[libmodule-signature-perl] 03/04: Backport CVE-2015-3406_CVE-2015-3407_CVE-2015-3408 to squeeze

Santiago Ruano Rincón santiago at moszumanska.debian.org
Tue Jun 30 10:33:26 UTC 2015



santiago pushed a commit to branch squeeze-lts
in repository libmodule-signature-perl.

commit d071e946422a3e9109bbd24a814db1ad770efce4
Author: Santiago Ruano Rincón <santiago at debian.org>
Date:   Mon Jun 29 17:17:41 2015 +0200

    Backport CVE-2015-3406_CVE-2015-3407_CVE-2015-3408 to squeeze
---
 ...CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch | 59 +++++++++++++---------
 1 file changed, 36 insertions(+), 23 deletions(-)

diff --git a/debian/patches/CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch b/debian/patches/CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch
index 80f996f..7af1eab 100644
--- a/debian/patches/CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch
+++ b/debian/patches/CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch
@@ -21,35 +21,48 @@ Applied-Upstream: 0.75
 
 --- a/Makefile.PL
 +++ b/Makefile.PL
-@@ -9,6 +9,7 @@ readme_from     'lib/Module/Signature.pm
+@@ -9,6 +9,7 @@
  repository      'http://github.com/audreyt/module-signature';
  install_script  'script/cpansign';
- build_requires  'Test::More', 0, 'IPC::Run', 0;
+ build_requires  'Test::More';
 +requires        'File::Temp';
  
  # On Win32 (excluding cygwin) we know that IO::Socket::INET,
  # which is needed for keyserver stuff, doesn't work. In fact
 --- a/lib/Module/Signature.pm
 +++ b/lib/Module/Signature.pm
-@@ -57,6 +57,8 @@ sub _cipher_map {
-     my @lines = split /\015?\012/, $sigtext;
-     my %map;
-     for my $line (@lines) {
-+        last if $line eq '-----BEGIN PGP SIGNATURE-----';
-+        next if $line =~ /^---/ .. $line eq '';
-         my($cipher,$digest,$file) = split " ", $line, 3;
-         return unless defined $file;
-         $map{$file} = [$cipher, $digest];
-@@ -65,7 +67,7 @@ sub _cipher_map {
- }
- 
+@@ -52,8 +52,20 @@
+ $AutoKeyRetrieve    = 1;
+ $CanKeyRetrieve     = undef;
+ 
++sub _cipher_map {
++    my($sigtext) = @_;
++    my @lines = split /\015?\012/, $sigtext;
++    my %map;
++    for my $line (@lines) {
++        my($cipher,$digest,$file) = split " ", $line, 3;
++        return unless defined $file;
++        $map{$file} = [$cipher, $digest];
++    }
++    return \%map;
++}
++
  sub verify {
 -    my %args = ( skip => 1, @_ );
 +    my %args = ( @_ );
      my $rv;
  
      (-r $SIGNATURE) or do {
-@@ -177,6 +179,11 @@ sub _fullcheck {
+@@ -66,7 +78,7 @@
+         return SIGNATURE_MALFORMED;
+     };
+ 
+-    (my ($cipher) = ($sigtext =~ /^(\w+) /)) or do {
++    (my ($cipher) = _cipher_map($sigtext)) or do {
+         warn "==> MALFORMED Signature file! <==\n";
+         return SIGNATURE_MALFORMED;
+     };
+@@ -160,6 +172,11 @@
          ($mani, $file) = ExtUtils::Manifest::fullcheck();
      }
      else {
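Review bot: The `_cipher_map` that this backport adds on the new side (the `++sub _cipher_map` block) drops the two guards the previous revision of this same patch carried inside the loop, the removed `last if $line eq '-----BEGIN PGP SIGNATURE-----';` and `next if $line =~ /^---/ .. $line eq '';`, so the new loop takes every line of `$sigtext` as a cipher/digest/file triple until it meets one with fewer than three fields and returns undef, which `verify` then reports as MALFORMED. That fails closed rather than open, but it means the backport is only correct if squeeze's `_read_sigfile` already strips the armor header (`Hash:` line) and stops before the signature block; that sub's hunk is only renumbered here and its body lies outside this view, so I cannot confirm it, and if it does not strip them every genuine SIGNATURE would be rejected. Both lines are no-ops on already-clean input, so I would carry them over verbatim as the first two statements of the `for my $line (@lines)` loop, preceded by `# stop at the detached signature; skip the armor header through its blank line`. The enclosing `verify` and `_fullcheck` subs continue past the end of this hunk.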
@@ -61,7 +74,7 @@ Applied-Upstream: 0.75
          ($mani, $file) = ExtUtils::Manifest::fullcheck();
      }
  
-@@ -222,6 +229,11 @@ sub _verify_gpg {
+@@ -199,6 +216,11 @@
  
      my $keyserver = _keyserver($version);
  
@@ -73,7 +86,7 @@ Applied-Upstream: 0.75
      my @quiet = $Verbose ? () : qw(-q --logger-fd=1);
      my @cmd = (
          qw(gpg --verify --batch --no-tty), @quiet, ($KeyServer ? (
-@@ -229,7 +241,7 @@ sub _verify_gpg {
+@@ -206,7 +228,7 @@
              ($AutoKeyRetrieve and $version ge '1.0.7')
                  ? '--keyserver-options=auto-key-retrieve'
                  : ()
@@ -82,7 +95,7 @@ Applied-Upstream: 0.75
      );
  
      my $output = '';
-@@ -241,6 +253,7 @@ sub _verify_gpg {
+@@ -218,6 +240,7 @@
          my $cmd = join ' ', @cmd;
          $output = `$cmd`;
      }
@@ -90,7 +103,7 @@ Applied-Upstream: 0.75
  
      if( $? ) {
          print STDERR $output;
-@@ -269,7 +282,7 @@ sub _verify_crypt_openpgp {
+@@ -246,7 +269,7 @@
      my $pgp = Crypt::OpenPGP->new(
          ($KeyServer) ? ( KeyServer => $KeyServer, AutoKeyRetrieve => $AutoKeyRetrieve ) : (),
      );
@@ -99,7 +112,7 @@ Applied-Upstream: 0.75
          or die $pgp->errstr;
  
      return SIGNATURE_BAD if (!$rv->{Validity} and $AutoKeyRetrieve);
-@@ -292,32 +305,35 @@ sub _read_sigfile {
+@@ -269,32 +292,35 @@
      my $well_formed;
  
      local *D;
@@ -142,7 +155,7 @@ Applied-Upstream: 0.75
  
      return $ok if $str1 eq $str2;
  
-@@ -328,7 +344,7 @@ sub _compare {
+@@ -305,7 +331,7 @@
      }
      else {
          local (*D, *S);
@@ -151,7 +164,7 @@ Applied-Upstream: 0.75
          open D, "| diff -u $SIGNATURE -" or (warn "Could not call diff: $!", return SIGNATURE_MISMATCH);
          while (<S>) {
              print D $_ if (1 .. /^-----BEGIN PGP SIGNED MESSAGE-----/);
-@@ -391,9 +407,9 @@ sub _sign_gpg {
+@@ -368,9 +394,9 @@
          die "Cannot find $sigfile.tmp, signing aborted.\n";
      };
  
@@ -163,7 +176,7 @@ Applied-Upstream: 0.75
          unlink "$sigfile.tmp";
          die "Could not write to $sigfile: $!";
      };
-@@ -576,7 +592,7 @@ sub _mkdigest_files {
+@@ -531,7 +557,7 @@
          }
          else {
              local *F;



