File: CVE-2015-3409.patch

libmodule-signature-perl 0.73-1+deb8u2
  • area: main
  • in suites: jessie
Description: Fix CVE-2015-3409
 CVE-2015-3409: Module::Signature incorrectly handles module loading,
 allowing modules to be loaded from relative paths in @INC. A remote attacker
 providing a malicious module could use this issue to execute arbitrary
 code during signature verification.
 Closes: #783451
Origin: upstream, https://github.com/audreyt/module-signature/commit/c41e8885b862b9fce2719449bc9336f0bea658ef
Bug-Debian: https://bugs.debian.org/783451
Forwarded: not-needed
Author: Audrey Tang <audreyt@audreyt.org>
Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2015-05-12
Applied-Upstream: 0.75

--- a/lib/Module/Signature.pm
+++ b/lib/Module/Signature.pm
@@ -118,6 +118,8 @@ sub _verify {
     my $sigtext   = shift || '';
     my $plaintext = shift || '';
 
+    # Avoid loading modules from relative paths in @INC.
+    local @INC = grep { File::Spec->file_name_is_absolute($_) } @INC;
     local $SIGNATURE = $signature if $signature ne $SIGNATURE;
 
     if ($AutoKeyRetrieve and !$CanKeyRetrieve) {
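Review bot: the added `grep { File::Spec->file_name_is_absolute($_) } @INC` line calls `File::Spec` without a visible `use File::Spec;` in this hunk; confirm `lib/Module/Signature.pm` already loads it, otherwise `_verify` dies at runtime on the first call instead of verifying. Two further points on that line are worth a word in the comment above it: `file_name_is_absolute` stringifies every entry, so any code-ref or object hooks in `@INC` are silently dropped for the duration of `_verify` (fine as hardening, but it should be a documented choice rather than a side effect), and because the override is `local` to `_verify`, only `require`s that run within its dynamic scope are protected, so module loading that happens before `_verify` is entered is not covered by this change. Suggest expanding the comment to say which lazy loads inside `_verify` this guards, e.g. "# Avoid loading modules from relative paths in @INC during verification (lazy requires below)."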