This is an automated email from the git hooks/post-receive script. santiago pushed a commit to branch squeeze-lts in repository libmodule-signature-perl.
commit d071e946422a3e9109bbd24a814db1ad770efce4
Author: Santiago Ruano Rincón <santi...@debian.org>
Date: Mon Jun 29 17:17:41 2015 +0200
Backport CVE-2015-3406_CVE-2015-3407_CVE-2015-3408 to squeeze
---
...CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch | 59 +++++++++++++---------
1 file changed, 36 insertions(+), 23 deletions(-)
diff --git a/debian/patches/CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch b/debian/patches/CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch
index 80f996f..7af1eab 100644
--- a/debian/patches/CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch
+++ b/debian/patches/CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch
@@ -21,35 +21,48 @@ Applied-Upstream: 0.75
 --- a/Makefile.PL
 +++ b/Makefile.PL
-@@ -9,6 +9,7 @@ readme_from 'lib/Module/Signature.pm
+@@ -9,6 +9,7 @@ repository 'http://github.com/audreyt/module-signature';
 install_script 'script/cpansign';
- build_requires 'Test::More', 0, 'IPC::Run', 0;
+ build_requires 'Test::More';
 +requires 'File::Temp';
 # On Win32 (excluding cygwin) we know that IO::Socket::INET,
 # which is needed for keyserver stuff, doesn't work. In fact
 --- a/lib/Module/Signature.pm
+++ b/lib/Module/Signature.pm -@@ -57,6 +57,8 @@ sub _cipher_map { - my @lines = split /\015?\012/, $sigtext; - my %map; - for my $line (@lines) { -+ last if $line eq '-----BEGIN PGP SIGNATURE-----'; -+ next if $line =~ /^---/ .. $line eq ''; - my($cipher,$digest,$file) = split " ", $line, 3; - return unless defined $file; - $map{$file} = [$cipher, $digest]; -@@ -65,7 +67,7 @@ sub _cipher_map { - } - +@@ -52,8 +52,20 @@ + $AutoKeyRetrieve = 1; + $CanKeyRetrieve = undef; + ++sub _cipher_map { ++ my($sigtext) = @_; ++ my @lines = split /\015?\012/, $sigtext; ++ my %map; ++ for my $line (@lines) { ++ my($cipher,$digest,$file) = split " ", $line, 3; ++ return unless defined $file; ++ $map{$file} = [$cipher, $digest]; ++ } ++ return \%map; ++} ++ sub verify { - my %args = ( skip => 1, @_ ); + my %args = ( @_ ); my $rv; (-r $SIGNATURE) or do { -@@ -177,6 +179,11 @@ sub _fullcheck { +@@ -66,7 +78,7 @@ + return SIGNATURE_MALFORMED; + }; + +- (my ($cipher) = ($sigtext =~ /^(\w+) /)) or do { ++ (my ($cipher) = _cipher_map($sigtext)) or do { + warn "==> MALFORMED Signature file! <==\n"; + return SIGNATURE_MALFORMED; + }; +@@ -160,6 +172,11 @@ ($mani, $file) = ExtUtils::Manifest::fullcheck(); } else { @@ -61,7 +74,7 @@ Applied-Upstream: 0.75 ($mani, $file) = ExtUtils::Manifest::fullcheck(); } -@@ -222,6 +229,11 @@ sub _verify_gpg { +@@ -199,6 +216,11 @@ my $keyserver = _keyserver($version); @@ -73,7 +86,7 @@ Applied-Upstream: 0.75 my @quiet = $Verbose ? () : qw(-q --logger-fd=1); my @cmd = ( qw(gpg --verify --batch --no-tty), @quiet, ($KeyServer ? ( -@@ -229,7 +241,7 @@ sub _verify_gpg { +@@ -206,7 +228,7 @@ ($AutoKeyRetrieve and $version ge '1.0.7') ? '--keyserver-options=auto-key-retrieve' : () @@ -82,7 +95,7 @@ Applied-Upstream: 0.75 ); my $output = ''; -@@ -241,6 +253,7 @@ sub _verify_gpg { +@@ -218,6 +240,7 @@ my $cmd = join ' ', @cmd; $output = `$cmd`; } 
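Review bot: The `_cipher_map` added in the new `@@ -52,8 +52,20 @@` hunk for lib/Module/Signature.pm drops the two guards the previous version of this patch carried (`-+ last if $line eq '-----BEGIN PGP SIGNATURE-----';` and `-+ next if $line =~ /^---/ .. $line eq '';`), so the loop now feeds every line of `$sigtext` straight into `split " ", $line, 3`. Whether that is safe depends on what the squeeze `_read_sigfile` hands to `verify` as `$sigtext`, which this diff shows only as a renumbered hunk header (`@@ -269,32 +292,35 @@`): if the cleartext `-----BEGIN PGP SIGNED MESSAGE-----`/`Hash:` header lines are included, `return unless defined $file` fires on them and every SIGNATURE file is reported MALFORMED by the `_cipher_map($sigtext)` call site; if text after the signed block is included, it would be accepted as digest entries, which is the class of problem the dropped guards addressed. I would restore the two guards at the top of the loop body, `last if $line eq '-----BEGIN PGP SIGNATURE-----';` and `next if $line =~ /^---/ .. $line eq '';`, since they are no-ops on already-trimmed input, or state in the patch header why the squeeze `_read_sigfile` makes them unnecessary. A smaller point: `(my ($cipher) = _cipher_map($sigtext))` now stores the returned hash reference in a scalar still named `$cipher`; renaming it to `$cipher_map` (with its later uses outside this hunk updated) would stop it reading as the old single cipher string.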
@@ -90,7 +103,7 @@ Applied-Upstream: 0.75 if( $? ) { print STDERR $output; -@@ -269,7 +282,7 @@ sub _verify_crypt_openpgp { +@@ -246,7 +269,7 @@ my $pgp = Crypt::OpenPGP->new( ($KeyServer) ? ( KeyServer => $KeyServer, AutoKeyRetrieve => $AutoKeyRetrieve ) : (), ); @@ -99,7 +112,7 @@ Applied-Upstream: 0.75 or die $pgp->errstr; return SIGNATURE_BAD if (!$rv->{Validity} and $AutoKeyRetrieve); -@@ -292,32 +305,35 @@ sub _read_sigfile { +@@ -269,32 +292,35 @@ my $well_formed; local *D; @@ -142,7 +155,7 @@ Applied-Upstream: 0.75 return $ok if $str1 eq $str2; -@@ -328,7 +344,7 @@ sub _compare { +@@ -305,7 +331,7 @@ } else { local (*D, *S); @@ -151,7 +164,7 @@ Applied-Upstream: 0.75 open D, "| diff -u $SIGNATURE -" or (warn "Could not call diff: $!", return SIGNATURE_MISMATCH); while (<S>) { print D $_ if (1 .. /^-----BEGIN PGP SIGNED MESSAGE-----/); -@@ -391,9 +407,9 @@ sub _sign_gpg { +@@ -368,9 +394,9 @@ die "Cannot find $sigfile.tmp, signing aborted.\n"; }; @@ -163,7 +176,7 @@ Applied-Upstream: 0.75 unlink "$sigfile.tmp"; die "Could not write to $sigfile: $!"; }; -@@ -576,7 +592,7 @@ sub _mkdigest_files { +@@ -531,7 +557,7 @@ } else { local *F; -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libmodule-signature-perl.git _______________________________________________ Pkg-perl-cvs-commits mailing list Pkg-perl-cvs-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits