[Bug 1209917] New: perl-Module-Signature: arbitrary code execution when verifying module signatures

bugzilla Wed, 08 Apr 2015 05:52:03 -0700

https://bugzilla.redhat.com/show_bug.cgi?id=1209917


            Bug ID: 1209917
           Summary: perl-Module-Signature: arbitrary code execution when
                    verifying module signatures
           Product: Security Response
         Component: vulnerability
          Keywords: Security
          Severity: medium
          Priority: medium
          Assignee: security-response-t...@redhat.com
          Reporter: vkaig...@redhat.com
                CC: p...@city-fan.org, perl-devel@lists.fedoraproject.org,
                    perl-maint-l...@redhat.com, pertu...@free.fr



Module::Signature before version 0.75 used two argument open() calls to read
the files when generating checksums from the signed manifest. This allowed
embedding arbitrary shell commands into the SIGNATURE file that would execute
during the signature verification process.

Upstream fix:
https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f
CVE request: http://seclists.org/oss-sec/2015/q2/59

-- 
You are receiving this mail because:
You are on the CC list for the bug.
--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/perl-devel

[Bug 1209917] New: perl-Module-Signature: arbitrary code execution when verifying module signatures

Reply via email to