Your message dated Wed, 21 Dec 2011 07:55:45 +0000
with message-id <[email protected]>
and subject line Bug#644108: fixed in perl 5.10.1-17squeeze3
has caused the Debian Bug report #644108,
regarding unsafe use of eval in Digest->new()
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
644108: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644108
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: perl
Version: 5.10.0-19
Severity: grave
Tags: security upstream
Hi,
the last upstream release of libdigest-perl (1.17) contains a fix for an
unsafe use of eval: the argument to Digest->new($algo) was not checked
properly, allowing code injection (in case the value can be changed by
the attacker).
This also affects perl as the module is included in perl-base.
I have attached the update for libdigest-perl I prepared for squeeze
which only contains the relevant fix.
Regards,
Ansgar
diff -u libdigest-perl-1.16/debian/changelog libdigest-perl-1.16/debian/changelog
--- libdigest-perl-1.16/debian/changelog
+++ libdigest-perl-1.16/debian/changelog
@@ -1,3 +1,9 @@
+libdigest-perl (1.16-1+squeeze1) UNRELEASED; urgency=low
+
+ * Fix unsafe use of eval in Digest->new().
+
+ -- Ansgar Burchardt <[email protected]> Sun, 02 Oct 2011 23:20:11 +0200
+
libdigest-perl (1.16-1) unstable; urgency=low
[ gregor herrmann ]
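Review bot: the new entry `+libdigest-perl (1.16-1+squeeze1) UNRELEASED; urgency=low` still targets UNRELEASED and names neither the bug nor the CVE, so the upload will not close #644108 automatically and the security tracker cannot match it. Before upload, change the distribution from UNRELEASED to the suite the package is actually going to (the perl upload later in this thread used `stable`), and extend the entry to something like `* Fix unsafe use of eval in Digest->new() (CVE-2011-3597, Closes: #644108).`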
only in patch2:
unchanged:
--- libdigest-perl-1.16.orig/Digest.pm
+++ libdigest-perl-1.16/Digest.pm
@@ -24,7 +24,7 @@
shift; # class ignored
my $algorithm = shift;
my $impl = $MMAP{$algorithm} || do {
- $algorithm =~ s/\W+//;
+ $algorithm =~ s/\W+//g;
"Digest::$algorithm";
};
$impl = [$impl] unless ref($impl);
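Review bot: `s/\W+//g` sanitizes rather than validates. The old `s/\W+//` stripped only the first run of non-word characters, so `MD;5;...` became `MD5;...` and the remainder survived into the module name; with /g every non-word character is removed, which is what the t/security.t payload in this patch relies on. The cost is that an unknown name such as `Foo-Bar` silently collapses to `Digest::FooBar`, and a hostile name becomes an odd but harmless module lookup instead of an error. A stricter variant would `die` when `$algorithm` contains anything outside `[A-Za-z0-9_]` rather than stripping it, which also surfaces typos to the caller.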
@@ -35,7 +35,9 @@
($class, @args) = @$class if ref($class);
no strict 'refs';
unless (exists ${"$class\::"}{"VERSION"}) {
- eval "require $class";
+ my $pm_file = $class . ".pm";
+ $pm_file =~ s{::}{/}g;
+ eval { require $pm_file };
if ($@) {
$err ||= $@;
next;
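Review bot: replacing `eval "require $class"` with `eval { require $pm_file }` removes the code-interpolation path entirely, but the `s{::}{/}g` conversion assumes `$class` only ever contains identifier characters and `::`. Entries taken from `@$class` (the ref branch two lines above) are trusted map values, while the computed `Digest::$algorithm` branch is only safe because the previous hunk strips non-word characters; a comment here, or an explicit `die` on names not matching `/\A\w+(?:::\w+)*\z/`, would keep a future change to that sanitization from silently letting `/` or `..` reach the require path. The trailing `if ($@) { $err ||= $@; next; }` keeps working unchanged, since block eval sets `$@` the same way.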
only in patch2:
unchanged:
--- libdigest-perl-1.16.orig/t/security.t
+++ libdigest-perl-1.16/t/security.t
@@ -0,0 +1,14 @@
+#!/usr/bin/env perl
+
+# Digest->new() had an exploitable eval
+
+use strict;
+use warnings;
+
+use Test::More tests => 1;
+
+use Digest;
+
+$LOL::PWNED = 0;
+eval { Digest->new(q[MD;5;$LOL::PWNED = 42]) };
+is $LOL::PWNED, 0;
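Review bot: the test only checks that the crafted name did not execute code; it does not check that `Digest->new()` rejected it (the surrounding `eval {}` swallows whatever it died with) nor that a legitimate name still loads, so a regression that breaks every `Digest->new()` call would still pass. Suggest `tests => 3` with `ok $@, 'malformed name is rejected';` after the eval (assuming new() dies for an unknown algorithm, as the `$err ||= $@` accumulation suggests) and an `isa_ok Digest->new('MD5'), 'Digest::MD5';` check, Digest::MD5 being a core module. Also make sure the new `t/security.t` is listed in MANIFEST if the build runs a manifest check.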
--- End Message ---
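As an added example (not code from libdigest-perl or from the Debian patch above), the loader below shows the idiom the fix moves to, and goes one step further: the algorithm name is validated and rejected rather than sanitized, and the module is loaded with a block eval on a file path, so the argument is never interpreted as Perl source. The %MMAP table, load_impl and the sample inputs are constructed for this illustration.

```perl
#!/usr/bin/env perl
# Added example, not part of libdigest-perl: a small dynamic-module loader
# in the style of Digest->new() that never passes user input to a string eval.
use strict;
use warnings;

# Hypothetical map from user-facing algorithm names to implementing modules
# (constructed for this example; Digest.pm keeps its own table).
my %MMAP = (
    "MD5"     => "Digest::MD5",
    "SHA-1"   => "Digest::SHA",
    "SHA-256" => "Digest::SHA",
);

# Unmapped names must be a single identifier: no ";", "$", "/", "." or spaces.
my $SAFE_ALGO = qr/\A[A-Za-z0-9_]+\z/;

# Returns the loaded implementation class, or dies with a diagnostic.
sub load_impl {
    my ($algorithm) = @_;
    die "no algorithm given\n"
        unless defined $algorithm && length $algorithm;

    my $class = $MMAP{$algorithm};
    unless (defined $class) {
        # Reject instead of stripping: a hostile or mistyped name is an error,
        # not a silently rewritten module lookup.
        die "refusing unsafe algorithm name '$algorithm'\n"
            unless $algorithm =~ $SAFE_ALGO;
        $class = "Digest::$algorithm";
    }

    # Block eval + file path: "Digest::MD5" -> "Digest/MD5.pm". The string is
    # only ever used as a filename under @INC, never compiled as code.
    (my $pm_file = "$class.pm") =~ s{::}{/}g;
    eval { require $pm_file; 1 } or die "cannot load $class: $@";
    return $class;
}

# Demonstration on constructed inputs: a mapped name, an unmapped but
# well-formed name, and the shape of name the original report describes.
for my $name ("MD5", "SHA-256", "Whirlpool", 'MD;5;$Main::PWNED = 42') {
    my $class = eval { load_impl($name) };
    printf "%-26s -> %s", $name, defined $class ? "$class\n" : "ERROR: $@";
}
```

The crafted name is refused before any require() runs; the unmapped "Whirlpool" reaches require() and fails cleanly with the usual "Can't locate Digest/Whirlpool.pm" message unless that module is installed.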
--- Begin Message ---
Source: perl
Source-Version: 5.10.1-17squeeze3
We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:
libcgi-fast-perl_5.10.1-17squeeze3_all.deb
to main/p/perl/libcgi-fast-perl_5.10.1-17squeeze3_all.deb
libperl-dev_5.10.1-17squeeze3_i386.deb
to main/p/perl/libperl-dev_5.10.1-17squeeze3_i386.deb
libperl5.10_5.10.1-17squeeze3_i386.deb
to main/p/perl/libperl5.10_5.10.1-17squeeze3_i386.deb
perl-base_5.10.1-17squeeze3_i386.deb
to main/p/perl/perl-base_5.10.1-17squeeze3_i386.deb
perl-debug_5.10.1-17squeeze3_i386.deb
to main/p/perl/perl-debug_5.10.1-17squeeze3_i386.deb
perl-doc_5.10.1-17squeeze3_all.deb
to main/p/perl/perl-doc_5.10.1-17squeeze3_all.deb
perl-modules_5.10.1-17squeeze3_all.deb
to main/p/perl/perl-modules_5.10.1-17squeeze3_all.deb
perl-suid_5.10.1-17squeeze3_i386.deb
to main/p/perl/perl-suid_5.10.1-17squeeze3_i386.deb
perl_5.10.1-17squeeze3.debian.tar.gz
to main/p/perl/perl_5.10.1-17squeeze3.debian.tar.gz
perl_5.10.1-17squeeze3.dsc
to main/p/perl/perl_5.10.1-17squeeze3.dsc
perl_5.10.1-17squeeze3_i386.deb
to main/p/perl/perl_5.10.1-17squeeze3_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dominic Hargreaves <[email protected]> (supplier of updated perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 20 Dec 2011 20:01:23 +0000
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug perl-suid libperl5.10 libperl-dev perl
Architecture: source all i386
Version: 5.10.1-17squeeze3
Distribution: stable
Urgency: low
Maintainer: Niko Tyni <[email protected]>
Changed-By: Dominic Hargreaves <[email protected]>
Description:
libcgi-fast-perl - CGI::Fast Perl module
libperl-dev - Perl library: development files
libperl5.10 - shared Perl library
perl - Larry Wall's Practical Extraction and Report Language
perl-base - minimal Perl system
perl-debug - debug-enabled Perl interpreter
perl-doc - Perl documentation
perl-modules - Core Perl modules
perl-suid - runs setuid Perl scripts
Closes: 604902 637376 644108
Changes:
perl (5.10.1-17squeeze3) stable; urgency=low
.
* [SECURITY] CVE-2011-2939: Fix decode_xs n-byte heap-overflow security
bug in Unicode.xs (Closes: #637376)
* [SECURITY] CVE-2011-3597: Fix unsafe use of eval in Digest->new();
thanks to Ansgar Burchardt for the notification (Closes: #644108)
* Unregister signal handler before destroying my_perl; fixes segfault
(Closes: #604902)
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---