Bug 996281 - (CVE-2013-1437) CVE-2013-1437 perl-Module-Metadata: incorrectly documents that it does not execute unsafe code
CVE-2013-1437 perl-Module-Metadata: incorrectly documents that it does not ex...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20130821,reported=2...
: Security
Depends On: 996285 996286 999631 999632
Blocks: 996283
  Show dependency treegraph
 
Reported: 2013-08-12 16:27 EDT by Vincent Danen
Modified: 2015-10-15 13:56 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-22 12:14:17 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2013-08-12 16:27:37 EDT
It was reported that the perl Module::Metadata module incorrectly claimed that it would gather metadata about a .pm file without executing unsafe code.  However, when Module::Metadata determines the version of a module, it can extract a small amount of code (if present in the $Version variable assignment) and evaluates it, which can lead to the execution of arbitrary code (the same code that module would execute to obtain the value of $Version).

This behaviour is intended and known by the authors of the module, the only issue here is with the claim of "without executing unsafe code" and with not making this behaviour clearer in the documentation.  The authors intend to remove this mis-statement and properly document this intended behaviour.


Acknowledgements:

Red Hat would like to thank the Perl 5 Security Team for reporting this issue.
Comment 2 Vincent Danen 2013-08-21 14:09:58 EDT
This is now public:

https://metacpan.org/changes/distribution/Module-Metadata
Comment 4 Vincent Danen 2013-08-21 14:14:44 EDT
Created perl-Module-Metadata tracking bugs for this issue:

Affects: fedora-all [bug 999631]
Comment 5 Fedora Update System 2013-08-30 18:57:43 EDT
perl-Module-Metadata-1.000015-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2013-08-30 19:00:03 EDT
perl-Module-Metadata-1.000015-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.