE-2015-3409.patch patch
This is an automated email from the git hooks/post-receive script. carnil pushed a commit to annotated tag debian/0.73-1+deb8u1 in repository libmodule-signature-perl. commit 653af65bcd428f704685a2af8270c2c7ef54d1c2 Author: Salvatore Bonaccorso Date: Tue May 12 22:44:48 2015 +0200 Add CVE-2015-3409.patch patch CVE-2015-3409: Module::Signature incorrectly handles module loading allowing to load modules from relative paths in @INC. A remote attacker providing a malicious module could use this issue to execute arbitrary code during signature verification. Closes: #783451 --- debian/patches/CVE-2015-3409.patch | 25 + debian/patches/series | 1 + 2 files changed, 26 insertions(+) diff --git a/debian/patches/CVE-2015-3409.patch b/debian/patches/CVE-2015-3409.patch new file mode 100644 index 000..f3c43fa --- /dev/null +++ b/debian/patches/CVE-2015-3409.patch @@ -0,0 +1,25 @@ +Description: Fix CVE-2015-3409 + CVE-2015-3409: Module::Signature incorrectly handles module loading + allowing to load modules from relative paths in @INC. A remote attacker + providing a malicious module could use this issue to execute arbitrary + code during signature verification. +Closes: #783451 +Origin: upstream, https://github.com/audreyt/module-signature/commit/c41e8885b862b9fce2719449bc9336f0bea658ef +Bug-Debian: https://bugs.debian.org/783451 +Forwarded: not-needed +Author: Audrey Tang +Reviewed-by: Salvatore Bonaccorso +Last-Update: 2015-05-12 +Applied-Upstream: 0.75 + +--- a/lib/Module/Signature.pm b/lib/Module/Signature.pm +@@ -118,6 +118,8 @@ sub _verify { + my $sigtext = shift || ''; + my $plaintext = shift || ''; + ++# Avoid loading modules from relative paths in @INC. ++local @INC = grep { File::Spec->file_name_is_absolute($_) } @INC; + local $SIGNATURE = $signature if $signature ne $SIGNATURE; + + if ($AutoKeyRetrieve and !$CanKeyRetrieve) { diff --git a/debian/patches/series b/debian/patches/series index b503804..01c8f13 100644 --- a/debian/patches/series 
+++ b/debian/patches/series @@ -1 +1,2 @@ CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch +CVE-2015-3409.patch -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libmodule-signature-perl.git ___ Pkg-perl-cvs-commits mailing list Pkg-perl-cvs-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits
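Review bot: the patch header in this variant adds `+Closes: #783451` between the Description block and Origin; `Closes` is not a DEP-3 field and the same bug is already recorded in `Bug-Debian: https://bugs.debian.org/783451`, so drop the extra line (or fold the bug reference into the Description text) to keep the header consistent with the squeeze-lts and wheezy copies of the same patch, which omit it.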