Bug 1209911 (CVE-2015-3406) - CVE-2015-3406 perl-Module-Signature: unsigned files interpreted as signed in some circumstances
Summary: CVE-2015-3406 perl-Module-Signature: unsigned files interpreted as signed in ...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2015-3406
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1209920 1209922
Blocks: 1209919
TreeView+ depends on / blocked
 
Reported: 2015-04-08 12:47 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:31 UTC (History)
6 users (show)

Fixed In Version: perl-Module-Signature 0.75
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-18 10:00:57 UTC
Embargoed:


Attachments (Terms of Use)

Description Vasyl Kaigorodov 2015-04-08 12:47:11 UTC
Module::Signature before version 0.75 could be tricked into interpreting the unsigned portion of a SIGNATURE file as the signed portion due to faulty parsing of the PGP signature boundaries.

Upstream fix: https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f
CVE request: http://seclists.org/oss-sec/2015/q2/59

Comment 1 Vasyl Kaigorodov 2015-04-08 12:54:53 UTC
Created perl-Module-Signature tracking bugs for this issue:

Affects: fedora-all [bug 1209920]
Affects: epel-all [bug 1209922]

Comment 2 Fedora Update System 2015-04-18 09:34:20 UTC
perl-Module-Signature-0.78-1.fc21, perl-Test-Signature-1.11-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 3 Fedora Update System 2015-04-18 09:49:39 UTC
perl-Test-Signature-1.11-1.fc20, perl-Module-Signature-0.78-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2015-04-21 18:46:52 UTC
perl-Module-Signature-0.78-1.fc22, perl-Test-Signature-1.11-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2015-04-25 23:50:05 UTC
perl-Test-Signature-1.11-1.el6, perl-Module-Signature-0.78-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2015-04-25 23:50:47 UTC
perl-Test-Signature-1.11-1.el5, perl-Module-Signature-0.78-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Paul Howarth 2015-04-26 09:00:24 UTC
Fixed in all current Fedora and EPEL releases.

Still to be fixed in RHEL-7.


Note You need to log in before you can comment on or make changes to this bug.