From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Sergey Popov (pinkbyte)"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, pinkbyte@gentoo.org
Subject: [gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-201310-01.xml
X-VCS-Repository: gentoo
X-VCS-Files: glsa-201310-01.xml
X-VCS-Directories: xml/htdocs/security/en/glsa
X-VCS-Committer: pinkbyte
X-VCS-Committer-Name: Sergey Popov
Message-Id: <20131004065849.59BB22004C@flycatcher.gentoo.org>
Date: Fri, 4 Oct 2013 06:58:49 +0000 (UTC)

pinkbyte    13/10/04 06:58:49

  Added:                glsa-201310-01.xml
  Log:
  GLSA 201310-01

Revision  Changes    Path
1.1                  xml/htdocs/security/en/glsa/glsa-201310-01.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201310-01.xml?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201310-01.xml?rev=1.1&content-type=text/plain

Index: glsa-201310-01.xml
===================================================================

Title: Perl Module-Signature module: Arbitrary code execution
Synopsis: The Module-Signature module for Perl has insufficient path checks, allowing a remote attacker to execute arbitrary Perl code.
Product: Module-Signature
Announced: October 04, 2013
Revised: October 04, 2013: 1
Bug: 472428
Access: remote
Affected package: dev-perl/Module-Signature (unaffected: >= 0.720.0, vulnerable: < 0.720.0)

The Perl Module::Signature module adds signing capabilities to CPAN modules.

The ‘cpansign verify’ command will automatically download keys and use them to check the signature of CPAN packages via the SIGNATURE file. Each digest line in that file names the digest algorithm used (SHA1). If an attacker were to replace that name with an unknown algorithm (e.g. ‘Special’) and were to include a ‘Digest/Special.pm’ in the distribution, Module::Signature would load that module to compute the digest, so the code in it would be executed when ‘cpansign -verify’ is run.
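The following Perl script is an added example and is not part of the GLSA or of Module::Signature itself. It shows the defensive check the advisory implies: before a distribution is handed to Module::Signature for verification, the SIGNATURE file is parsed and every digest line is compared against an allowlist of algorithm names, so a line naming an unexpected algorithm is rejected rather than being turned into a `Digest::<Name>` module load. The allowlist contents, the `unknown_digest_algorithms` function and the sample SIGNATURE text are all constructed for this example.

```perl
#!/usr/bin/perl
# Added example (not from the GLSA or Module::Signature): pre-check a
# SIGNATURE file against an allowlist of digest algorithm names before
# calling Module::Signature::verify() on the distribution.
use strict;
use warnings;

# Algorithm names we are willing to see on digest lines (constructed
# allowlist). Anything else would make an old Module::Signature try to
# load Digest/<Name>.pm from the distribution itself.
my %ALLOWED = map { $_ => 1 } qw(SHA1 SHA256);

# Return the sorted list of algorithm names on digest lines that are not
# in the allowlist. An empty list means the file is safe to pass on.
sub unknown_digest_algorithms {
    my ($text) = @_;
    my %seen;
    my $in_body = 0;
    for my $line (split /\n/, $text) {
        # digest lines live between the clearsigned header and the PGP signature
        last if $line =~ /^-----BEGIN PGP SIGNATURE-----/;
        if ($line =~ /^-----BEGIN PGP SIGNED MESSAGE-----/) { $in_body = 1; next; }
        next unless $in_body;
        next if $line =~ /^Hash:\s/;    # clearsign header, not a digest line
        # digest line layout: <ALGORITHM> <hexdigest> <path>
        if ($line =~ /^(\S+)\s+([0-9a-fA-F]+)\s+(\S.*)$/) {
            my $algo = $1;
            $seen{$algo} = 1 unless $ALLOWED{$algo};
        }
    }
    return sort keys %seen;
}

# Constructed sample SIGNATURE text: the first digest line names an
# unknown algorithm, which is the situation the advisory describes.
my $sample = <<'SIG';
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Special 0123456789abcdef0123456789abcdef01234567 Changes
SHA1 89abcdef0123456789abcdef0123456789abcdef MANIFEST
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJSTkWzAAoJEAAAAAAAAAAAAAAH/constructed-not-a-real-signature
-----END PGP SIGNATURE-----
SIG

# Read the real SIGNATURE from the current directory when present,
# otherwise fall back to the constructed sample above.
my $text = $sample;
if (-f 'SIGNATURE') {
    open my $fh, '<', 'SIGNATURE' or die "cannot open SIGNATURE: $!\n";
    local $/;
    $text = <$fh>;
    close $fh;
}

my @bad = unknown_digest_algorithms($text);
if (@bad) {
    die "refusing to verify: unknown digest algorithm(s) in SIGNATURE: @bad\n";
}

# Only a SIGNATURE that passed the allowlist check reaches Module::Signature:
require Module::Signature;
exit(Module::Signature::verify() == Module::Signature::SIGNATURE_OK() ? 0 : 1);
```

Run from the top of an unpacked distribution; with the constructed sample it dies naming `Special`, and on a clean SIGNATURE it falls through to Module::Signature's own verification. The check is a compensating control for hosts that cannot upgrade immediately; the fix remains the version bump the advisory prescribes.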

A remote attacker could possibly execute arbitrary code with the privileges of the process.

There is no known workaround at this time.

All users of the Module-Signature Perl module should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-perl/Module-Signature-0.720.0"
References: CVE-2013-2145
Requester: pinkbyte
Submitter: pinkbyte