From ${URL} :

A new version of Module::Signature was released to fix multiple vulnerabilities. Module::Signature is used by most CPAN clients to validate PAUSE GPG signature files on the CPAN mirrors and GPG signature files inside individual Perl module tarballs.

The changelog for the 0.75 version is here: https://metacpan.org/changes/distribution/Module-Signature

This commit fixes three flaws: https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f

- Module::Signature could be tricked into interpreting the unsigned portion of a SIGNATURE file as the signed portion due to faulty parsing of the PGP signature boundaries.
- When verifying the contents of a CPAN module, Module::Signature ignored some files in the extracted tarball that were not listed in the signature file. This included some files in the t/ directory that would execute automatically during "make test".
- When generating checksums from the signed manifest, Module::Signature used two-argument open() calls to read the files. This allowed embedding arbitrary shell commands into the SIGNATURE file that would execute during the signature verification process.

This commit fixes one more flaw: https://github.com/audreyt/module-signature/commit/c41e8885b862b9fce2719449bc9336f0bea658ef

- Several modules were loaded at runtime inside the extracted module directory. Modules like Text::Diff are not guaranteed to be available on all platforms and could be added to a malicious module so that they would load from the '.' path in @INC.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
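The following is an added example, not Module::Signature's or Gentoo's own code, showing the hardened shape of the three fixes the report describes that a verifier can apply on its own side: three-argument open() when hashing manifest entries, a check that no file in the extracted tree escapes the signed manifest, and dropping '.' from @INC before anything is loaded. It assumes only the core modules Digest::SHA and File::Find, a simplified manifest (a list of relative file names) and a constructed manifest list in the usage at the end.

```perl
#!/usr/bin/perl
# Added illustration (not Module::Signature's code) of the hardened
# checksum and manifest checks described in the Module::Signature 0.75 fix.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);   # core module, assumed available
use File::Find;

# '.'-in-@INC flaw: never resolve modules from the current directory while
# working inside an untrusted, freshly extracted tarball.
BEGIN { @INC = grep { $_ ne '.' } @INC }

# Digest every file named in the (already signature-checked) manifest.
# Two-argument open($fh, $name) interprets '|', '>' and friends inside $name
# as a mode or a pipe; the three-argument form opens $name literally.
sub manifest_digests {
    my ($entries) = @_;    # arrayref of relative file names from the manifest
    my %digest;
    for my $name (@$entries) {
        # Defence in depth: reject names that leave the tree or carry mode/pipe
        # characters, so a hostile manifest entry fails loudly instead of quietly.
        die "suspicious manifest entry: $name\n"
            if $name =~ m{^/|(^|/)\.\.(/|$)|[|<>\0]};
        open my $fh, '<:raw', $name or die "cannot open $name: $!\n";
        local $/;                      # slurp the whole file
        $digest{$name} = sha256_hex(<$fh>);
        close $fh;
    }
    return \%digest;
}

# "Ignored unlisted files" flaw: every regular file under the extracted tree
# must be covered by the manifest, otherwise an unsigned t/*.t could slip in.
sub unlisted_files {
    my ($root, $entries) = @_;
    my %listed = map { $_ => 1 } @$entries;
    my @extra;
    find({ no_chdir => 1, wanted => sub {
        return unless -f $File::Find::name;
        (my $rel = $File::Find::name) =~ s{^\Q$root\E/?}{};
        push @extra, $rel unless $listed{$rel};
    } }, $root);
    return \@extra;
}

# Usage on an extracted tree; the manifest list here is constructed.
my @manifest = qw(MANIFEST Makefile.PL lib/Foo.pm);
my $extra = unlisted_files('.', \@manifest);
die "files not covered by the signature: @$extra\n" if @$extra;
my $sums = manifest_digests(\@manifest);
print "$sums->{$_}  $_\n" for sort keys %$sums;
```

Run it from the top of an extracted distribution; it exits non-zero on unsigned extra files or on a manifest entry that is not a plain relative path.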
+*Module-Signature-0.770.0 (08 Apr 2015) + + 08 Apr 2015; Patrice Clement <monsieurp@gentoo.org> + +Module-Signature-0.770.0.ebuild: + Version bump to 0.77. Fix security bug 545946. Not sure about stabilising the package. Let's wait for someone else to sign off on it (dilfridge/zlogene?).
CVE-2015-3409 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3409): Untrusted search path vulnerability in Module::Signature before 0.75 allows local users to gain privileges via a Trojan horse module under the current working directory, as demonstrated by a Trojan horse Text::Diff module.

CVE-2015-3408 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3408): Module::Signature before 0.74 allows remote attackers to execute arbitrary shell commands via a crafted SIGNATURE file which is not properly handled when generating checksums from a signed manifest.

CVE-2015-3407 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3407): Module::Signature before 0.74 allows remote attackers to bypass signature verification for files via a signature file that does not list the files.
Arch teams,

Please stabilise: =dev-perl/Module-Signature-0.770.0
Target arches: amd64 x86

Thanks.
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
+ 15 Jun 2015; Patrice Clement <monsieurp@gentoo.org> + -Module-Signature-0.730.0.ebuild: + Remove old. +
Arches and Maintainer(s), Thank you for your work. GLSA Vote: No
GLSA vote: no.