https://bugzilla.redhat.com/show_bug.cgi?id=1209911
Bug ID: 1209911
Summary: perl-Module-Signature: unsigned files interpreted as signed in some circumstances
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: vkaigoro@redhat.com
CC: paul@city-fan.org, perl-devel@lists.fedoraproject.org, perl-maint-list@redhat.com, pertusus@free.fr
Module::Signature before version 0.75 could be tricked into interpreting the unsigned portion of a SIGNATURE file as the signed portion due to faulty parsing of the PGP signature boundaries.
Upstream fix: https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa...
CVE request: http://seclists.org/oss-sec/2015/q2/59
Vasyl Kaigorodov vkaigoro@redhat.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
Blocks          |                            |1209919
Vasyl Kaigorodov vkaigoro@redhat.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
Depends On      |                            |1209920
Depends On      |                            |1209922
--- Comment #1 from Vasyl Kaigorodov vkaigoro@redhat.com ---
Created perl-Module-Signature tracking bugs for this issue:
Affects: fedora-all [bug 1209920]
Affects: epel-all [bug 1209922]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1209920
[Bug 1209920] perl-Module-Signature: unsigned files interpreted as signed in some circumstances [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1209922
[Bug 1209922] perl-Module-Signature: unsigned files interpreted as signed in some circumstances [epel-all]
--- Comment #2 from Fedora Update System updates@fedoraproject.org ---
perl-Module-Signature-0.78-1.fc21, perl-Test-Signature-1.11-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
--- Comment #3 from Fedora Update System updates@fedoraproject.org ---
perl-Test-Signature-1.11-1.fc20, perl-Module-Signature-0.78-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
--- Comment #4 from Fedora Update System updates@fedoraproject.org ---
perl-Module-Signature-0.78-1.fc22, perl-Test-Signature-1.11-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Bug 1209911 depends on bug 1209920, which changed state.
Bug 1209920 Summary: perl-Module-Signature: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1209920
What            |Removed                     |Added
----------------------------------------------------------------------------
Status          |MODIFIED                    |CLOSED
Resolution      |---                         |ERRATA
Martin Prpic mprpic@redhat.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
Alias           |                            |CVE-2015-3406
Martin Prpic mprpic@redhat.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
Summary         |perl-Module-Signature:      |CVE-2015-3406
                |unsigned files interpreted  |perl-Module-Signature:
                |as signed in some           |unsigned files interpreted
                |circumstances               |as signed in some
                |                            |circumstances
--- Comment #5 from Fedora Update System updates@fedoraproject.org ---
perl-Test-Signature-1.11-1.el6, perl-Module-Signature-0.78-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
--- Comment #6 from Fedora Update System updates@fedoraproject.org ---
perl-Test-Signature-1.11-1.el5, perl-Module-Signature-0.78-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Bug 1209911 depends on bug 1209922, which changed state.
Bug 1209922 Summary: perl-Module-Signature: various flaws [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1209922
What            |Removed                     |Added
----------------------------------------------------------------------------
Status          |MODIFIED                    |CLOSED
Resolution      |---                         |ERRATA
Paul Howarth paul@city-fan.org changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
Status          |NEW                         |MODIFIED
--- Comment #7 from Paul Howarth paul@city-fan.org ---
Fixed in all current Fedora and EPEL releases.
Still to be fixed in RHEL-7.
Tomas Hoger thoger@redhat.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
Status          |MODIFIED                    |NEW
Fixed In Version|Module::Signature 0.75      |perl-Module-Signature 0.75
Stefan Cornelius scorneli@redhat.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
Whiteboard      |impact=moderate,public=2015 |impact=moderate,public=2015
                |0405,reported=20150408,sour |0405,reported=20150408,sour
                |ce=oss-security,cvss2=5.1/A |ce=oss-security,cvss2=5.1/A
                |V:N/AC:H/Au:N/C:P/I:P/A:P,f |V:N/AC:H/Au:N/C:P/I:P/A:P,f
                |edora-all/perl-Module-Signa |edora-all/perl-Module-Signa
                |ture=affected,epel-all/perl |ture=affected,epel-all/perl
                |-Module-Signature=affected, |-Module-Signature=affected,
                |rhel-7/perl-Module-Signatur |rhel-7/perl-Module-Signatur
                |e=affected                  |e=wontfix
Stefan Cornelius scorneli@redhat.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
Status          |NEW                         |CLOSED
Resolution      |---                         |WONTFIX
Last Closed     |                            |2015-08-18 06:00:57
Ján Rusnačko jrusnack@redhat.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
CC              |                            |jrusnack@redhat.com
Whiteboard      |impact=moderate,public=2015 |impact=moderate,public=2015
                |0405,reported=20150408,sour |0405,reported=20150408,sour
                |ce=oss-security,cvss2=5.1/A |ce=oss-security,cvss2=5.1/A
                |V:N/AC:H/Au:N/C:P/I:P/A:P,f |V:N/AC:H/Au:N/C:P/I:P/A:P,f
                |edora-all/perl-Module-Signa |edora-all/perl-Module-Signa
                |ture=affected,epel-all/perl |ture=affected,epel-all/perl
                |-Module-Signature=affected, |-Module-Signature=affected,
                |rhel-7/perl-Module-Signatur |rhel-7/perl-Module-Signatur
                |e=wontfix                   |e=wontfix,cwe=CWE-347