[SECURITY] [DLA 264-1] libmodule-signature-perl security update

[news 28]

Package : libmodule-signature-perl

Version : 0.63-1+squeeze2

CVE ID : CVE-2015-3406 CVE-2015-3407 CVE-2015-3408 CVE-2015-3409

Debian Bug : 783451

 

John Lightsey discovered multiple vulnerabilities in Module::Signature,

a Perl module to manipulate CPAN SIGNATURE files. The Common

Vulnerabilities and Exposures project identifies the following problems:

 

CVE-2015-3406

 

Module::Signature could parse the unsigned portion of the SIGNATURE

file as the signed portion due to incorrect handling of PGP signature

boundaries.

 

CVE-2015-3407

 

Module::Signature incorrectly handled files that are not listed in

the SIGNATURE file. This includes some files in the t/ directory

that would execute when tests are run.

 

CVE-2015-3408

 

Module::Signature used two argument open() calls to read the files

when generating checksums from the signed manifest. This allowed to

embed arbitrary shell commands into the SIGNATURE file that would be

executed during the signature verification process.

 

CVE-2015-3409

 

Module::Signature incorrectly handled module loading, allowing to

load modules from relative paths in ( -at -) INC. A remote attacker

providing a malicious module could use this issue to execute

arbitrary code during signature verification.

 

For the squeeze distribution, these issues have been fixed in version

0.63-1+squeeze2 of libmodule-signature-perl. Please note that the

libtest-signature-perl package was also updated for compatibility with

the CVE-2015-3407 fix.

 

We recommend that you upgrade your libmodule-signature-perl and

libtest-signature-perl packages.