oss-sec mailing list archives

Re: CVE-2013-2145: perl Module::Signature code execution vulnerability


From: 唐鳳 <audreyt () audreyt org>
Date: Thu, 6 Jun 2013 02:42:10 +0800

Russ Allbery <rra () stanford edu> wrote on 2013/6/6 at 2:24 AM:
> Speaking as a CPAN author, the second would be awesome.  For bonus points,
> once one registers a key with CPAN, CPAN could then even check one's
> uploads and disallow uploads that aren't signed with the proper key.

Indeed. Note the main design & work for the module was done ~10 years ago, so my recollection is a bit fuzzy, but the module was designed such that it allows this invocation against a hypothetical CPAN OpenPGP server:

    env MODULE_SIGNATURE_KEYSERVER=pgp.cpan.org cpansign verify

At that time PAUSE (the CPAN upload server) was not yet made public, and there were insufficient rounds of tuits to implement this feature as part of my TPF 2003 grant.

Now that the PAUSE codebase has been released on GitHub since 2010, one can imagine adding a PGP import functionality into it. That'd be _awesome_.

Cheers,
Audrey
