Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

the last upstream release of libdigest-perl (1.17) contains a fix for an unsafe use of eval [1]: the argument to Digest->new($algo) was not checked properly, allowing code injection (in case the value can be changed by the attacker). Versions in both lenny and squeeze are affected. The security team does not plan to release a DSA; the issue should be fixed via proposed-updates instead.

I prepared updates for both lenny and squeeze (attached).

Regards,
Ansgar

[1] <https://github.com/gisle/digest/commit/33800e83550bcad19c4fc593874ec3497841fa1e>
diff -u libdigest-perl-1.15/debian/changelog libdigest-perl-1.15/debian/changelog --- libdigest-perl-1.15/debian/changelog +++ libdigest-perl-1.15/debian/changelog @@ -1,3 +1,9 @@ +libdigest-perl (1.15-2+lenny1) UNRELEASED; urgency=low + + * Fix unsafe use of eval in Digest->new(). + + -- Ansgar Burchardt <ans...@debian.org> Sun, 02 Oct 2011 23:35:15 +0200 + libdigest-perl (1.15-2) unstable; urgency=low * Fixed debian/watch, as it was too ambitious only in patch2: unchanged: --- libdigest-perl-1.15.orig/Digest.pm +++ libdigest-perl-1.15/Digest.pm @@ -23,7 +23,7 @@ shift; # class ignored my $algorithm = shift; my $impl = $MMAP{$algorithm} || do { - $algorithm =~ s/\W+//; + $algorithm =~ s/\W+//g; "Digest::$algorithm"; }; $impl = [$impl] unless ref($impl); @@ -34,7 +34,9 @@ ($class, @args) = @$class if ref($class); no strict 'refs'; unless (exists ${"$class\::"}{"VERSION"}) { - eval "require $class"; + my $pm_file = $class . ".pm"; + $pm_file =~ s{::}{/}g; + eval { require $pm_file }; if ($@) { $err ||= $@; next; only in patch2: unchanged: --- libdigest-perl-1.15.orig/t/security.t +++ libdigest-perl-1.15/t/security.t @@ -0,0 +1,14 @@ +#!/usr/bin/env perl + +# Digest->new() had an exploitable eval + +use strict; +use warnings; + +use Test::More tests => 1; + +use Digest; + +$LOL::PWNED = 0; +eval { Digest->new(q[MD;5;$LOL::PWNED = 42]) }; +is $LOL::PWNED, 0;
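Review bot: the lenny changelog entry still targets UNRELEASED and does not say where the fix comes from; before the upload to oldstable-proposed-updates set the distribution to lenny (or oldstable) and cite the upstream commit (gisle/digest 33800e8) in the entry, so the package history shows what the one-line "Fix unsafe use of eval in Digest->new()" actually backports.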
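Review bot: the added /g in `$algorithm =~ s/\W+//g` is what stops `MD;5;$LOL::PWNED = 42` from surviving as `MD5;$LOL::PWNED = 42` (without /g only the first `;` was removed and the rest rode into the class name), but the normalisation is still silent: any name that misses `%MMAP` and contains odd characters is quietly rewritten into a different module name and the caller only learns about it through a later "Can't locate ..." error. Consider rejecting, with an explicit error, names that do not have the shape `new()` expects instead of normalising them.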
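Review bot: `eval { require $pm_file };` followed by `if ($@)` can miss a failure when a DESTROY method run during unwinding clears `$@`; the robust form is `eval { require $pm_file; 1 } or do { $err ||= $@ || "unknown error"; next; };`. The switch from string eval to a file-path require is otherwise sound: `require "Digest/MD5.pm"` records `Digest/MD5.pm` in `%INC` exactly as `require Digest::MD5` did, so the `${"$class\::"}{"VERSION"}` short-circuit above it keeps working, and the argument is now data for require() rather than Perl source.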
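Review bot: t/security.t only asserts that the injected assignment did not run; it does not check that `Digest->new` with the hostile name actually fails, nor that a legitimate name still loads, so a change that made `new()` silently return something unusable would pass. Raise `tests => 3` and add `ok $@, 'hostile algorithm name rejected';` after the eval, plus `isa_ok(Digest->new('MD5'), 'Digest::MD5');` (Digest::MD5 is in core, so the test stays self-contained).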
diff -u libdigest-perl-1.16/debian/changelog libdigest-perl-1.16/debian/changelog --- libdigest-perl-1.16/debian/changelog +++ libdigest-perl-1.16/debian/changelog @@ -1,3 +1,9 @@ +libdigest-perl (1.16-1+squeeze1) UNRELEASED; urgency=low + + * Fix unsafe use of eval in Digest->new(). + + -- Ansgar Burchardt <ans...@debian.org> Sun, 02 Oct 2011 23:20:11 +0200 + libdigest-perl (1.16-1) unstable; urgency=low [ gregor herrmann ] only in patch2: unchanged: --- libdigest-perl-1.16.orig/Digest.pm +++ libdigest-perl-1.16/Digest.pm @@ -24,7 +24,7 @@ shift; # class ignored my $algorithm = shift; my $impl = $MMAP{$algorithm} || do { - $algorithm =~ s/\W+//; + $algorithm =~ s/\W+//g; "Digest::$algorithm"; }; $impl = [$impl] unless ref($impl); @@ -35,7 +35,9 @@ ($class, @args) = @$class if ref($class); no strict 'refs'; unless (exists ${"$class\::"}{"VERSION"}) { - eval "require $class"; + my $pm_file = $class . ".pm"; + $pm_file =~ s{::}{/}g; + eval { require $pm_file }; if ($@) { $err ||= $@; next; only in patch2: unchanged: --- libdigest-perl-1.16.orig/t/security.t +++ libdigest-perl-1.16/t/security.t @@ -0,0 +1,14 @@ +#!/usr/bin/env perl + +# Digest->new() had an exploitable eval + +use strict; +use warnings; + +use Test::More tests => 1; + +use Digest; + +$LOL::PWNED = 0; +eval { Digest->new(q[MD;5;$LOL::PWNED = 42]) }; +is $LOL::PWNED, 0;
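Review bot: the squeeze changelog entry still targets UNRELEASED and gives no pointer to the upstream fix; before the upload to stable-proposed-updates set the distribution to squeeze (or stable) and cite the upstream commit (gisle/digest 33800e8) in the entry, so the one-line "Fix unsafe use of eval in Digest->new()" is traceable from the package history.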
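Review bot: `s/\W+//g` is the right minimal change (without /g only the first `;` of `MD;5;$LOL::PWNED = 42` was dropped and the remainder became part of the class name), but it still rewrites unexpected input silently instead of rejecting it; a name that misses `%MMAP` and carries stray characters becomes a different module name and fails later with "Can't locate ...". An explicit check on the expected shape of the name, with a clear error, would report bad input as bad input.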
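Review bot: checking `$@` after `eval { require $pm_file };` can miss a failure if a DESTROY method clears `$@` during unwinding; prefer `eval { require $pm_file; 1 } or do { $err ||= $@ || "unknown error"; next; };`. The block eval over a `Digest/Foo.pm` path is otherwise the correct replacement for the string eval: the name is now an argument to require() and can no longer be compiled as code.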
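Review bot: the new t/security.t checks only that `$LOL::PWNED` stayed 0; it does not assert that the hostile `Digest->new` call died, nor that a valid name still works. Bump `tests => 3` and add `ok $@, 'hostile algorithm name rejected';` after the eval and `isa_ok(Digest->new('MD5'), 'Digest::MD5');` so a regression in either direction is caught.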
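For readers who want to see the injection and the fix side by side, here is a stand-alone re-creation of the two code paths the report describes. It is an added example, not libdigest-perl's own source: `load_unsafe` mirrors the pre-fix handling (first `\W+` run stripped, class name interpolated into a string eval), `load_safe` mirrors the patched handling (every `\W+` run stripped, `::` mapped to `/`, block eval around `require`), and `$Probe::PWNED` is a flag chosen for this example to show whether attacker-supplied code ran.

```perl
#!/usr/bin/env perl
# Added example: minimal re-creation of Digest->new()'s algorithm-name
# handling before and after the fix. Not the libdigest-perl source; the
# two functions and the $Probe::PWNED flag are names chosen for this
# illustration. Needs only core Perl (Digest::MD5 ships with perl).
use strict;
use warnings;

# Flag the injected code tries to set; 0 means no injection happened.
$Probe::PWNED = 0;

# Pre-fix logic: only the FIRST run of non-word characters is stripped,
# then the derived class name is interpolated into a string eval, so
# whatever follows the first separator is compiled and run as Perl.
sub load_unsafe {
    my ($algorithm) = @_;
    $algorithm =~ s/\W+//;                 # no /g: later junk survives
    my $class = "Digest::$algorithm";
    eval "require $class";                 # string eval of attacker text
    return $@ ? undef : $class;
}

# Fixed logic: every non-word character is stripped, the class name is
# turned into a file path and loaded with a block eval, so the argument
# is data handed to require(), never Perl source.
sub load_safe {
    my ($algorithm) = @_;
    $algorithm =~ s/\W+//g;
    my $class   = "Digest::$algorithm";
    my $pm_file = $class . ".pm";
    $pm_file =~ s{::}{/}g;
    eval { require $pm_file; 1 } or return undef;   # robust $@ idiom
    return $class;
}

# Constructed hostile input, same shape as the one in t/security.t.
my $hostile = q[MD;5;$Probe::PWNED = 42];

load_unsafe($hostile);
printf "unsafe: PWNED=%d (injected assignment ran)\n", $Probe::PWNED;

$Probe::PWNED = 0;
my $class = load_safe($hostile);
printf "safe:   PWNED=%d loaded=%s\n",
    $Probe::PWNED, defined $class ? $class : 'none';
# The hostile name collapses to Digest::MD5ProbePWNED42 and simply fails.

# A legitimate name still resolves as before.
my $ok = load_safe('MD5');
printf "safe:   MD5 -> %s\n", defined $ok ? $ok : 'none';
```

Run it with `perl` from any directory; the unsafe path prints `PWNED=42` because the string eval executes `require Digest::MD5;$Probe::PWNED = 42`, while the safe path leaves the flag at 0 and reports that no module was loaded for the hostile name, yet still returns `Digest::MD5` for `MD5`.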