[libmodule-signature-perl] 01/01: Imported Debian patch 0.63-1+squeeze2
Salvatore Bonaccorso
carnil at debian.org
Wed Jul 1 12:18:28 UTC 2015
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch squeeze-lts
in repository libmodule-signature-perl.
commit dc9e2d17c8b2ab813479725de56b85870cfde32a
Merge: f3c139b 7340d85
Author: Santiago Ruano Rincón <santiagorr at riseup.net>
Date: Wed Jul 1 12:20:06 2015 +0200
Imported Debian patch 0.63-1+squeeze2
debian/changelog | 22 +++++++++++++
...CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch | 36 ++++++++++++++--------
debian/patches/CVE-2015-3409.patch | 2 +-
3 files changed, 47 insertions(+), 13 deletions(-)
diff --cc debian/changelog
index 9e4b80f,0000000..f95e9fd
mode 100644,000000..100644
--- a/debian/changelog
+++ b/debian/changelog
@@@ -1,150 -1,0 +1,172 @@@
++libmodule-signature-perl (0.63-1+squeeze2) squeeze-lts; urgency=medium
++
++ * Non-maintainer upload by the Squeeze LTS team.
++ * Add CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch.
++ CVE-2015-3406: Module::Signature parses the unsigned portion of the
++ SIGNATURE file as the signed portion due to incorrect handling of PGP
++ signature boundaries.
++ CVE-2015-3407: Module::Signature incorrectly handles files that are not
++ listed in the SIGNATURE file. This includes some files in the t/
++ directory that would execute when tests are run.
++ CVE-2015-3408: Module::Signature uses two argument open() calls to read
++ the files when generating checksums from the signed manifest, allowing
++ to embed arbitrary shell commands into the SIGNATURE file that would
++ execute during the signature verification process.
++ * Add CVE-2015-3409.patch.
++ CVE-2015-3409: Module::Signature incorrectly handles module loading
++ allowing to load modules from relative paths in @INC. A remote attacker
++ providing a malicious module could use this issue to execute arbitrary
++ code during signature verification.
++
++ -- Santiago Ruano Rincón <santiagorr at riseup.net> Wed, 01 Jul 2015 12:20:06 +0200
++
+libmodule-signature-perl (0.63-1+squeeze1) squeeze; urgency=low
+
+ * Team upload.
+ * Add CVE-2013-2145.patch.
+ CVE-2013-2145: Fixes arbitrary code execution when verifying SIGNATURE.
+ (Closes: #711239)
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Tue, 18 Jun 2013 23:25:09 +0200
+
+libmodule-signature-perl (0.63-1) unstable; urgency=low
+
+ [ Jonathan Yu ]
+ * New upstream release
+ * No longer needs --with quilt
+ * Update copyright information
+
+ [ Krzysztof Krzyżaniak (eloy) ]
+ * New upstream release
+ * debian/control: update Standards-Version to 3.8.4 without any changes
+ * debian/copyright: update dates
+ * debian/source/format: created with value "3.0 (quilt)"
+ * debian/README.source removed since new package type
+ * debian/patches: removed, fixed upstream
+
+ -- Jonathan Yu <jawnsy at cpan.org> Wed, 07 Apr 2010 12:14:53 -0400
+
+libmodule-signature-perl (0.61-1) unstable; urgency=low
+
+ [ Jonathan Yu ]
+ * New upstream release
+ * Use new short debhelper rules format
+ * Add myself to Uploaders and Copyright
+ * Rewrite control description
+ * Update copyright information (we're now using CC0)
+ * Upgrade to debhelper 7.2.13 (for Module::AutoInstall)
+ * Refresh keyserver.patch; add header
+ * Remove unnecessary build dependencies
+
+ [ gregor herrmann ]
+ * Add debian/README.source to document quilt usage, as required by
+ Debian Policy since 3.8.0.
+ * debian/control: Changed: Switched Vcs-Browser field to ViewSVN
+ (source stanza).
+ * debian/control: Added: ${misc:Depends} to Depends: field.
+ * Change my email address.
+
+ [ Nathan Handler ]
+ * debian/watch: Update to ignore development releases.
+
+ -- Jonathan Yu <jawnsy at cpan.org> Mon, 30 Nov 2009 15:57:30 -0500
+
+libmodule-signature-perl (0.55-2) unstable; urgency=low
+
+ * debian/control: Added: Vcs-Svn field (source stanza); Vcs-Browser
+ field (source stanza); Homepage field (source stanza). Removed: XS-
+ Vcs-Svn fields.
+ * debian/rules:
+ - delete /usr/lib/perl5 only if it exists (closes: #467870)
+ - update based on dh-make-perl's templates
+ - don't install README any more (no additional information)
+ * debian/watch: use dist-based URL.
+ * Set Standards-Version to 3.7.3 (no changes).
+ * Add debian/compat instead of setting DH_COMPAT in debian/rules.
+ * debian/copyright: add download URL and copy copyright/license terms
+ verbatim from README to match reality.
+ * Split the changes regarding the default keyserver (cf. #293080) out to
+ keyserver.patch; and don't change the keyserver only in the test (which
+ isn't actually run because it would fail due to the patch -- d'oh) but
+ also in the module (and it's documentation) itself, which was the
+ intention of the bug submitter ... Add quilt framework.
+
+ -- gregor herrmann <gregor+debian at comodo.priv.at> Sun, 09 Mar 2008 00:16:07 +0100
+
+libmodule-signature-perl (0.55-1) unstable; urgency=low
+
+ * New upstream release
+ * debian/control:
+ + Standards-Version: increased to 3.7.2.1
+
+ -- Krzysztof Krzyzaniak (eloy) <eloy at debian.org> Wed, 2 Aug 2006 16:13:43 +0200
+
+libmodule-signature-perl (0.54-1) unstable; urgency=low
+
+ * New upstream release.
+ * Standard-Version upgraded to 3.7.2 (no changes needed).
+ * Debhelper compatibility level upgraded to 5.
+ * Move several dependencies to Build-Depends-Indep, as required by Policy.
+ * Remove empty /usr/lib/perl5 directory from package.
+
+ -- gregor herrmann <gregor+debian at comodo.priv.at> Sun, 14 May 2006 01:45:03 +0200
+
+libmodule-signature-perl (0.53-1) unstable; urgency=low
+
+ * New upstream release, taking package for Perl Group
+ (closes: #329595) (closes: #357075)
+ * debian/watch - added
+ * debian/control:
+ - Standards-Version: upgraded to 3.6.2
+ - Uploaders: added me
+ - Maintainer: set to Debian Perl Group <pkg-perl-maintainers at lists.alioth.debian.org>
+ - libdigest-sha-perl added to dependencies
+ * debian/rules:
+ - compat increased to 4
+ - added PERL_MM_USE_DEFAULT=1
+
+ -- Krzysztof Krzyzaniak (eloy) <eloy at debian.org> Wed, 15 Mar 2006 17:18:22 +0100
+
+libmodule-signature-perl (0.44-3) unstable; urgency=low
+
+ * Re-upload with full source, as the 0.44-1 upload was borked so the
+ 0.44-2 upload was refused.
+
+ -- Chip Salzenberg <chip at debian.org> Fri, 8 Apr 2005 18:28:23 -0400
+
+libmodule-signature-perl (0.44-2) unstable; urgency=low
+
+ * Default to 'subkeys.pgp.net', not 'pgp.mit.edu'. (closes: #293080)
+ * Clean up dependencies.
+
+ -- Chip Salzenberg <chip at debian.org> Fri, 8 Apr 2005 17:42:20 -0400
+
+libmodule-signature-perl (0.44-1) unstable; urgency=medium
+
+ * New upstream release.
+
+ -- Chip Salzenberg <chip at debian.org> Tue, 8 Mar 2005 12:43:12 -0500
+
+libmodule-signature-perl (0.35-2) unstable; urgency=high
+
+ * Fix Build-Depends by deleting my hacked dpkg-source.
+
+ -- Chip Salzenberg <chip at debian.org> Sun, 5 Oct 2003 21:45:16 -0400
+
+libmodule-signature-perl (0.35-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Chip Salzenberg <chip at debian.org> Fri, 3 Oct 2003 19:30:47 -0400
+
+libmodule-signature-perl (0.26-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Chip Salzenberg <chip at debian.org> Thu, 24 Jul 2003 18:12:17 -0400
+
+libmodule-signature-perl (0.21-1) unstable; urgency=low
+
+ * Initial Release.
+
+ -- Chip Salzenberg <chip at debian.org> Sat, 15 Feb 2003 15:18:20 -0500
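Review bot: the new 0.63-1+squeeze2 entry lists the four CVEs but carries no "(Closes: #783451)", even though both patch headers in this commit name "Bug-Debian: https://bugs.debian.org/783451"; the squeeze1 entry above does close its bug ("(Closes: #711239)"), so add the closes line to the squeeze2 entry so the BTS is updated on upload.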
diff --cc debian/patches/CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch
index 7af1eab,0000000..abc5b02
mode 100644,000000..100644
--- a/debian/patches/CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch
+++ b/debian/patches/CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch
@@@ -1,187 -1,0 +1,199 @@@
+Description: Fix CVE-2015-3406, CVE-2015-3407 and CVE-2015-3408
+ CVE-2015-3406: Module::Signature parses the unsigned portion of the
+ SIGNATURE file as the signed portion due to incorrect handling of PGP
+ signature boundaries.
+ .
+ CVE-2015-3407: Module::Signature incorrectly handles files that are not
+ listed in the SIGNATURE file. This includes some files in the t/
+ directory that would execute when tests are run.
+ .
+ CVE-2015-3408: Module::Signature uses two argument open() calls to read
+ the files when generating checksums from the signed manifest, allowing
+ to embed arbitrary shell commands into the SIGNATURE file that would
+ execute during the signature verification process.
+Origin: upstream, https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f
+Bug-Debian: https://bugs.debian.org/783451
+Forwarded: not-needed
+Author: Audrey Tang <audreyt at audreyt.org>
+Reviewed-by: Salvatore Bonaccorso <carnil at debian.org>
- Last-Update: 2015-05-12
++Reviewed-by: Santiago Ruano Rincón <santiagorr at riseup.net>
++Last-Update: 2015-06-30
+Applied-Upstream: 0.75
+
+--- a/Makefile.PL
++++ b/Makefile.PL
+@@ -9,6 +9,7 @@
+ repository 'http://github.com/audreyt/module-signature';
+ install_script 'script/cpansign';
+ build_requires 'Test::More';
++requires 'File::Temp';
+
+ # On Win32 (excluding cygwin) we know that IO::Socket::INET,
+ # which is needed for keyserver stuff, doesn't work. In fact
+--- a/lib/Module/Signature.pm
++++ b/lib/Module/Signature.pm
- @@ -52,8 +52,20 @@
++@@ -52,8 +52,22 @@
+ $AutoKeyRetrieve = 1;
+ $CanKeyRetrieve = undef;
+
++sub _cipher_map {
++ my($sigtext) = @_;
++ my @lines = split /\015?\012/, $sigtext;
++ my %map;
++ for my $line (@lines) {
+++ last if $line eq '-----BEGIN PGP SIGNATURE-----';
+++ next if $line =~ /^---/ .. $line eq '';
++ my($cipher,$digest,$file) = split " ", $line, 3;
++ return unless defined $file;
++ $map{$file} = [$cipher, $digest];
++ }
++ return \%map;
++}
++
+ sub verify {
+- my %args = ( skip => 1, @_ );
++ my %args = ( @_ );
+ my $rv;
+
+ (-r $SIGNATURE) or do {
- @@ -66,7 +78,7 @@
++@@ -66,7 +80,7 @@
+ return SIGNATURE_MALFORMED;
+ };
+
+- (my ($cipher) = ($sigtext =~ /^(\w+) /)) or do {
++ (my ($cipher) = _cipher_map($sigtext)) or do {
+ warn "==> MALFORMED Signature file! <==\n";
+ return SIGNATURE_MALFORMED;
+ };
- @@ -160,6 +172,11 @@
++@@ -160,6 +174,11 @@
+ ($mani, $file) = ExtUtils::Manifest::fullcheck();
+ }
+ else {
++ my $_maniskip = &ExtUtils::Manifest::maniskip;
++ local *ExtUtils::Manifest::maniskip = sub { sub {
++ return unless $skip;
++ return $_maniskip->(@_);
++ } };
+ ($mani, $file) = ExtUtils::Manifest::fullcheck();
+ }
+
- @@ -199,6 +216,11 @@
++@@ -199,6 +218,11 @@
+
+ my $keyserver = _keyserver($version);
+
++ require File::Temp;
++ my $fh = File::Temp->new();
++ print $fh $sigtext;
++ close $fh;
++
+ my @quiet = $Verbose ? () : qw(-q --logger-fd=1);
+ my @cmd = (
+ qw(gpg --verify --batch --no-tty), @quiet, ($KeyServer ? (
- @@ -206,7 +228,7 @@
++@@ -206,7 +230,7 @@
+ ($AutoKeyRetrieve and $version ge '1.0.7')
+ ? '--keyserver-options=auto-key-retrieve'
+ : ()
+- ) : ()), $SIGNATURE
++ ) : ()), $fh->filename
+ );
+
+ my $output = '';
- @@ -218,6 +240,7 @@
++@@ -218,6 +242,7 @@
+ my $cmd = join ' ', @cmd;
+ $output = `$cmd`;
+ }
++ unlink $fh->filename;
+
+ if( $? ) {
+ print STDERR $output;
- @@ -246,7 +269,7 @@
++@@ -246,7 +271,7 @@
+ my $pgp = Crypt::OpenPGP->new(
+ ($KeyServer) ? ( KeyServer => $KeyServer, AutoKeyRetrieve => $AutoKeyRetrieve ) : (),
+ );
+- my $rv = $pgp->handle( Filename => $SIGNATURE )
++ my $rv = $pgp->handle( Data => $sigtext )
+ or die $pgp->errstr;
+
+ return SIGNATURE_BAD if (!$rv->{Validity} and $AutoKeyRetrieve);
- @@ -269,32 +292,35 @@
++@@ -269,32 +294,35 @@
+ my $well_formed;
+
+ local *D;
+- open D, $sigfile or die "Could not open $sigfile: $!";
++ open D, "< $sigfile" or die "Could not open $sigfile: $!";
+
+ if ($] >= 5.006 and <D> =~ /\r/) {
+ close D;
+- open D, $sigfile or die "Could not open $sigfile: $!";
++ open D, '<', $sigfile or die "Could not open $sigfile: $!";
+ binmode D, ':crlf';
+ } else {
+ close D;
+- open D, $sigfile or die "Could not open $sigfile: $!";
++ open D, "< $sigfile" or die "Could not open $sigfile: $!";
+ }
+
++ my $begin = "-----BEGIN PGP SIGNED MESSAGE-----\n";
++ my $end = "-----END PGP SIGNATURE-----\n";
+ while (<D>) {
+- next if (1 .. /^-----BEGIN PGP SIGNED MESSAGE-----/);
+- last if /^-----BEGIN PGP SIGNATURE/;
+-
++ next if (1 .. ($_ eq $begin));
+ $signature .= $_;
++ return "$begin$signature" if $_ eq $end;
+ }
+
+- return ((split(/\n+/, $signature, 2))[1]);
++ return;
+ }
+
+ sub _compare {
+ my ($str1, $str2, $ok) = @_;
+
+ # normalize all linebreaks
++ $str1 =~ s/^-----BEGIN PGP SIGNED MESSAGE-----\n(?:.+\n)*\n//;
+ $str1 =~ s/[^\S ]+/\n/g; $str2 =~ s/[^\S ]+/\n/g;
++ $str1 =~ s/-----BEGIN PGP SIGNATURE-----\n(?:.+\n)*$//;
+
+ return $ok if $str1 eq $str2;
+
- @@ -305,7 +331,7 @@
++@@ -305,7 +333,7 @@
+ }
+ else {
+ local (*D, *S);
+- open S, $SIGNATURE or die "Could not open $SIGNATURE: $!";
++ open S, "< $SIGNATURE" or die "Could not open $SIGNATURE: $!";
+ open D, "| diff -u $SIGNATURE -" or (warn "Could not call diff: $!", return SIGNATURE_MISMATCH);
+ while (<S>) {
+ print D $_ if (1 .. /^-----BEGIN PGP SIGNED MESSAGE-----/);
- @@ -368,9 +394,9 @@
++@@ -368,9 +396,9 @@
+ die "Cannot find $sigfile.tmp, signing aborted.\n";
+ };
+
+- open D, "$sigfile.tmp" or die "Cannot open $sigfile.tmp: $!";
++ open D, "< $sigfile.tmp" or die "Cannot open $sigfile.tmp: $!";
+
+- open S, ">$sigfile" or do {
++ open S, "> $sigfile" or do {
+ unlink "$sigfile.tmp";
+ die "Could not write to $sigfile: $!";
+ };
- @@ -531,7 +557,7 @@
++@@ -492,7 +520,7 @@
++
++ sub _mkdigest_files {
++ my $p = shift;
++- my $algorithm = shift || $Cipher;
+++ my $algorithm = $Cipher;
++ my $dosnames = (defined(&Dos::UseLFN) && Dos::UseLFN()==0);
++ my $read = ExtUtils::Manifest::maniread() || {};
++ my $found = ExtUtils::Manifest::manifind($p);
++@@ -531,7 +559,7 @@
+ }
+ else {
+ local *F;
+- open F, $file or die "Cannot open $file for reading: $!";
++ open F, "< $file" or die "Cannot open $file for reading: $!";
+ if (-B $file) {
+ binmode(F);
+ $obj->addfile(*F);
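Review bot: _cipher_map now returns a hash ref keyed by file ("return \%map;"), yet verify() still assigns it to $cipher in "(my ($cipher) = _cipher_map($sigtext))", and the extra hunk at "@@ -492,7 +520,7 @@" changes _mkdigest_files to "my $algorithm = $Cipher;" so whatever the caller passes is ignored. That hunk is the only code change this revision adds beyond the two _cipher_map lines and the offset updates, and the Description header does not mention it; if it exists because the hash ref was reaching _mkdigest_files as the algorithm, say so in the header, and rename the caller's variable to something like $cipher_map so the code reads correctly. The two added _cipher_map lines are in the right order: "last if $line eq '-----BEGIN PGP SIGNATURE-----';" must precede the "/^---/ .. $line eq ''" range, since the signature armour also starts with "---" and would otherwise restart the skip. Minor: the open() fixes in _read_sigfile mix one three-argument open ("'<', $sigfile") with two-argument "< $sigfile" forms on the neighbouring lines; the three-argument form does not re-parse the filename at all, so use it consistently.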
diff --cc debian/patches/CVE-2015-3409.patch
index f02cbec,0000000..300ee16
mode 100644,000000..100644
--- a/debian/patches/CVE-2015-3409.patch
+++ b/debian/patches/CVE-2015-3409.patch
@@@ -1,24 -1,0 +1,24 @@@
+Description: Fix CVE-2015-3409
+ CVE-2015-3409: Module::Signature incorrectly handles module loading
+ allowing to load modules from relative paths in @INC. A remote attacker
+ providing a malicious module could use this issue to execute arbitrary
+ code during signature verification.
+Origin: upstream, https://github.com/audreyt/module-signature/commit/c41e8885b862b9fce2719449bc9336f0bea658ef
+Bug-Debian: https://bugs.debian.org/783451
+Forwarded: not-needed
+Author: Audrey Tang <audreyt at audreyt.org>
+Reviewed-by: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2015-05-12
+Applied-Upstream: 0.75
+
+--- a/lib/Module/Signature.pm
++++ b/lib/Module/Signature.pm
- @@ -116,6 +116,8 @@
++@@ -104,6 +104,8 @@
+ my $sigtext = shift || '';
+ my $plaintext = shift || '';
+
++ # Avoid loading modules from relative paths in @INC.
++ local @INC = grep { File::Spec->file_name_is_absolute($_) } @INC;
+ local $SIGNATURE = $signature if $signature ne $SIGNATURE;
+
+ if ($AutoKeyRetrieve and !$CanKeyRetrieve) {
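Review bot: the added line calls File::Spec->file_name_is_absolute as a class method, but nothing in this patch loads File::Spec; check that Module/Signature.pm already uses it unconditionally, because if it is only loaded later the call dies before @INC is filtered. Also, the hunk offset was changed from "@@ -116,6 +116,8 @@" to "@@ -104,6 +104,8 @@" in this revision while the Last-Update header still reads 2015-05-12; bump it as was done in the sibling patch.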
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libmodule-signature-perl.git