-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3261-2 security@xxxxxxxxxx http://www.debian.org/security/ Salvatore Bonaccorso May 20, 2015 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : libmodule-signature-perl Debian Bug : 785701 The update for libmodule-signature-perl issued as DSA-3261-1 introduced a regression in the handling of the --skip option of cpansign. Updated packages are now available to address this regression. For reference, the original advisory text follows. Multiple vulnerabilities were discovered in libmodule-signature-perl, a Perl module to manipulate CPAN SIGNATURE files. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2015-3406 John Lightsey discovered that Module::Signature could parses the unsigned portion of the SIGNATURE file as the signed portion due to incorrect handling of PGP signature boundaries. CVE-2015-3407 John Lightsey discovered that Module::Signature incorrectly handles files that are not listed in the SIGNATURE file. This includes some files in the t/ directory that would execute when tests are run. CVE-2015-3408 John Lightsey discovered that Module::Signature uses two argument open() calls to read the files when generating checksums from the signed manifest. This allows to embed arbitrary shell commands into the SIGNATURE file that would execute during the signature verification process. CVE-2015-3409 John Lightsey discovered that Module::Signature incorrectly handles module loading, allowing to load modules from relative paths in @INC. A remote attacker providing a malicious module could use this issue to execute arbitrary code during signature verification. For the oldstable distribution (wheezy), this problem has been fixed in version 0.68-1+deb7u3. For the stable distribution (jessie), this problem has been fixed in version 0.73-1+deb8u2. For the unstable distribution (sid), this problem has been fixed in version 0.79-1. We recommend that you upgrade your libmodule-signature-perl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJVXO14AAoJEAVMuPMTQ89EAmIP/2BLQo6jaEL2pgzgMb9nPzbU zWCjxU01ZMcmaTL4HE64kF2xC/pGr4g8nH0VLIQVqOnb0/P65PjmBiesgy9T9mR7 qMlLRS/wdrMAEz18+kneTfFYqB9lJ4EWP8SlxDvsN0ArVixNdsif5DGZTDH36DKy f6dbbxIV3bMCgyuLtn4UDzScOjPNxivZOYmmrOnWl5DpHy+oahKbwsufSH7eykVG ubcVTyYVIaA2BehjtTIuBWOGR/8baL/AX55Q+iTQ0sfvw4BT3A4lN+lqEJmF5IMs pcwDou3+CVWAF2ADw/ftG7f4Ds8j8mMe/7sEzjvBnm9C7YrHC1dDo2w2VIIUleFs KbdYMex6ldVy/eh5yAJc4tl0s6QWTonHQJiyMyC7pI6iaHeUPDCICA83iQlV8SyV aR0vCi7mrkupDQqu9gG6Hs6YzeyY0kDxTE8qu7W4BklAF6NCWp75PkrW3ieMsIZg nvlIFfFn1k+n4kR9G0elgPSl8yw/dzhyStQlBl1HauF4ibAspG9ppu7iss4CqHf+ VHz27nfl/ry23BcMXCPzMTfv4f9nCEA34YAB3tDBuMlDD56WAMDHRNCR6QkKwTs1 D4ffp/QubTx3Ijom0g2aF/5zWn9ez6z9j0BqWGExqgVqkRyC8veaiRxhF7+YwSge VwA3wV8gWC3gkYYZ8M97 =wjQy -----END PGP SIGNATURE-----
