[libmodule-metadata-perl] 01/03: Add CVE-2013-1437-documentation-fix.patch patch

Salvatore Bonaccorso carnil at debian.org
Tue Sep 3 18:44:57 UTC 2013


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch wheezy
in repository libmodule-metadata-perl.

commit e4a18d075b7e209e8df3bd071ea20ee3d833b747
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Tue Sep 3 19:23:35 2013 +0200

    Add CVE-2013-1437-documentation-fix.patch patch
    
    Addresses CVE-2013-1437 as (serious) documentation bug: Module::Metadata
    executes code when gathering metadata about a module by design. In
    versions previous to 1.000015 the documentation stated, however, that
    Module::Metadata provides a standard way to gather metadata about a .pm
    file without executing unsafe code.
---
 .../patches/CVE-2013-1437-documentation-fix.patch  |   28 ++++++++++++++++++++
 debian/patches/series                              |    1 +
 2 files changed, 29 insertions(+)

diff --git a/debian/patches/CVE-2013-1437-documentation-fix.patch b/debian/patches/CVE-2013-1437-documentation-fix.patch
new file mode 100644
index 0000000..80ee71a
--- /dev/null
+++ b/debian/patches/CVE-2013-1437-documentation-fix.patch
@@ -0,0 +1,28 @@
+Description: Fix serious documentation bug aboute statement of execution of unsafe code
+ Addresses CVE-2013-1437 as (serious) documentation bug:
+ Module::Metadata executes code when gathering metadata about a module
+ by design. In versions previous to (upstream) 1.000015 the
+ documentation stated, however, that Module::Metadata provides a
+ standard way to gather metadata about a .pm file without executing
+ unsafe code.
+Origin: upstream, http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=p5sagit/Module-Metadata.git;a=commitdiff;h=c0278e58ecbced5d852526c1c5d088c8df6ba618
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2013-09-03
+Applied-Upstream: 1.000015
+
+--- a/lib/Module/Metadata.pm
++++ b/lib/Module/Metadata.pm
+@@ -719,8 +719,10 @@
+ 
+ =head1 DESCRIPTION
+ 
+-This module provides a standard way to gather metadata about a .pm file
+-without executing unsafe code.
++This module provides a standard way to gather metadata about a .pm file through
++(mostly) static analysis and (some) code execution.  When determining the
++version of a module, the C<$VERSION> assignment is C<eval>ed, as is traditional
++in the CPAN toolchain.
+ 
+ =head1 USAGE
+ 
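Review bot: the DEP-3 `Description:` line at the top of this hunk has a typo ("aboute" for "about"), and the replacement DESCRIPTION text would benefit from one more sentence making the consequence explicit for callers: since the `C<$VERSION>` assignment is `C<eval>`ed, gathering metadata from a .pm file that is not trusted means executing whatever that assignment contains, so the module should only be pointed at trusted sources. Worth noting for the changelog as well that this patch changes only the documentation and not the behaviour, so users on wheezy who run it over untrusted files get the corrected warning but no additional mitigation; the `@@ -719,8 +719,10 @@` counts themselves are consistent with the two removed and four added lines.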
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..91b8600
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2013-1437-documentation-fix.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libmodule-metadata-perl.git
