Description: Fix CVE-2013-2145
Fix arbitrary code execution when verifying SIGNATURE
Origin: backport, commit:575f7bd6ba4cc7c92f841e8758f88a131674ebf2, commit:cbd06b392a73c63159dc5c20ff5b3c8fc88c4896, commit:8ff56de7668ff60fbc1afe5b965a3c865662dd24
Bug-Debian: http://bugs.debian.org/711239
Forwarded: not-needed
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2013-06-18
Applied-Upstream: 0.73
--- a/lib/Module/Signature.pm
+++ b/lib/Module/Signature.pm
@@ -18,6 +18,7 @@
use ExtUtils::Manifest ();
use Exporter;
+use File::Spec;
@EXPORT_OK = (
qw(sign verify),
@@ -496,18 +497,23 @@
my $read = ExtUtils::Manifest::maniread() || {};
my $found = ExtUtils::Manifest::manifind($p);
my(%digest) = ();
+
+ # Avoid loading Digest::* from relative paths in @INC.
+ local @INC = grep { File::Spec->file_name_is_absolute($_) } @INC;
+
+ # Constrain algorithm name to be of form ABC123.
+ my ($base, $variant) = ($algorithm =~ /^([_a-zA-Z]+)([0-9]+)$/g)
+ or die "Malformed algorithm name: $algorithm (should match /\\w+\\d+/)";
+
my $obj = eval { Digest->new($algorithm) } || eval {
- my ($base, $variant) = ($algorithm =~ /^(\w+?)(\d+)$/g) or die;
require "Digest/$base.pm"; "Digest::$base"->new($variant)
} || eval {
require "Digest/$algorithm.pm"; "Digest::$algorithm"->new
} || eval {
- my ($base, $variant) = ($algorithm =~ /^(\w+?)(\d+)$/g) or die;
require "Digest/$base/PurePerl.pm"; "Digest::$base\::PurePerl"->new($variant)
} || eval {
require "Digest/$algorithm/PurePerl.pm"; "Digest::$algorithm\::PurePerl"->new
} or do { eval {
- my ($base, $variant) = ($algorithm =~ /^(\w+?)(\d+)$/g) or die;
warn "Unknown cipher: $algorithm, please install Digest::$base, Digest::$base$variant, or Digest::$base\::PurePerl\n";
} and return } or do {
warn "Unknown cipher: $algorithm, please install Digest::$algorithm\n"; return;
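Review bot: The new check on the `my ($base, $variant) = ($algorithm =~ /^([_a-zA-Z]+)([0-9]+)$/g)` line anchors with `$`, which still matches before a trailing newline, so a value such as `"SHA1\n"` passes validation while the unvalidated `$algorithm` is afterwards interpolated unchanged into `Digest->new($algorithm)` and `require "Digest/$algorithm.pm"`; only the captures are clean, not the original string. Anchor with `\z` and carry the validated form forward: `my ($base, $variant) = ($algorithm =~ /\A([_a-zA-Z]+)([0-9]+)\z/)` followed by `$algorithm = "$base$variant";` (this assumes `$algorithm` is the sub's own lexical copy rather than an alias the caller relies on — confirm against the sub's header, which is outside this hunk). The `die` message advertises `/\w+\d+/`, which is looser than what is enforced (`\w` admits digits and non-ASCII letters); `/[_a-zA-Z]+[0-9]+/` would describe the check accurately. The `local @INC` filter also drops coderef hooks and relative entries such as `.`, which appears to be the intended effect but is worth stating in the comment, e.g. `# Drop relative entries (e.g. ".") and @INC hooks so Digest::* cannot be loaded from the unpacked distribution being verified.` The enclosing sub begins before and ends after this hunk.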