[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] Re: CVE request: Module::Signature before 0.75 - multiple vulnerabilities
From: cve-assign () mitre ! org
Date: 2015-04-23 12:20:03
Message-ID: 20150423122003.A1904336004 () smtpvbsrv1 ! mitre ! org
[Download RAW message or body]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> This commit fixes three flaws:
>
> https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f
> - Module::Signature could be tricked into interpreting the unsigned
> portion of a SIGNATURE file as the signed portion due to faulty parsing
> of the PGP signature boundaries.
Use CVE-2015-3406.
> - When verifying the contents of a CPAN module, Module::Signature
> ignored some files in the extracted tarball that were not listed in the
> signature file. This included some files in the t/ directory that would
> execute automatically during "make test"
Use CVE-2015-3407.
> - When generating checksums from the signed manifest, Module::Signature
> used two argument open() calls to read the files. This allowed embedding
> arbitrary shell commands into the SIGNATURE file that would execute
> during the signature verification process.
Use CVE-2015-3408.
> This commit fixes one more flaw:
>
> https://github.com/audreyt/module-signature/commit/c41e8885b862b9fce2719449bc9336f0bea658ef
>
> - Several modules were loaded at runtime inside the extracted module
> directory. Modules like Text::Diff are not guaranteed to be available on
> all platforms and could be added to a malicious module so that they
> would load from the '.' path in @INC.
Use CVE-2015-3409.
- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)
iQEcBAEBAgAGBQJVOOLtAAoJEKllVAevmvmswjcIAKgDnLpQWI+oCy1HDilIRxG5
4HTYpPclTQIvWG+dC+MxwpfEWRw/iMjPrbG3V9ZUn7y34id5dfMIHkV8d8OHmKp7
yJrR6goHV5BjuonL75buXOR+G60eV7QWz3kIvJ+aar+rLR7inRCeBKAKH3gOezp4
53e+LKCyTozCytBgoog8/X8actbQ6p7DIeNapYEmm/nzCtZo4Y1QX+UkKeLzsVUA
IuqS4cLyoYotzmFGeu8g0fHaIXmpq+qk4iFRfCkSkUg60l2IQuJWXoatXiU5dva9
3y0kdnddgMBoA6XTxpv2rNJ9aH+g7Invioxt1o/dINOj3xk2Jjpb/8y+c1SClqY=
=BTz2
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic