Description: Fix serious documentation bug about statement of execution of unsafe code
Addresses CVE-2013-1437 as (serious) documentation bug:
Module::Metadata executes code when gathering metadata about a module
by design. In versions previous to (upstream) 1.000015 the
documentation stated, however, that Module::Metadata provides a
standard way to gather metadata about a .pm file without executing
unsafe code.
Origin: upstream, http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=p5sagit/Module-Metadata.git;a=commitdiff;h=c0278e58ecbced5d852526c1c5d088c8df6ba618
Forwarded: not-needed
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2013-09-03
Applied-Upstream: 1.000015
--- a/lib/Module/Metadata.pm
+++ b/lib/Module/Metadata.pm
@@ -719,8 +719,10 @@
=head1 DESCRIPTION
-This module provides a standard way to gather metadata about a .pm file
-without executing unsafe code.
+This module provides a standard way to gather metadata about a .pm file through
+(mostly) static analysis and (some) code execution. When determining the
+version of a module, the C<$VERSION> assignment is C<eval>ed, as is traditional
+in the CPAN toolchain.
=head1 USAGE
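Review bot: The added DESCRIPTION paragraph says the C<$VERSION> assignment is C<eval>ed but never states what that means for callers, and "(mostly) static analysis and (some) code execution" leaves the extent of execution vague. The removed text promised metadata gathering "without executing unsafe code", so readers who relied on it need the opposite spelled out: consider adding a sentence saying that code from the inspected .pm file is executed when its version is determined, and that the module should therefore not be treated as safe to run on untrusted files.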