==== debian/control ====
Source: libmodule-signature-perl
Section: perl
Priority: optional
Build-Depends: debhelper (>= 8)
Build-Depends-Indep: perl
Maintainer: Ubuntu Developers
XSBC-Original-Maintainer: Debian Perl Group
Uploaders: Krzysztof Krzyżaniak (eloy), gregor herrmann, Jonathan Yu, Jotam Jr. Trejo
Standards-Version: 3.9.4
Homepage: https://metacpan.org/release/Module-Signature/
Vcs-Git: git://anonscm.debian.org/pkg-perl/packages/libmodule-signature-perl.git
Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libmodule-signature-perl.git

Package: libmodule-signature-perl
Architecture: all
Depends: ${misc:Depends}, ${perl:Depends}
Recommends: gnupg | gnupg2
Description: module to manipulate CPAN SIGNATURE files
 Module::Signature is a Perl module that adds cryptographic authentication
 to CPAN distributions, via the special SIGNATURE file. It also includes
 various tools to sign distributions and to verify signatures, and supports
 using many different cryptographic hashing algorithms.

==== debian/changelog ====
libmodule-signature-perl (0.73-1ubuntu0.14.04.1) trusty-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution and incorrect signature
    verification
    - debian/patches/CVE-2015-340x.patch: properly handle temp files and
      headers in lib/Module/Signature.pm, Makefile.PL.
    - debian/patches/CVE-2015-3409.patch: don't load modules from relative
      paths in lib/Module/Signature.pm.
    - CVE-2015-3406
    - CVE-2015-3407
    - CVE-2015-3408
    - CVE-2015-3409

 -- Marc Deslauriers  Fri, 24 Apr 2015 11:58:37 -0400

libmodule-signature-perl (0.73-1) unstable; urgency=low

  * Team upload.

  [ Ansgar Burchardt ]
  * debian/control: Convert Vcs-* fields to Git.

  [ Salvatore Bonaccorso ]
  * Imported Upstream version 0.73
    - Fixes CVE-2013-2145: arbitrary code execution when verifying SIGNATURE
      (Closes: #711239).
  * Change Vcs-Git to canonical URI (git://anonscm.debian.org)
  * Change search.cpan.org based URIs to metacpan.org based URIs
  * Update debian/copyright file information.
    Update format to copyright-format 1.0 as released together with Debian
    policy 3.9.3.
    Update copyright years for included copy of Module::Install.
    Add missing stanza for ReadmeFromPod.pm (from
    Module::Install::ReadmeFromPod).
  * Bump Standards-Version to 3.9.4
  * Add an alternative Recommends on gnupg2

 -- Salvatore Bonaccorso  Fri, 07 Jun 2013 23:16:42 +0200

libmodule-signature-perl (0.68-1) unstable; urgency=low

  [ Jotam Jr. Trejo ]
  * New upstream release
  * Bump DH compat level to 8

  [ gregor herrmann ]
  * Don't run test that needs network access.
  * Clean up (build) dependencies.

 -- Jotam Jr. Trejo  Fri, 13 May 2011 21:19:36 -0600

libmodule-signature-perl (0.67-1) unstable; urgency=low

  [ Jotam Jr. Trejo ]
  * New upstream release
  * debian/control: add libipc-run-perl to B-D-I, needed for some tests
  * debian/copyright: refresh according to DEP 5 revision 135
  * debian/control: bump Standards Version to 3.9.2 (no changes)
  * Add myself to Uploaders and Copyright

  [ Ansgar Burchardt ]
  * debian/copyright: Update gregor herrmann's email address.

 -- Jotam Jr. Trejo  Sat, 23 Apr 2011 17:50:09 -0600

libmodule-signature-perl (0.66-2) unstable; urgency=low

  [ Peter Pentchev ]
  * Team upload.
  * Install the t/0-signature.t file as an example. Closes: #606974

  [ gregor herrmann ]
  * debian/copyright: update license stanzas.
  * debian/control: remove "perl (>= 5.10) | libdigest-sha-perl" from
    (Build-)Depends(-Indep), lenny has already perl 5.10.
 -- Peter Pentchev  Mon, 13 Dec 2010 18:00:25 +0200

libmodule-signature-perl (0.66-1) unstable; urgency=low

  * New upstream release
  * debian/control: update Standards-Version to 3.9.1 without any changes

 -- Krzysztof Krzyżaniak (eloy)  Mon, 27 Sep 2010 17:55:15 +0200

libmodule-signature-perl (0.64-1) UNRELEASED; urgency=low

  Changes to source package only; no longer creates GnuPG configuration
  files when 'Makefile.PL' is invoked. No urgent need for upload, binaries
  wouldn't differ.
  IGNORE-VERSION: 0.64-1

  * New upstream release

 -- Jonathan Yu  Sun, 09 May 2010 08:10:03 -0400

libmodule-signature-perl (0.63-1) unstable; urgency=low

  [ Jonathan Yu ]
  * New upstream release
  * No longer needs --with quilt
  * Update copyright information

  [ Krzysztof Krzyżaniak (eloy) ]
  * New upstream release
  * debian/control: update Standards-Version to 3.8.4 without any changes
  * debian/copyright: update dates
  * debian/source/format: created with value "3.0 (quilt)"
  * debian/README.source removed since new package type
  * debian/patches: removed, fixed upstream

 -- Jonathan Yu  Wed, 07 Apr 2010 12:14:53 -0400

libmodule-signature-perl (0.61-1) unstable; urgency=low

  [ Jonathan Yu ]
  * New upstream release
  * Use new short debhelper rules format
  * Add myself to Uploaders and Copyright
  * Rewrite control description
  * Update copyright information (we're now using CC0)
  * Upgrade to debhelper 7.2.13 (for Module::AutoInstall)
  * Refresh keyserver.patch; add header
  * Remove unnecessary build dependencies

  [ gregor herrmann ]
  * Add debian/README.source to document quilt usage, as required by
    Debian Policy since 3.8.0.
  * debian/control: Changed: Switched Vcs-Browser field to ViewSVN
    (source stanza).
  * debian/control: Added: ${misc:Depends} to Depends: field.
  * Change my email address.

  [ Nathan Handler ]
  * debian/watch: Update to ignore development releases.
 -- Jonathan Yu  Mon, 30 Nov 2009 15:57:30 -0500

libmodule-signature-perl (0.55-2) unstable; urgency=low

  * debian/control: Added: Vcs-Svn field (source stanza); Vcs-Browser
    field (source stanza); Homepage field (source stanza). Removed:
    XS-Vcs-Svn fields.
  * debian/rules:
    - delete /usr/lib/perl5 only if it exists (closes: #467870)
    - update based on dh-make-perl's templates
    - don't install README any more (no additional information)
  * debian/watch: use dist-based URL.
  * Set Standards-Version to 3.7.3 (no changes).
  * Add debian/compat instead of setting DH_COMPAT in debian/rules.
  * debian/copyright: add download URL and copy copyright/license terms
    verbatim from README to match reality.
  * Split the changes regarding the default keyserver (cf. #293080) out to
    keyserver.patch; and don't change the keyserver only in the test (which
    isn't actually run because it would fail due to the patch -- d'oh) but
    also in the module (and its documentation) itself, which was the
    intention of the bug submitter ... Add quilt framework.

 -- gregor herrmann  Sun, 09 Mar 2008 00:16:07 +0100

libmodule-signature-perl (0.55-1) unstable; urgency=low

  * New upstream release
  * debian/control:
    + Standards-Version: increased to 3.7.2.1

 -- Krzysztof Krzyzaniak (eloy)  Wed, 2 Aug 2006 16:13:43 +0200

libmodule-signature-perl (0.54-1) unstable; urgency=low

  * New upstream release.
  * Standard-Version upgraded to 3.7.2 (no changes needed).
  * Debhelper compatibility level upgraded to 5.
  * Move several dependencies to Build-Depends-Indep, as required by Policy.
  * Remove empty /usr/lib/perl5 directory from package.
 -- gregor herrmann  Sun, 14 May 2006 01:45:03 +0200

libmodule-signature-perl (0.53-1) unstable; urgency=low

  * New upstream release, taking package for Perl Group (closes: #329595)
    (closes: #357075)
  * debian/watch - added
  * debian/control:
    - Standards-Version: upgraded to 3.6.2
    - Uploaders: added me
    - Maintainer: set to Debian Perl Group
    - libdigest-sha-perl added to dependencies
  * debian/rules:
    - compat increased to 4
    - added PERL_MM_USE_DEFAULT=1

 -- Krzysztof Krzyzaniak (eloy)  Wed, 15 Mar 2006 17:18:22 +0100

libmodule-signature-perl (0.44-3) unstable; urgency=low

  * Re-upload with full source, as the 0.44-1 upload was borked so the
    0.44-2 upload was refused.

 -- Chip Salzenberg  Fri, 8 Apr 2005 18:28:23 -0400

libmodule-signature-perl (0.44-2) unstable; urgency=low

  * Default to 'subkeys.pgp.net', not 'pgp.mit.edu'. (closes: #293080)
  * Clean up dependencies.

 -- Chip Salzenberg  Fri, 8 Apr 2005 17:42:20 -0400

libmodule-signature-perl (0.44-1) unstable; urgency=medium

  * New upstream release.

 -- Chip Salzenberg  Tue, 8 Mar 2005 12:43:12 -0500

libmodule-signature-perl (0.35-2) unstable; urgency=high

  * Fix Build-Depends by deleting my hacked dpkg-source.

 -- Chip Salzenberg  Sun, 5 Oct 2003 21:45:16 -0400

libmodule-signature-perl (0.35-1) unstable; urgency=low

  * New upstream release.

 -- Chip Salzenberg  Fri, 3 Oct 2003 19:30:47 -0400

libmodule-signature-perl (0.26-1) unstable; urgency=low

  * New upstream release.

 -- Chip Salzenberg  Thu, 24 Jul 2003 18:12:17 -0400

libmodule-signature-perl (0.21-1) unstable; urgency=low

  * Initial Release.

 -- Chip Salzenberg  Sat, 15 Feb 2003 15:18:20 -0500

==== debian/source/format ====
3.0 (quilt)

==== debian/compat ====
8

==== debian/patches/CVE-2015-340x.patch ====
From 8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f Mon Sep 17 00:00:00 2001 From: Audrey Tang Date: Sun, 5 Apr 2015 16:05:20 +0800 Subject: [PATCH] * Fix issues reported by John Lightsey --- Makefile.PL | 1 + README | 2 +- lib/Module/Signature.pm | 48 ++++++++++++++++++++++++++++++++---------------- 3 files changed, 34 insertions(+), 17 deletions(-) Index: libmodule-signature-perl-0.73/Makefile.PL =================================================================== --- libmodule-signature-perl-0.73.orig/Makefile.PL 2015-04-24 11:45:43.826441951 -0400 +++ libmodule-signature-perl-0.73/Makefile.PL 2015-04-24 11:45:43.822441785 -0400 @@ -10,6 +10,7 @@ repository 'http://github.com/audreyt/module-signature'; install_script 'script/cpansign'; build_requires 'Test::More', 0, 'IPC::Run', 0; +requires 'File::Temp'; # On Win32 (excluding cygwin) we know that IO::Socket::INET, # which is needed for keyserver stuff, doesn't work. In fact Index: libmodule-signature-perl-0.73/lib/Module/Signature.pm =================================================================== --- libmodule-signature-perl-0.73.orig/lib/Module/Signature.pm 2015-04-24 11:45:43.826441951 -0400 +++ libmodule-signature-perl-0.73/lib/Module/Signature.pm 2015-04-24 11:45:43.822441785 -0400 @@ -57,6 +57,8 @@ my @lines = split /\015?\012/, $sigtext; my %map; for my $line (@lines) { + last if $line eq '-----BEGIN PGP SIGNATURE-----'; + next if $line =~ /^---/ .. $line eq ''; my($cipher,$digest,$file) = split " ", $line, 3; return unless defined $file; $map{$file} = [$cipher, $digest]; @@ -65,7 +67,7 @@ } sub verify { - my %args = ( skip => 1, @_ ); + my %args = ( @_ ); my $rv; (-r $SIGNATURE) or do { @@ -178,6 +180,11 @@ ($mani, $file) = ExtUtils::Manifest::fullcheck(); } else { + my $_maniskip = &ExtUtils::Manifest::maniskip; + local *ExtUtils::Manifest::maniskip = sub { sub { + return unless $skip; + return $_maniskip->(@_); + } }; ($mani, $file) = ExtUtils::Manifest::fullcheck(); } 
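Review bot: in the @@ -178,6 +180,11 @@ hunk, `my $_maniskip = &ExtUtils::Manifest::maniskip;` uses the `&name;` call form, which passes the enclosing sub's @_ through unchanged, and the first argument of ExtUtils::Manifest::maniskip is the name of the skip file to read; call it as `ExtUtils::Manifest::maniskip()` so the default MANIFEST.SKIP is consulted regardless of the arguments the enclosing sub received. The `local *ExtUtils::Manifest::maniskip` override is otherwise fine, but a short comment stating that it makes fullcheck() report files hidden by MANIFEST.SKIP whenever `$skip` is false would help, since `$skip` is not defined anywhere in this hunk and the @@ -65,7 +67,7 @@ hunk removes its former default (`skip => 1`).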
@@ -237,6 +244,11 @@ my $keyserver = _keyserver($version); + require File::Temp; + my $fh = File::Temp->new(); + print $fh $sigtext; + close $fh; + my $gpg = _which_gpg(); my @quiet = $Verbose ? () : qw(-q --logger-fd=1); my @cmd = ( @@ -245,7 +257,7 @@ ($AutoKeyRetrieve and $version ge '1.0.7') ? '--keyserver-options=auto-key-retrieve' : () - ) : ()), $SIGNATURE + ) : ()), $fh->filename ); my $output = ''; @@ -257,6 +269,7 @@ my $cmd = join ' ', @cmd; $output = `$cmd`; } + unlink $fh->filename; if( $? ) { print STDERR $output; @@ -285,7 +298,7 @@ my $pgp = Crypt::OpenPGP->new( ($KeyServer) ? ( KeyServer => $KeyServer, AutoKeyRetrieve => $AutoKeyRetrieve ) : (), ); - my $rv = $pgp->handle( Filename => $SIGNATURE ) + my $rv = $pgp->handle( Data => $sigtext ) or die $pgp->errstr; return SIGNATURE_BAD if (!$rv->{Validity} and $AutoKeyRetrieve); @@ -308,32 +321,35 @@ my $well_formed; local *D; - open D, $sigfile or die "Could not open $sigfile: $!"; + open D, "< $sigfile" or die "Could not open $sigfile: $!"; if ($] >= 5.006 and =~ /\r/) { close D; - open D, $sigfile or die "Could not open $sigfile: $!"; + open D, '<', $sigfile or die "Could not open $sigfile: $!"; binmode D, ':crlf'; } else { close D; - open D, $sigfile or die "Could not open $sigfile: $!"; + open D, "< $sigfile" or die "Could not open $sigfile: $!"; } + my $begin = "-----BEGIN PGP SIGNED MESSAGE-----\n"; + my $end = "-----END PGP SIGNATURE-----\n"; while () { - next if (1 .. /^-----BEGIN PGP SIGNED MESSAGE-----/); - last if /^-----BEGIN PGP SIGNATURE/; - + next if (1 .. ($_ eq $begin)); $signature .= $_; + return "$begin$signature" if $_ eq $end; } - return ((split(/\n+/, $signature, 2))[1]); + return; } sub _compare { my ($str1, $str2, $ok) = @_; # normalize all linebreaks + $str1 =~ s/^-----BEGIN PGP SIGNED MESSAGE-----\n(?:.+\n)*\n//; $str1 =~ s/[^\S ]+/\n/g; $str2 =~ s/[^\S ]+/\n/g; + $str1 =~ s/-----BEGIN PGP SIGNATURE-----\n(?:.+\n)*$//; return $ok if $str1 eq $str2; 
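Review bot: in the @@ -237,6 +244,11 @@ and @@ -245,7 +257,7 @@ hunks the signature text is written to a File::Temp file and `$fh->filename` replaces `$SIGNATURE` in @cmd, but the fallback branch visible in the @@ -257,6 +269,7 @@ hunk still does `my $cmd = join ' ', @cmd; $output = `$cmd`;`, so the temporary path is interpolated into a shell command unquoted; File::Temp chooses a safe basename, but the directory comes from the environment (TMPDIR) and may contain spaces or shell metacharacters, so quote the filename in that branch. The explicit `unlink $fh->filename;` is redundant with File::Temp's own cleanup on destruction but harmless; a comment noting that the file is removed before `$?` is examined would make the intent clear.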
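Review bot: the @@ -308,32 +321,35 @@ hunk mixes the two-argument `open D, "< $sigfile"` with the three-argument `open D, '<', $sigfile` a few lines later; use the three-argument form for all three opens, since the two-argument form still strips surrounding whitespace from the filename. The same applies to the `open S, "< $SIGNATURE"`, `open D, "< $sigfile.tmp"`, `open S, "> $sigfile"` and `open F, "< $file"` changes in the later hunks. Also, the rewritten read loop returns `"$begin$signature"` only once the END line is seen and otherwise falls through to the new bare `return;`, so a SIGNATURE file truncated before `-----END PGP SIGNATURE-----` now yields nothing instead of a partial body; that is the right behaviour, and a one-line comment on the loop saying so would save the next reader from re-deriving it.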
@@ -344,7 +360,7 @@ } else { local (*D, *S); - open S, $SIGNATURE or die "Could not open $SIGNATURE: $!"; + open S, "< $SIGNATURE" or die "Could not open $SIGNATURE: $!"; open D, "| diff -u $SIGNATURE -" or (warn "Could not call diff: $!", return SIGNATURE_MISMATCH); while () { print D $_ if (1 .. /^-----BEGIN PGP SIGNED MESSAGE-----/); @@ -409,9 +425,9 @@ die "Cannot find $sigfile.tmp, signing aborted.\n"; }; - open D, "$sigfile.tmp" or die "Cannot open $sigfile.tmp: $!"; + open D, "< $sigfile.tmp" or die "Cannot open $sigfile.tmp: $!"; - open S, ">$sigfile" or do { + open S, "> $sigfile" or do { unlink "$sigfile.tmp"; die "Could not write to $sigfile: $!"; }; @@ -594,7 +610,7 @@ } else { local *F; - open F, $file or die "Cannot open $file for reading: $!"; + open F, "< $file" or die "Cannot open $file for reading: $!"; if (-B $file) { binmode(F); $obj->addfile(*F);

==== debian/patches/series ====
CVE-2015-340x.patch
CVE-2015-3409.patch

==== debian/patches/CVE-2015-3409.patch ====
From c41e8885b862b9fce2719449bc9336f0bea658ef Mon Sep 17 00:00:00 2001 From: Audrey Tang Date: Tue, 7 Apr 2015 02:37:28 +0800 Subject: [PATCH] * Avoid loading modules from relative paths in @INC for Text::Diff etc. Also reported by John Lightsey. --- lib/Module/Signature.pm | 2 ++ 1 file changed, 2 insertions(+) Index: libmodule-signature-perl-0.73/lib/Module/Signature.pm =================================================================== --- libmodule-signature-perl-0.73.orig/lib/Module/Signature.pm 2015-04-24 11:45:51.202745287 -0400 +++ libmodule-signature-perl-0.73/lib/Module/Signature.pm 2015-04-24 11:45:51.198745125 -0400
@@ -118,6 +118,8 @@ my $sigtext = shift || ''; my $plaintext = shift || ''; + # Avoid loading modules from relative paths in @INC. + local @INC = grep { File::Spec->file_name_is_absolute($_) } @INC; local $SIGNATURE = $signature if $signature ne $SIGNATURE; if ($AutoKeyRetrieve and !$CanKeyRetrieve) {

==== debian/libmodule-signature-perl.examples ====
t/0-signature.t

==== debian/copyright ====
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: Module-Signature
Upstream-Contact: 唐鳳 (Audrey Tang)
Source: https://metacpan.org/release/Module-Signature/

Files: *
Copyright: 2002-2006, Audrey Tang
License: CC0
Comment: this was the copyright statement formerly used with this package;
 it has since been removed now that it is licensed as CC0

Files: inc/Module/*
Copyright: 2008-2012, Adam Kennedy
 2002-2012, Audrey Tang
 2002-2012, Brian Ingerson
License: Artistic or GPL-1+

Files: inc/Module/Install/ReadmeFromPod.pm
Copyright: Chris Williams
License: Artistic or GPL-1+

Files: debian/*
Copyright: 2003-2005, Chip Salzenberg
 2006-2008, gregor herrmann
 2006,2010, Krzysztof Krzyżaniak (eloy)
 2009-2010, Jonathan Yu
 2010, Peter Pentchev
 2011, Jotam Jr. Trejo
License: Artistic or GPL-1+

License: Artistic
 This program is free software; you can redistribute it and/or modify
 it under the terms of the Artistic License, which comes with Perl.
 .
 On Debian systems, the complete text of the Artistic License can be
 found in `/usr/share/common-licenses/Artistic'.

License: CC0
 The laws of most jurisdictions throughout the world automatically confer
 exclusive Copyright and Related Rights (defined below) upon the creator
 and subsequent owner(s) (each and all, an "owner") of an original work of
 authorship and/or a database (each, a "Work").
 .
 Certain owners wish to permanently relinquish those rights to a Work for
 the purpose of contributing to a commons of creative, cultural and
 scientific works ("Commons") that the public can reliably and without fear
 of later claims of infringement build upon, modify, incorporate in other
 works, reuse and redistribute as freely as possible in any form whatsoever
 and for any purposes, including without limitation commercial purposes.
 These owners may contribute to the Commons to promote the ideal of a free
 culture and the further production of creative, cultural and scientific
 works, or to gain reputation or greater distribution for their Work in
 part through the use and efforts of others.
 .
 For these and/or other purposes and motivations, and without any
 expectation of additional consideration or compensation, the person
 associating CC0 with a Work (the "Affirmer"), to the extent that he or she
 is an owner of Copyright and Related Rights in the Work, voluntarily
 elects to apply CC0 to the Work and publicly distribute the Work under its
 terms, with knowledge of his or her Copyright and Related Rights in the
 Work and the meaning and intended legal effect of CC0 on those rights.
 .
 1. Copyright and Related Rights. A Work made available under CC0 may be
 protected by copyright and related or neighboring rights ("Copyright and
 Related Rights"). Copyright and Related Rights include, but are not
 limited to, the following:
 .
   1. the right to reproduce, adapt, distribute, perform, display,
      communicate, and translate a Work;
   2. moral rights retained by the original author(s) and/or performer(s);
   3. publicity and privacy rights pertaining to a person's image or
      likeness depicted in a Work;
   4. rights protecting against unfair competition in regards to a Work,
      subject to the limitations in paragraph 4(a), below;
   5. rights protecting the extraction, dissemination, use and reuse of
      data in a Work;
   6. database rights (such as those arising under Directive 96/9/EC of
      the European Parliament and of the Council of 11 March 1996 on the
      legal protection of databases, and under any national implementation
      thereof, including any amended or successor version of such
      directive); and
   7. other similar, equivalent or corresponding rights throughout the
      world based on applicable law or treaty, and any national
      implementations thereof.
 .
 2. Waiver. To the greatest extent permitted by, but not in contravention
 of, applicable law, Affirmer hereby overtly, fully, permanently,
 irrevocably and unconditionally waives, abandons, and surrenders all of
 Affirmer's Copyright and Related Rights and associated claims and causes
 of action, whether now known or unknown (including existing as well as
 future claims and causes of action), in the Work
 .
 (i) in all territories worldwide, (ii) for the maximum duration provided
 by applicable law or treaty (including future time extensions), (iii) in
 any current or future medium and for any number of copies, and (iv) for
 any purpose whatsoever, including without limitation commercial,
 advertising or promotional purposes (the "Waiver"). Affirmer makes the
 Waiver for the benefit of each member of the public at large and to the
 detriment of Affirmer's heirs and successors, fully intending that such
 Waiver shall not be subject to revocation, rescission, cancellation,
 termination, or any other legal or equitable action to disrupt the quiet
 enjoyment of the Work by the public as contemplated by Affirmer's express
 Statement of Purpose.
 .
 3. Public License Fallback. Should any part of the Waiver for any reason
 be judged legally invalid or ineffective under applicable law, then the
 Waiver shall be preserved to the maximum extent permitted taking into
 account Affirmer's express Statement of Purpose. In addition, to the
 extent the Waiver is so judged Affirmer hereby grants to each affected
 person a royalty-free, non transferable, non sublicensable, non
 exclusive, irrevocable and unconditional license to exercise Affirmer's
 Copyright and Related Rights in the Work
 .
 (i) in all territories worldwide, (ii) for the maximum duration provided
 by applicable law or treaty (including future time extensions), (iii) in
 any current or future medium and for any number of copies, and (iv) for
 any purpose whatsoever, including without limitation commercial,
 advertising or promotional purposes (the "License"). The License shall be
 deemed effective as of the date CC0 was applied by Affirmer to the Work.
 Should any part of the License for any reason be judged legally invalid
 or ineffective under applicable law, such partial invalidity or
 ineffectiveness shall not invalidate the remainder of the License, and in
 such case Affirmer hereby affirms that he or she will not
 .
 (i) exercise any of his or her remaining Copyright and Related Rights in
 the Work or (ii) assert any associated claims and causes of action with
 respect to the Work, in either case contrary to Affirmer's express
 Statement of Purpose.
 .
 4. Limitations and Disclaimers.
 .
   1. No trademark or patent rights held by Affirmer are waived, abandoned,
      surrendered, licensed or otherwise affected by this document.
   2. Affirmer offers the Work as-is and makes no representations or
      warranties of any kind concerning the Work, express, implied,
      statutory or otherwise, including without limitation warranties of
      title, merchantability, fitness for a particular purpose, non
      infringement, or the absence of latent or other defects, accuracy, or
      the present or absence of errors, whether or not discoverable, all to
      the greatest extent permissible under applicable law.
   3. Affirmer disclaims responsibility for clearing rights of other
      persons that may apply to the Work or any use thereof, including
      without limitation any person's Copyright and Related Rights in the
      Work. Further, Affirmer disclaims responsibility for obtaining any
      necessary consents, permissions or other rights required for any use
      of the Work.
   4. Affirmer understands and acknowledges that Creative Commons is not a
      party to this document and has no duty or obligation with respect to
      this CC0 or use of the Work.

License: GPL-1+
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 1, or (at your option)
 any later version.
 .
 On Debian systems, the complete text of version 1 of the GNU General
 Public License can be found in `/usr/share/common-licenses/GPL-1'.

==== debian/watch ====
version=3
https://metacpan.org/release/Module-Signature/ .*/Module-Signature-v?(\d[\d.]+)\.(?:tar(?:\.gz|\.bz2)?|tgz|zip)

==== debian/rules ====
#!/usr/bin/make -f

TEST_FILES= $(filter-out t/3-verify.t,$(shell echo t/*.t))

%:
	dh $@

override_dh_auto_test:
	dh_auto_test -- TEST_FILES="$(TEST_FILES)"