oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE request: Module::Signature before 0.75 - multiple vulnerabilities

From: cve-assign () mitre org
Date: Thu, 23 Apr 2015 08:20:03 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


This commit fixes three flaws:

https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f



- Module::Signature could be tricked into interpreting the unsigned
portion of a SIGNATURE file as the signed portion due to faulty parsing
of the PGP signature boundaries.


Use CVE-2015-3406.



- When verifying the contents of a CPAN module, Module::Signature
ignored some files in the extracted tarball that were not listed in the
signature file. This included some files in the t/ directory that would
execute automatically during "make test"


Use CVE-2015-3407.



- When generating checksums from the signed manifest, Module::Signature
used two argument open() calls to read the files. This allowed embedding
arbitrary shell commands into the SIGNATURE file that would execute
during the signature verification process.


Use CVE-2015-3408.



This commit fixes one more flaw:

https://github.com/audreyt/module-signature/commit/c41e8885b862b9fce2719449bc9336f0bea658ef

- Several modules were loaded at runtime inside the extracted module
directory. Modules like Text::Diff are not guaranteed to be available on
all platforms and could be added to a malicious module so that they
would load from the '.' path in @INC.


Use CVE-2015-3409.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVOOLtAAoJEKllVAevmvmswjcIAKgDnLpQWI+oCy1HDilIRxG5
4HTYpPclTQIvWG+dC+MxwpfEWRw/iMjPrbG3V9ZUn7y34id5dfMIHkV8d8OHmKp7
yJrR6goHV5BjuonL75buXOR+G60eV7QWz3kIvJ+aar+rLR7inRCeBKAKH3gOezp4
53e+LKCyTozCytBgoog8/X8actbQ6p7DIeNapYEmm/nzCtZo4Y1QX+UkKeLzsVUA
IuqS4cLyoYotzmFGeu8g0fHaIXmpq+qk4iFRfCkSkUg60l2IQuJWXoatXiU5dva9
3y0kdnddgMBoA6XTxpv2rNJ9aH+g7Invioxt1o/dINOj3xk2Jjpb/8y+c1SClqY=
=BTz2
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: