[libmodule-signature-perl] 03/04: Backport CVE-2015-3406_CVE-2015-3407_CVE-2015-3408 to squeeze
Santiago Ruano Rincón
santiago at moszumanska.debian.org
Tue Jun 30 10:33:26 UTC 2015
This is an automated email from the git hooks/post-receive script.
santiago pushed a commit to branch squeeze-lts
in repository libmodule-signature-perl.
commit d071e946422a3e9109bbd24a814db1ad770efce4
Author: Santiago Ruano Rincón <santiago at debian.org>
Date: Mon Jun 29 17:17:41 2015 +0200
Backport CVE-2015-3406_CVE-2015-3407_CVE-2015-3408 to squeeze
---
...CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch | 59 +++++++++++++---------
1 file changed, 36 insertions(+), 23 deletions(-)
diff --git a/debian/patches/CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch b/debian/patches/CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch
index 80f996f..7af1eab 100644
--- a/debian/patches/CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch
+++ b/debian/patches/CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch
@@ -21,35 +21,48 @@ Applied-Upstream: 0.75
--- a/Makefile.PL
+++ b/Makefile.PL
-@@ -9,6 +9,7 @@ readme_from 'lib/Module/Signature.pm
+@@ -9,6 +9,7 @@
repository 'http://github.com/audreyt/module-signature';
install_script 'script/cpansign';
- build_requires 'Test::More', 0, 'IPC::Run', 0;
+ build_requires 'Test::More';
+requires 'File::Temp';
# On Win32 (excluding cygwin) we know that IO::Socket::INET,
# which is needed for keyserver stuff, doesn't work. In fact
--- a/lib/Module/Signature.pm
+++ b/lib/Module/Signature.pm
-@@ -57,6 +57,8 @@ sub _cipher_map {
- my @lines = split /\015?\012/, $sigtext;
- my %map;
- for my $line (@lines) {
-+ last if $line eq '-----BEGIN PGP SIGNATURE-----';
-+ next if $line =~ /^---/ .. $line eq '';
- my($cipher,$digest,$file) = split " ", $line, 3;
- return unless defined $file;
- $map{$file} = [$cipher, $digest];
-@@ -65,7 +67,7 @@ sub _cipher_map {
- }
-
+@@ -52,8 +52,20 @@
+ $AutoKeyRetrieve = 1;
+ $CanKeyRetrieve = undef;
+
++sub _cipher_map {
++ my($sigtext) = @_;
++ my @lines = split /\015?\012/, $sigtext;
++ my %map;
++ for my $line (@lines) {
++ my($cipher,$digest,$file) = split " ", $line, 3;
++ return unless defined $file;
++ $map{$file} = [$cipher, $digest];
++ }
++ return \%map;
++}
++
sub verify {
- my %args = ( skip => 1, @_ );
+ my %args = ( @_ );
my $rv;
(-r $SIGNATURE) or do {
-@@ -177,6 +179,11 @@ sub _fullcheck {
+@@ -66,7 +78,7 @@
+ return SIGNATURE_MALFORMED;
+ };
+
+- (my ($cipher) = ($sigtext =~ /^(\w+) /)) or do {
++ (my ($cipher) = _cipher_map($sigtext)) or do {
+ warn "==> MALFORMED Signature file! <==\n";
+ return SIGNATURE_MALFORMED;
+ };
+@@ -160,6 +172,11 @@
($mani, $file) = ExtUtils::Manifest::fullcheck();
}
else {
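Review bot: At `(my ($cipher) = _cipher_map($sigtext)) or do {` the variable named `$cipher` now receives the hashref that the newly added `_cipher_map` returns (`return \%map;`), i.e. a file-to-[cipher, digest] map rather than a cipher name as in the line it replaces. If the remainder of verify() in the backported patch (outside this hunk) still hands `$cipher` to a digest constructor expecting an algorithm name, verification would break; that continuation should be checked, and renaming the variable to `$cipher_map` would make the change in meaning explicit either way. The new `_cipher_map` also omits the two boundary guards the previous revision of the patch carried (`last if $line eq '-----BEGIN PGP SIGNATURE-----'` and the `/^---/ .. $line eq ''` skip), so it depends on `_read_sigfile` having already stripped the armor header and `Hash:` block; if the squeeze tree does not do that, the first header line yields an undefined `$file` and every signature is reported MALFORMED, which is fail-closed but presumably not intended. The bodies of `_cipher_map`'s caller and the inner Makefile.PL hunk continue outside this hunk.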
@@ -61,7 +74,7 @@ Applied-Upstream: 0.75
($mani, $file) = ExtUtils::Manifest::fullcheck();
}
-@@ -222,6 +229,11 @@ sub _verify_gpg {
+@@ -199,6 +216,11 @@
my $keyserver = _keyserver($version);
@@ -73,7 +86,7 @@ Applied-Upstream: 0.75
my @quiet = $Verbose ? () : qw(-q --logger-fd=1);
my @cmd = (
qw(gpg --verify --batch --no-tty), @quiet, ($KeyServer ? (
-@@ -229,7 +241,7 @@ sub _verify_gpg {
+@@ -206,7 +228,7 @@
($AutoKeyRetrieve and $version ge '1.0.7')
? '--keyserver-options=auto-key-retrieve'
: ()
@@ -82,7 +95,7 @@ Applied-Upstream: 0.75
);
my $output = '';
-@@ -241,6 +253,7 @@ sub _verify_gpg {
+@@ -218,6 +240,7 @@
my $cmd = join ' ', @cmd;
$output = `$cmd`;
}
@@ -90,7 +103,7 @@ Applied-Upstream: 0.75
if( $? ) {
print STDERR $output;
-@@ -269,7 +282,7 @@ sub _verify_crypt_openpgp {
+@@ -246,7 +269,7 @@
my $pgp = Crypt::OpenPGP->new(
($KeyServer) ? ( KeyServer => $KeyServer, AutoKeyRetrieve => $AutoKeyRetrieve ) : (),
);
@@ -99,7 +112,7 @@ Applied-Upstream: 0.75
or die $pgp->errstr;
return SIGNATURE_BAD if (!$rv->{Validity} and $AutoKeyRetrieve);
-@@ -292,32 +305,35 @@ sub _read_sigfile {
+@@ -269,32 +292,35 @@
my $well_formed;
local *D;
@@ -142,7 +155,7 @@ Applied-Upstream: 0.75
return $ok if $str1 eq $str2;
-@@ -328,7 +344,7 @@ sub _compare {
+@@ -305,7 +331,7 @@
}
else {
local (*D, *S);
@@ -151,7 +164,7 @@ Applied-Upstream: 0.75
open D, "| diff -u $SIGNATURE -" or (warn "Could not call diff: $!", return SIGNATURE_MISMATCH);
while (<S>) {
print D $_ if (1 .. /^-----BEGIN PGP SIGNED MESSAGE-----/);
-@@ -391,9 +407,9 @@ sub _sign_gpg {
+@@ -368,9 +394,9 @@
die "Cannot find $sigfile.tmp, signing aborted.\n";
};
@@ -163,7 +176,7 @@ Applied-Upstream: 0.75
unlink "$sigfile.tmp";
die "Could not write to $sigfile: $!";
};
-@@ -576,7 +592,7 @@ sub _mkdigest_files {
+@@ -531,7 +557,7 @@
}
else {
local *F;
--