[Bug 1209918] New: perl-Module-Signature: arbitrary modules loading in some circumstances
bugzilla at redhat.com
bugzilla at redhat.com
Wed Apr 8 12:53:01 UTC 2015
https://bugzilla.redhat.com/show_bug.cgi?id=1209918
Bug ID: 1209918
Summary: perl-Module-Signature: arbitrary modules loading in
some circumstances
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team at redhat.com
Reporter: vkaigoro at redhat.com
CC: paul at city-fan.org, perl-devel at lists.fedoraproject.org,
perl-maint-list at redhat.com, pertusus at free.fr
Module::Signature before version 0.75 has been loading several modules at
runtime inside the extracted module directory. Modules like Text::Diff are not
guaranteed to be available on all platforms and could be added to a malicious
module so that they would load from the '.' path in @INC.
Upstream fix:
https://github.com/audreyt/module-signature/commit/c41e8885b862b9fce2719449bc9336f0bea658ef
CVE request: http://seclists.org/oss-sec/2015/q2/59
--
You are receiving this mail because:
You are on the CC list for the bug.
More information about the perl-devel
mailing list