
List:       oss-security
Subject:    [oss-security] Re: CVE request: Module::Signature before 0.75 - multiple vulnerabilities
From:       cve-assign@mitre.org
Date:       2015-04-23 12:20:03
Message-ID: 20150423122003.A1904336004@smtpvbsrv1.mitre.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> This commit fixes three flaws:
> 
> https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f

> - Module::Signature could be tricked into interpreting the unsigned
> portion of a SIGNATURE file as the signed portion due to faulty parsing
> of the PGP signature boundaries.

Use CVE-2015-3406.


> - When verifying the contents of a CPAN module, Module::Signature
> ignored some files in the extracted tarball that were not listed in the
> signature file. This included some files in the t/ directory that would
> execute automatically during "make test".

Use CVE-2015-3407.


> - When generating checksums from the signed manifest, Module::Signature
> used two argument open() calls to read the files. This allowed embedding
> arbitrary shell commands into the SIGNATURE file that would execute
> during the signature verification process.

Use CVE-2015-3408.


> This commit fixes one more flaw:
> 
> https://github.com/audreyt/module-signature/commit/c41e8885b862b9fce2719449bc9336f0bea658ef
> 
> - Several modules were loaded at runtime inside the extracted module
> directory. Modules like Text::Diff are not guaranteed to be available on
> all platforms and could be added to a malicious module so that they
> would load from the '.' path in @INC.

Use CVE-2015-3409.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVOOLtAAoJEKllVAevmvmswjcIAKgDnLpQWI+oCy1HDilIRxG5
4HTYpPclTQIvWG+dC+MxwpfEWRw/iMjPrbG3V9ZUn7y34id5dfMIHkV8d8OHmKp7
yJrR6goHV5BjuonL75buXOR+G60eV7QWz3kIvJ+aar+rLR7inRCeBKAKH3gOezp4
53e+LKCyTozCytBgoog8/X8actbQ6p7DIeNapYEmm/nzCtZo4Y1QX+UkKeLzsVUA
IuqS4cLyoYotzmFGeu8g0fHaIXmpq+qk4iFRfCkSkUg60l2IQuJWXoatXiU5dva9
3y0kdnddgMBoA6XTxpv2rNJ9aH+g7Invioxt1o/dINOj3xk2Jjpb/8y+c1SClqY=
=BTz2
-----END PGP SIGNATURE-----
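The three mechanisms in the quoted report that are easiest to reproduce in isolation are the two-argument open() (CVE-2015-3408), verification that tolerates files absent from the signed manifest (CVE-2015-3407), and a runtime require() that resolves a module from the '.' entry in @INC (CVE-2015-3409). The Perl script below is an added demonstration written for this page; it is not Module::Signature's code and does not reproduce either linked commit. It builds a throwaway distribution in a temporary directory, uses a hypothetical Optional::Helper module as a stand-in for Text::Diff (so the result does not depend on what is installed), and feeds a constructed manifest whose second entry ends in a pipe character. It assumes a Unix /bin/sh and a Perl with the listed core modules.

```perl
#!/usr/bin/env perl
# Added demonstration (not Module::Signature's own code) of three of the flaw
# classes in the quoted report: a two-argument open() that runs a manifest
# entry as a shell pipeline, a tree check that tolerates files missing from
# the signed manifest, and a runtime require() that resolves a module from
# the '.' entry in @INC. All files below are constructed in a temp directory.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Find qw(find);
use File::Path qw(make_path);
use File::Temp qw(tempdir);
use Digest::SHA qw(sha256_hex);

my $orig_cwd = getcwd();
my $dir = tempdir(CLEANUP => 1);
chdir $dir or die "chdir: $!";

# Constructed extracted distribution: one legitimate file, one unlisted test
# script, and a module the attacker ships for the @INC case.
write_file('lib/Good.pm', "package Good; 1;\n");
write_file('t/zz_evil.t', "# would run under 'make test'\n");
write_file('Optional/Helper.pm',   # hypothetical stand-in for e.g. Text::Diff
    "package Optional::Helper; our \$FROM = __FILE__; 1;\n");

# Constructed SIGNATURE-style manifest. The second "filename" ends in "|",
# which is all a two-argument open() needs to treat it as a command.
my @manifest = (
    'lib/Good.pm',
    'echo pwned > OWNED; cat lib/Good.pm |',
);

# --- CVE-2015-3408 class: two-argument vs three-argument open() ------------
sub digest_two_arg_open {       # VULNERABLE: the mode is parsed out of $name
    my ($name) = @_;
    open(my $fh, $name) or return undef;
    local $/; my $data = <$fh>; close $fh;
    return sha256_hex($data);
}

sub digest_three_arg_open {     # HARDENED: explicit mode, $name is only a path
    my ($name) = @_;
    open(my $fh, '<', $name) or return undef;
    local $/; my $data = <$fh>; close $fh;
    return sha256_hex($data);
}

for my $entry (@manifest) {
    unlink 'OWNED';
    my $d = digest_two_arg_open($entry);
    printf "2-arg  %-40s -> %s, OWNED %s\n", $entry,
        defined $d ? substr($d, 0, 12) : 'open failed',
        -e 'OWNED' ? 'CREATED' : 'absent';
    unlink 'OWNED';
    $d = digest_three_arg_open($entry);
    printf "3-arg  %-40s -> %s, OWNED %s\n", $entry,
        defined $d ? substr($d, 0, 12) : 'open failed',
        -e 'OWNED' ? 'CREATED' : 'absent';
}

# --- CVE-2015-3407 class: every file in the tree must be in the manifest ----
sub unlisted_files {
    my ($root, @listed) = @_;
    my %listed = map { $_ => 1 } @listed;
    my @extra;
    find({ no_chdir => 1, wanted => sub {
        return unless -f $File::Find::name;
        (my $rel = $File::Find::name) =~ s{^\Q$root\E/}{};
        push @extra, $rel unless $listed{$rel};
    } }, $root);
    return sort @extra;   # anything here must fail verification, not be skipped
}
print "unlisted: $_\n" for unlisted_files('.', 'lib/Good.pm');

# --- CVE-2015-3409 class: '.' in @INC resolves a module the platform lacks --
# Perl before 5.26 put '.' at the end of @INC by default, so a module that is
# not installed is found in the extracted distribution's own directory.
sub load_helper {
    my ($with_dot) = @_;
    local @INC = $with_dot ? (@INC, '.') : grep { $_ ne '.' } @INC;
    local %INC = %INC;               # forget any earlier load of the module
    return eval { require Optional::Helper; $INC{'Optional/Helper.pm'} }
        // "not loaded: " . substr($@, 0, 40);
}
print "with '.' in \@INC:    ", load_helper(1), "\n";
print "without '.' in \@INC: ", load_helper(0), "\n";

chdir $orig_cwd;

sub write_file {
    my ($path, $content) = @_;
    (my $parent = $path) =~ s{/[^/]*$}{};
    make_path($parent) if $parent ne $path;
    open(my $fh, '>', $path) or die "$path: $!";
    print $fh $content;
    close $fh;
}
```

Run as-is, the script prints "OWNED CREATED" only for the two-argument open() on the pipe entry (the three-argument form simply fails to open a file of that name), lists Optional/Helper.pm and t/zz_evil.t as unlisted, and shows the helper resolving to ./Optional/Helper.pm only while '.' is in @INC. The corresponding hardening is the three-argument open(), treating any unlisted file as a verification failure rather than ignoring it, and not loading optional modules with '.' on the search path.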