Bug 836040 - (CVE-2013-1437) VUL-1: Module::Metadata: $Version code execution issue
VUL-1: Module::Metadata: $Version code execution issue
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Michael Schröder
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2013-08-22 07:31 UTC by Matthias Weckbecker
Modified: 2015-03-30 14:48 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Weckbecker 2013-08-22 07:31:30 UTC
The documentation of Module::Metadata claims that the module does not execute
any unsafe code when fetching meta information about a .pm file:

     "This module provides a standard way to gather metadata about a .pm file
      without executing unsafe code."

This is, however, not true because it evaluates a small amount of code in the
$Version variable.


Comment 1 Matthias Weckbecker 2013-08-22 07:36:03 UTC
Note: This does not affect any SLE. openSUSE 12.x is affected. Basically all
versions with perl > v5.13.9.
Comment 2 Johannes Segitz 2015-03-30 14:48:13 UTC
is CVE-2013-1437, only in Factory. Fixed