Debian DSA-3261-1 : libmodule-signature-perl - security update

Severity: High | Nessus Plugin ID 83501

Synopsis

The remote Debian host is missing a security-related update.

Description

Multiple vulnerabilities were discovered in libmodule-signature-perl, a Perl module to manipulate CPAN SIGNATURE files. The Common Vulnerabilities and Exposures project identifies the following problems:

- CVE-2015-3406 John Lightsey discovered that Module::Signature could parse the unsigned portion of the SIGNATURE file as the signed portion due to incorrect handling of PGP signature boundaries.

- CVE-2015-3407 John Lightsey discovered that Module::Signature incorrectly handles files that are not listed in the SIGNATURE file. This includes some files in the t/ directory that would execute when tests are run.

- CVE-2015-3408 John Lightsey discovered that Module::Signature uses two-argument open() calls to read the files when generating checksums from the signed manifest. This allows arbitrary shell commands to be embedded in the SIGNATURE file that would execute during the signature verification process.

- CVE-2015-3409 John Lightsey discovered that Module::Signature incorrectly handles module loading, allowing modules to be loaded from relative paths in @INC. A remote attacker providing a malicious module could use this issue to execute arbitrary code during signature verification.
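The CVE-2015-3408 item above turns on a Perl idiom rather than on anything specific to Module::Signature: with the two-argument form of open(), the second argument is a combined mode-and-filename string, so a manifest entry that begins with a pipe character is treated as a command to run instead of a file to read. The following script is an added illustration, not code from Module::Signature or from Debian's patch; the manifest entries and the temporary file are constructed here. It hashes manifest entries the way a checksum pass would, once with the two-argument pattern (only ever called on the benign entry) and once with the three-argument form that takes the name literally, and shows that the hardened form simply fails to open the hostile entry.

```perl
#!/usr/bin/perl
# Added example (not Module::Signature code): two-argument vs
# three-argument open() when hashing files named in a signed manifest.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);
use File::Temp qw(tempdir);

# Vulnerable pattern: the second argument to open() is parsed as
# "mode plus filename". A name such as "| some command" is therefore
# a pipe open and the command executes. Only called on a trusted name
# below, purely to show that it yields the same digest as the safe form.
sub digest_two_arg {
    my ($file) = @_;
    open(my $fh, $file) or return undef;    # mode inferred from $file
    local $/;
    my $data = <$fh> // '';
    close $fh;
    return sha256_hex($data);
}

# Hardened pattern: an explicit read-only mode, so the filename is used
# literally; "|", "<" and ">" inside the name are ordinary characters.
sub digest_three_arg {
    my ($file) = @_;
    open(my $fh, '<', $file) or return undef;
    local $/;
    my $data = <$fh> // '';
    close $fh;
    return sha256_hex($data);
}

# Constructed fixture: a scratch directory with one real file.
my $dir = tempdir(CLEANUP => 1);
chdir $dir or die "chdir: $!";
open(my $out, '>', 'lib.pm') or die "create lib.pm: $!";
print $out "package Example;\n1;\n";
close $out;

# Constructed manifest: one legitimate entry and one that abuses the
# two-argument open() syntax. The "command" here is harmless, and the
# vulnerable routine is deliberately never given this entry.
my @manifest = ('lib.pm', '| echo this-would-run-under-two-arg-open');

# Both forms agree on a normal filename.
my $safe = digest_three_arg('lib.pm');
my $old  = digest_two_arg('lib.pm');
print "lib.pm: digests match\n" if defined $old && $old eq $safe;

# The hardened form treats every manifest entry as a plain path.
for my $entry (@manifest) {
    my $sum = digest_three_arg($entry);
    if (defined $sum) {
        print "$entry SHA256 $sum\n";
    } else {
        print "$entry: cannot open ($!), nothing executed\n";
    }
}
```

Running this prints the digest for lib.pm and, for the hostile entry, a plain "No such file or directory" from the three-argument open(); the same entry passed to the two-argument form would have spawned a shell. Beyond switching to three-argument open(), a verifier that reads a manifest should also reject entries it has no reason to accept (absolute paths, parent-directory components, leading whitespace or shell metacharacters) before touching the filesystem at all.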

Note that libtest-signature-perl received an update for compatibility with the fix for CVE-2015-3407 in libmodule-signature-perl.

Solution

Upgrade the libmodule-signature-perl packages.

For the oldstable distribution (wheezy), these problems have been fixed in version 0.68-1+deb7u2.

For the stable distribution (jessie), these problems have been fixed in version 0.73-1+deb8u1.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783451

https://security-tracker.debian.org/tracker/CVE-2015-3406

https://security-tracker.debian.org/tracker/CVE-2015-3407

https://security-tracker.debian.org/tracker/CVE-2015-3408

https://security-tracker.debian.org/tracker/CVE-2015-3409

https://packages.debian.org/source/wheezy/libmodule-signature-perl

https://packages.debian.org/source/jessie/libmodule-signature-perl

https://www.debian.org/security/2015/dsa-3261

Plugin Details

Severity: High

ID: 83501

File Name: debian_DSA-3261.nasl

Version: 2.7

Type: local

Agent: unix

Published: 5/18/2015

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:libmodule-signature-perl, cpe:/o:debian:debian_linux:7.0, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 5/15/2015

Vulnerability Publication Date: 5/19/2015

Reference Information

CVE: CVE-2015-3406, CVE-2015-3407, CVE-2015-3408, CVE-2015-3409

BID: 73935, 73937

DSA: 3261