Wednesday, July 3, 2013

[USN-1896-1] Module::Signature perl module vulnerability

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBCgAGBQJR1CGNAAoJEGVp2FWnRL6TatgP/ihdpiuEJxUrdkWPS0WsmBMA
cPLceXgmNcZJXZMlMgNEixmF0LRW7al5F55WQiq5aeH32S3dN5n0+lDNNmS+ZwS+
jajKA5Z55VsvG7+IMhOs3kElv+cYXEt6X7GN5piMtO6Q5ni3FZ5RdzNAMR6NUZPz
/qkoeQF/EZJtbgB5M99nUTA3OOXZf87yzzZxLfMdFJxvRu9XscN98CkzjbNyu/zf
4trve85kqbd7R3s6FWI4yWm8tpW8q47PAPeq/3X4XxzbC7RkQN99NymCJd1GgXM4
kegr95Bfr+tl7wdD2HpYdtvPgJ4d58AsChbSz6Z2wxHI7jrgYpl03VVrI+HSc6X8
HlZaKJ6O8cYraKwVyaxkVrv/glESuBueXfLkwurXojyaZEokkWMy0ktay1PuMRwo
jg4wciohN9S+VWgMiDOvN/nYCXkibHeoc+cHx1ZnBQ+DpN2Op+Ek6ifNmDEs22Ja
Bn1EvPU3N1KMtW+03jLW1s2NN41j4CXAuyuZW2+uxLpjaM0TiryfXMkXD0vbpj/M
aFBnmswyi2s+A5VRCdQ1kL3d2x5bqkySO8mKC7J7lI2PlpRa7vEpfoee/JxWRHQI
QEyVgMQhiRi+2X3typBDlZ/sTdXW500wyg2dq0IcqbW8jfXQvXJW1qaMFJ8F2EqZ
W7MVtXQpqh9CkQ7uxkv0
=h5It
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-1896-1
July 03, 2013

libmodule-signature-perl vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

Module::Signature could be made to run programs if it verified a signature.

Software Description:
- libmodule-signature-perl: module to manipulate CPAN SIGNATURE files

Details:

Florian Weimer discovered that the Module::Signature perl module
incorrectly loaded unknown ciphers from relative directories. An attacker
could possibly use this flaw to execute arbitrary code when a signature is
verified.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
libmodule-signature-perl 0.68-1ubuntu0.13.04.1

Ubuntu 12.10:
libmodule-signature-perl 0.68-1ubuntu0.12.10.1

Ubuntu 12.04 LTS:
libmodule-signature-perl 0.68-1ubuntu0.12.04.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1896-1
CVE-2013-2145

Package Information:

https://launchpad.net/ubuntu/+source/libmodule-signature-perl/0.68-1ubuntu0.13.04.1

https://launchpad.net/ubuntu/+source/libmodule-signature-perl/0.68-1ubuntu0.12.10.1

https://launchpad.net/ubuntu/+source/libmodule-signature-perl/0.68-1ubuntu0.12.04.1

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)