Summary: | <dev-perl/Module-Signature-0.720.0: Arbitrary code execution when verifying SIGNATURE (CVE-2013-2145) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | perl |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=971096 | ||
Whiteboard: | B2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2013-06-05 16:58:17 UTC
+ 20 Aug 2013; Sergey Popov <pinkbyte@gentoo.org> + +Module-Signature-0.730.0.ebuild: + Version bump, wrt bug #472428 Arches, please test and mark stable =dev-perl/Module-Signature-0.730.0 Target keywords: amd64 x86 amd64/x86 stable Thanks for your work New GLSA request filed CVE-2013-2145 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2145): The cpansign verify functionality in the Module::Signature module before 0.72 for Perl allows attackers to bypass the signature check and execute arbitrary code via a SIGNATURE file with a "special unknown cipher" that references an untrusted module in Digest/. This issue was resolved and addressed in GLSA 201310-01 at http://security.gentoo.org/glsa/glsa-201310-01.xml by GLSA coordinator Sergey Popov (pinkbyte). |