Bug 1209917 (CVE-2015-3408)

Summary: CVE-2015-3408 perl-Module-Signature: arbitrary code execution when verifying module signatures
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, jrusnack, paul, perl-devel, perl-maint-list, pertusus
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: perl-Module-Signature 0.75 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-18 10:01:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1209920, 1209922    
Bug Blocks: 1209919    

Description Vasyl Kaigorodov 2015-04-08 12:51:02 UTC 
Module::Signature before version 0.75 used two argument open() calls to read the files when generating checksums from the signed manifest. This allowed embedding arbitrary shell commands into the SIGNATURE file that would execute during the signature verification process.

Upstream fix: https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f
CVE request: http://seclists.org/oss-sec/2015/q2/59
Comment 1 Vasyl Kaigorodov 2015-04-08 12:55:41 UTC 
Created perl-Module-Signature tracking bugs for this issue:

Affects: fedora-all [bug 1209920]
Affects: epel-all [bug 1209922]
Comment 2 Fedora Update System 2015-04-18 09:34:24 UTC 
perl-Module-Signature-0.78-1.fc21, perl-Test-Signature-1.11-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 3 Fedora Update System 2015-04-18 09:49:42 UTC 
perl-Test-Signature-1.11-1.fc20, perl-Module-Signature-0.78-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2015-04-21 18:46:55 UTC 
perl-Module-Signature-0.78-1.fc22, perl-Test-Signature-1.11-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2015-04-25 23:50:08 UTC 
perl-Test-Signature-1.11-1.el6, perl-Module-Signature-0.78-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2015-04-25 23:50:51 UTC 
perl-Test-Signature-1.11-1.el5, perl-Module-Signature-0.78-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Paul Howarth 2015-04-26 09:01:55 UTC 
Fixed in all current Fedora and EPEL releases.

Still to be fixed in RHEL-7.