GLSA-201310-01 : Perl Module-Signature module: Arbitrary code execution

Medium Nessus Plugin ID 70307


The remote Gentoo host is missing one or more security-related patches.


The remote host is affected by the vulnerability described in GLSA-201310-01 (Perl Module-Signature module: Arbitrary code execution)

The ‘cpansign verify’ command will automatically download keys and use them to check the signature of CPAN packages via the SIGNATURE file. Besides the PGP signature itself, the SIGNATURE file lists every file in the distribution together with its digest and the name of the hashing algorithm that produced it (e.g. SHA1).
If an attacker were to replace this algorithm name (SHA1) with an unknown one (e.g. ‘Special’) and were to include in the distribution a matching module under ‘Digest/’, the code in that Perl module would be executed when ‘cpansign verify’ is run: the algorithm name is turned into a ‘Digest::’ module name and loaded with the current directory, i.e. the unpacked distribution, on Perl’s module search path.
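The mechanism above, as an added example that is not Module::Signature's own code: it parses the per-file digest lines of a constructed SIGNATURE, shows how the algorithm column becomes a ‘Digest/’ module path in the vulnerable pattern, and resolves the name through an allowlist instead, with the current directory removed from the search path before anything is loaded. The %ALLOWED table, the sub names and the sample digests are assumptions for illustration; that @INC ended with ‘.’ on the perls of the time is a fact about Perl before 5.26.

```perl
#!/usr/bin/perl
# Added example, not code from Module::Signature: parses the per-file
# digest lines of a SIGNATURE file and contrasts turning the algorithm
# column into a module path (the CVE-2013-2145 pattern) with resolving
# it through an allowlist.  The SIGNATURE content below is constructed.
use strict;
use warnings;
use feature 'say';

# Constructed sample of the digest section of a SIGNATURE file.  Each line
# is "<algorithm> <hex digest> <path>".  The last line names an algorithm
# no verifier should know about, as the advisory describes.
my $signature_body = <<'END';
SHA1 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 Changes
SHA1 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3 MANIFEST
Special 0000000000000000000000000000000000000000 lib/Foo.pm
END

# Algorithms a hardened verifier agrees to handle, and the core module
# that implements each (assumed table).  Anything not listed is rejected.
my %ALLOWED = (
    SHA1   => 'Digest::SHA',
    SHA256 => 'Digest::SHA',
    MD5    => 'Digest::MD5',
);

sub parse_signature {
    my ($text) = @_;
    my @entries;
    for my $line (split /\n/, $text) {
        next unless $line =~ /^(\w+)\s+([0-9a-f]+)\s+(\S.*)$/;
        push @entries, { alg => $1, digest => $2, file => $3 };
    }
    return \@entries;
}

# Vulnerable pattern: the attacker-controlled algorithm column becomes a
# file name that require() searches for along @INC.  On the perls of
# 2013, @INC ended with '.', so a Digest/ directory inside the unpacked
# distribution is searched too.  This sub only computes the path; it
# deliberately does not require it.
sub vulnerable_module_path {
    my ($alg) = @_;
    return "Digest/$alg.pm";
}

# Hardened pattern: look the name up; never derive a path from input.
sub hardened_module_for {
    my ($alg) = @_;
    return $ALLOWED{$alg};        # undef for anything unknown
}

# Load an allowlisted module with the current directory dropped from the
# search path, so that even an allowed name cannot be shadowed by a file
# shipped in the distribution.  Returns the module name, or undef.
sub load_digest_module {
    my ($alg) = @_;
    my $mod = hardened_module_for($alg) or return;
    local @INC = grep { $_ ne '.' } @INC;
    (my $file = "$mod.pm") =~ s{::}{/}g;
    require $file;
    return $mod;
}

# Return the entries whose algorithm the hardened verifier rejects.
sub rejected_entries {
    my ($entries) = @_;
    return [ grep { !defined hardened_module_for($_->{alg}) } @$entries ];
}

if (!caller) {
    my $entries = parse_signature($signature_body);
    for my $e (@$entries) {
        my $unsafe = vulnerable_module_path($e->{alg});
        my $safe   = hardened_module_for($e->{alg}) // 'REJECTED';
        printf "%-8s %-12s unsafe -> require '%s'   hardened -> %s\n",
            $e->{alg}, $e->{file}, $unsafe, $safe;
    }
    my $bad = rejected_entries($entries);
    say scalar(@$bad), " entr", (@$bad == 1 ? 'y' : 'ies'), " rejected";
    my $mod = load_digest_module('SHA1');
    say "loaded $mod ", $mod->VERSION;
}
```

Run it as a plain script; the ‘Special’ line is reported as rejected and only Digest::SHA is ever loaded. The design point is that the algorithm column is data, not a module name: an allowlist keyed on that data, plus a search path that cannot reach the distribution's own files, closes both the unknown-algorithm case the advisory describes and the shadowing of a known one.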
Impact :

A remote attacker could possibly execute arbitrary code with the privileges of the process.
Workaround :

There is no known workaround at this time.


All users of the Module-Signature Perl module should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-perl/Module-Signature-0.720.0'


Plugin Details

Severity: Medium

ID: 70307

File Name: gentoo_GLSA-201310-01.nasl

Version: $Revision: 1.4 $

Type: local

Published: 2013/10/06

Modified: 2015/04/13

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 4.4

Temporal Score: 3.8

Vector: CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:Module-Signature, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2013/10/04

Reference Information

CVE: CVE-2013-2145

BID: 60352

OSVDB: 94060

GLSA: 201310-01