Description
The PGP signature parsing in Module::Signature before 0.74 allows remote attackers to cause the unsigned portion of a SIGNATURE file to be treated as the signed portion via unspecified vectors.
References (5)
Core 5
Core References
Mailing List, Patch, Third Party Advisory x_refsource_misc
http://www.openwall.com/lists/oss-security/2015/04/07/1
Mailing List, Patch, Third Party Advisory x_refsource_misc
http://www.openwall.com/lists/oss-security/2015/04/23/17
Patch, Third Party Advisory x_refsource_misc
https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f
Release Notes, Vendor Advisory x_refsource_misc
https://metacpan.org/changes/distribution/Module-Signature
Patch, Release Notes, Third Party Advisory x_refsource_misc
http://ubuntu.com/usn/usn-2607-1
Scores
CVSS v3
7.5
EPSS
0.0229
EPSS Percentile
80.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-681
Status
published
Products (5)
canonical/ubuntu_linux
12.04
canonical/ubuntu_linux
14.04
canonical/ubuntu_linux
14.10
canonical/ubuntu_linux
15.04
module-signature_project/module-signature
< 0.74
Published
Nov 29, 2019
Tracked Since
Feb 18, 2026