Bug 545946 (CVE-2015-3406) - <dev-perl/Module-Signature-0.770.0: multiple vulnerabilities (CVE-2015-{3406,3407,3408,3409})
Status: RESOLVED FIXED
Alias: CVE-2015-3406
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa]
Reported: 2015-04-08 10:03 UTC by Agostino Sarubbo
Modified: 2015-06-16 10:39 UTC
Description Agostino Sarubbo gentoo-dev 2015-04-08 10:03:04 UTC
From ${URL} :

A new version of Module::Signature was released to fix multiple
vulnerabilities. Module::Signature is used by most CPAN clients to
validate PAUSE GPG signature files on the CPAN mirrors and GPG signature
files inside individual Perl module tarballs.

The changelog for the 0.75 version is here:

https://metacpan.org/changes/distribution/Module-Signature

This commit fixes three flaws:

https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f

- Module::Signature could be tricked into interpreting the unsigned
portion of a SIGNATURE file as the signed portion due to faulty parsing
of the PGP signature boundaries.

- When verifying the contents of a CPAN module, Module::Signature
ignored some files in the extracted tarball that were not listed in the
signature file. This included some files in the t/ directory that would
execute automatically during "make test".

- When generating checksums from the signed manifest, Module::Signature
used two argument open() calls to read the files. This allowed embedding
arbitrary shell commands into the SIGNATURE file that would execute
during the signature verification process.

This commit fixes one more flaw:

https://github.com/audreyt/module-signature/commit/c41e8885b862b9fce2719449bc9336f0bea658ef

- Several modules were loaded at runtime inside the extracted module
directory. Modules like Text::Diff are not guaranteed to be available on
all platforms and could be added to a malicious module so that they
would load from the '.' path in @INC.
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
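The second and third flaws in the description (unlisted files silently ignored, and two-argument open() turning a manifest entry into a shell pipe) come down to how the manifest is walked. The following is an added Perl example, not Module::Signature's own code: it assumes a simplified "SHA1 <hex> <path>" manifest line format and shows a checker that validates each name, opens files with the three-argument open(), and reports every file on disk that the manifest does not cover.

```perl
# Added example, not Module::Signature's own code: a hardened manifest
# check.  Names are validated and files are opened with three-argument
# open(), so an entry can never be read as a pipe; files on disk that the
# manifest does not list are reported rather than ignored.
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);
use File::Find qw(find);
use File::Spec;

# Accept only plain relative paths: no pipe or redirection characters,
# no control characters, no absolute paths, no ".." components.
sub safe_relative_path {
    my ($name) = @_;
    return 0 if $name =~ /[|<>\x00-\x1f]/;
    return 0 if File::Spec->file_name_is_absolute($name);
    return 0 if grep { $_ eq '..' } File::Spec->splitdir($name);
    return 1;
}

# Returns a list of problem strings; an empty list means the tree matches.
sub verify_tree {
    my ($dir, $manifest) = @_;    # $manifest: text in "SHA1 <hex> <path>" form (assumed)
    my (%expected, @problems);
    for my $line (split /\n/, $manifest) {
        next unless $line =~ /^SHA1\s+([0-9a-f]{40})\s+(.+?)\s*$/;
        my ($hex, $name) = ($1, $2);
        if (safe_relative_path($name)) { $expected{$name} = $hex }
        else { push @problems, "unsafe manifest entry: $name" }
    }
    for my $name (sort keys %expected) {
        my $path = File::Spec->catfile($dir, $name);
        # Explicit '<' mode: $path is only ever treated as a filename.
        open(my $fh, '<', $path) or do { push @problems, "missing: $name"; next };
        binmode $fh;
        my $actual = sha1_hex(do { local $/; <$fh> } // '');
        close $fh;
        push @problems, "checksum mismatch: $name" if $actual ne $expected{$name};
    }
    # Anything under $dir that the signed manifest does not cover is flagged.
    find({ no_chdir => 1, wanted => sub {
        return unless -f $File::Find::name;
        my $rel = File::Spec->abs2rel($File::Find::name, $dir);
        return if $rel eq 'SIGNATURE';    # the manifest file itself
        push @problems, "not in manifest: $rel" unless exists $expected{$rel};
    } }, $dir);
    return @problems;
}
```

Call verify_tree with the extracted distribution directory and the manifest text; any returned entry (unsafe name, checksum mismatch, missing or unlisted file) is a reason to refuse the distribution before "make test" ever runs.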
Comment 1 Patrice Clement gentoo-dev 2015-04-08 15:41:51 UTC
+*Module-Signature-0.770.0 (08 Apr 2015)
+
+  08 Apr 2015; Patrice Clement <monsieurp@gentoo.org>
+  +Module-Signature-0.770.0.ebuild:
+  Version bump to 0.77. Fix security bug 545946.

Not sure about stabilising the package. Let's wait for someone else to sign off on it (dilfridge/zlogene?).
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-06-14 20:25:29 UTC
CVE-2015-3409 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3409):
  Untrusted search path vulnerability in Module::Signature before 0.75 allows
  local users to gain privileges via a Trojan horse module under the current
  working directory, as demonstrated by a Trojan horse Text::Diff module.

CVE-2015-3408 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3408):
  Module::Signature before 0.74 allows remote attackers to execute arbitrary
  shell commands via a crafted SIGNATURE file which is not properly handled
  when generating checksums from a signed manifest.

CVE-2015-3407 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3407):
  Module::Signature before 0.74 allows remote attackers to bypass signature
  verification for files via a signature file that does not list the files.
Comment 3 Patrice Clement gentoo-dev 2015-06-14 22:49:45 UTC
Arch teams,

Please stabilise:
=dev-perl/Module-Signature-0.770.0

Target arches:
amd64 x86

Thanks.
Comment 4 Agostino Sarubbo gentoo-dev 2015-06-15 08:12:05 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-06-15 08:13:02 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 Patrice Clement gentoo-dev 2015-06-15 08:21:15 UTC
+  15 Jun 2015; Patrice Clement <monsieurp@gentoo.org>
+  -Module-Signature-0.730.0.ebuild:
+  Remove old.
+
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2015-06-16 03:07:40 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-06-16 10:39:50 UTC
GLSA vote: no.