[Bug 1209917] New: perl-Module-Signature: arbitrary code execution when verifying module signatures
bugzilla at redhat.com
Wed Apr 8 12:51:02 UTC 2015
https://bugzilla.redhat.com/show_bug.cgi?id=1209917
Bug ID: 1209917
Summary: perl-Module-Signature: arbitrary code execution when
verifying module signatures
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team at redhat.com
Reporter: vkaigoro at redhat.com
CC: paul at city-fan.org, perl-devel at lists.fedoraproject.org,
perl-maint-list at redhat.com, pertusus at free.fr
Module::Signature before version 0.75 used two-argument open() calls to read
the files when generating checksums from the signed manifest. This allowed
embedding arbitrary shell commands into the SIGNATURE file that would execute
during the signature verification process.
Upstream fix:
https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f
CVE request: http://seclists.org/oss-sec/2015/q2/59
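The difference between the two open() forms described in the report, as an added example that is not Module::Signature's own code or the upstream patch. The helper names `digest_file` and `two_arg_hazard` are hypothetical, and the manifest lines are constructed placeholders in a simplified "ALGORITHM DIGEST FILENAME" layout.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA;

# Pre-0.75 pattern named in the report (two-argument form, for contrast only):
#   open(my $fh, $file)   # mode characters and pipes in $file are interpreted
#
# Three-argument form: the mode is fixed and $file is only ever a path.
sub digest_file {
    my ($file) = @_;
    open(my $fh, '<', $file) or return;   # undef if the literal path is unreadable
    binmode($fh);
    my $hex = Digest::SHA->new(1)->addfile($fh)->hexdigest;
    close($fh);
    return $hex;
}

# Report why a manifest file name would not be treated as a plain path
# by two-argument open(); returns undef for ordinary names.
sub two_arg_hazard {
    my ($name) = @_;
    return 'leading or trailing whitespace' if $name =~ /^\s|\s$/;
    return 'pipe (command execution)'       if $name =~ /^\||\|$/;
    return 'explicit mode prefix'           if $name =~ /^[<>+]/;
    return 'alias for STDIN/STDOUT'         if $name eq '-';
    return;
}

# Constructed manifest lines (digests and names are placeholders).
my @manifest = (
    'SHA1 0000000000000000000000000000000000000000 lib/Example.pm',
    'SHA1 0000000000000000000000000000000000000000 placeholder-command |',
    'SHA1 0000000000000000000000000000000000000000  padded-name.txt',
);

for my $line (@manifest) {
    my (undef, undef, $name) = split / /, $line, 3;
    if (defined(my $why = two_arg_hazard($name))) {
        print "REJECT '$name': $why\n";
        next;
    }
    my $hex = digest_file($name);
    print defined $hex ? "OK     '$name': $hex\n"
                       : "SKIP   '$name': cannot open as a literal path\n";
}
```

With the three-argument form alone, the second and third names would simply fail to open as literal paths; the name check adds an explicit rejection that can be logged before any file is touched.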