Bug 836040 - (CVE-2013-1437) VUL-1: Module::Metadata: $Version code execution issue
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Michael Schröder
Reported: 2013-08-22 07:31 UTC by Matthias Weckbecker
Modified: 2015-03-30 14:48 UTC
Description Matthias Weckbecker 2013-08-22 07:31:30 UTC
The documentation of Module::Metadata claims that the module does not execute
any unsafe code when fetching meta information about a .pm file:

     "This module provides a standard way to gather metadata about a .pm file
      without executing unsafe code."

This is, however, not true because it evaluates a small amount of code in the
$Version variable.

Changelog:

  https://metacpan.org/changes/distribution/Module-Metadata
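
A static alternative to evaluating the `$VERSION` line, as an added example that is not part of the original report and is not Module::Metadata's code. The helper `static_version` is hypothetical: it reads the version only when the right-hand side is a plain literal and reports anything else as requiring evaluation. The sample module sources are constructed.

```perl
use strict;
use warnings;

# Hypothetical helper (not Module::Metadata code): read $VERSION from Perl
# source text without evaluating any of it.
# Returns ('literal', $version), ('needs-eval', $line) or ('none', undef).
sub static_version {
    my ($source) = @_;
    for my $line (split /\n/, $source) {
        last if $line =~ /^__(?:END|DATA)__\s*$/;    # no code past this marker
        next if $line =~ /^\s*#/;                     # whole-line comment
        # Is this an assignment to $VERSION (plain or package-qualified)?
        next unless $line =~ /\$(?:\w+::)*VERSION\s*=(?![=~>])/;
        # Accept only a bare or quoted numeric/dotted literal, nothing else.
        if ($line =~ /^\s*(?:(?:our|my)\s+)?\$(?:\w+::)*VERSION\s*=\s*
                      (['"]?)(v?\d+(?:[._]\d+)*)\1\s*;\s*(?:\#.*)?$/x) {
            return ('literal', $2);
        }
        # Anything else would have to be executed to yield a value.
        return ('needs-eval', $line);
    }
    return ('none', undef);
}

# Constructed sample sources (not taken from any real distribution).
my %samples = (
    'literal.pm' => <<'PM',
package Example::Literal;
our $VERSION = '1.23';
1;
PM
    'computed.pm' => <<'PM',
package Example::Computed;
our $VERSION = join '.', map { $_ + 0 } qw(1 02 3);
1;
PM
);

for my $name (sort keys %samples) {
    my ($status, $detail) = static_version($samples{$name});
    printf "%-12s %-10s %s\n", $name, $status, $detail // '-';
}
```

When the source file is untrusted, a `needs-eval` result is best recorded as "version unknown" rather than resolved by running the line.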
Comment 1 Matthias Weckbecker 2013-08-22 07:36:03 UTC
Note: This does not affect any SLE. openSUSE 12.x is affected. Basically all
versions with perl > v5.13.9.
Comment 2 Johannes Segitz 2015-03-30 14:48:13 UTC
Is CVE-2013-1437, only in Factory. Fixed.