From aab821d91b89d81f1005c3f8586b5938efa01893 Mon Sep 17 00:00:00 2001
From: brian d foy
Date: Sun, 8 Sep 2024 21:02:14 -0400
Subject: [PATCH] Update for CVE-2024-45321 (App::cpanminus)

---
 lib/CPAN/Audit.pm | 2 +-
 lib/CPAN/Audit/DB.pm | 100 +++++++++++++++++++++++++++++++++++++--
 lib/CPAN/Audit/DB.pm.gpg | 26 +++++-----
 3 files changed, 110 insertions(+), 18 deletions(-)

diff --git a/lib/CPAN/Audit.pm b/lib/CPAN/Audit.pm
index 51bbd3d..9875556 100644
--- a/lib/CPAN/Audit.pm
+++ b/lib/CPAN/Audit.pm
@@ -14,7 +14,7 @@ use CPAN::Audit::Version;
 use CPAN::Audit::Query;
 use CPAN::Audit::DB;
 
-our $VERSION = '20240826.002';
+our $VERSION = '20240908.001';
 
 sub new {
     my( $class, %params ) = @_;
diff --git a/lib/CPAN/Audit/DB.pm b/lib/CPAN/Audit/DB.pm
index b1dc290..c57afea 100644
--- a/lib/CPAN/Audit/DB.pm
+++ b/lib/CPAN/Audit/DB.pm
@@ -1,5 +1,5 @@
-# created by util/generate at Mon Aug 26 01:28:48 2024
-# cpan-security-advisory d3ed1024fe83e5224882900d4ed8f73d63e89ad7
+# created by util/generate at Sun Sep 8 20:57:19 2024
+# cpan-security-advisory 3cfab96f380ba0e3aab9f28bc6c1a532f01e83df
 #
 
 =encoding utf8
@@ -19,7 +19,7 @@ package CPAN::Audit::DB;
 use strict;
 use warnings;
 
-our $VERSION = '20240826.002';
+our $VERSION = '20240908.001';
 
 =over 4
 
@@ -1259,6 +1259,25 @@ sub db { 'https://github.com/miyagawa/cpanminus/pull/638' ], 'reported' => '2020-07-30' + }, + { + 'affected_versions' => [ + '<=1.7047' + ], + 'cves' => [ + 'CVE-2024-45321' + ], + 'description' => 'The App::cpanminus package through 1.7047 for Perl downloads code via insecure HTTP, enabling code execution for network attackers. +', + 'distribution' => 'App-cpanminus', + 'fixed_versions' => [], + 'id' => 'CPANSA-App-cpanminus-2024-45321', + 'references' => [ + 'https://github.com/miyagawa/cpanminus/issues/611', + 'https://github.com/miyagawa/cpanminus/pull/674', + 'https://security.metacpan.org/2024/08/26/cpanminus-downloads-code-using-insecure-http.html' + ], + 'reported' => '2024-08-27' } ], 'main_module' => 'App::cpanminus', @@ -7596,6 +7615,10 @@ sub db { { 'date' => '2024-08-18T17:03:50', 'version' => '2.37-TRIAL' + }, + { + 'date' => '2024-08-30T17:18:31', + 'version' => '2.37' } ] }, @@ -10243,6 +10266,10 @@ sub db { { 'date' => '2024-04-27T12:52:31', 'version' => '2.212' + }, + { + 'date' => '2024-08-28T15:29:28', + 'version' => '2.213' } ] }, @@ -10697,6 +10724,10 @@ sub db { { 'date' => '2024-04-27T12:55:28', 'version' => '2.212' + }, + { + 'date' => '2024-08-28T15:27:59', + 'version' => '2.213' } ] }, @@ -15129,6 +15160,38 @@ sub db { { 'date' => '2024-08-17T20:28:14', 'version' => '0.080_005' + }, + { + 'date' => '2024-08-30T18:43:56', + 'version' => '0.080_006' + }, + { + 'date' => '2024-09-01T08:32:21', + 'version' => '0.080_007' + }, + { + 'date' => '2024-09-01T09:26:40', + 'version' => '0.080_008' + }, + { + 'date' => '2024-09-01T11:23:19', + 'version' => '0.080_009' + }, + { + 'date' => '2024-09-02T14:51:29', + 'version' => '0.080_010' + }, + { + 'date' => '2024-09-03T11:32:03', + 'version' => '0.080_011' + }, + { + 'date' => '2024-09-03T18:01:58', + 'version' => '0.080_012' + }, + { + 'date' => '2024-09-08T16:12:50', + 'version' => '0.081' } ] }, 
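Review bot: The `description` literal of the new CPANSA-App-cpanminus-2024-45321 entry carries an embedded trailing newline — the string only closes on the following diff line as `+',` — so any reporter that prints the field verbatim will emit a stray blank line after this advisory, which the older entries in this list presumably do not. The newline most likely comes straight from the YAML source in cpan-security-advisory (commit 3cfab96f380ba0e3aab9f28bc6c1a532f01e83df per the file header), so the trim belongs in util/generate or upstream rather than in this generated file; a one-line `chomp` of the description at generation time would keep the entries uniform. Note also that `fixed_versions` is `[]`, so the `'<=1.7047'` bound in `affected_versions` is the only thing deciding a match; that is consistent with the description ("through 1.7047") but the entry will need regenerating as soon as a fixed release is published upstream. The enclosing `sub db` starts and ends outside this hunk.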
@@ -19946,6 +20009,10 @@ sub db { { 'date' => '2024-08-23T17:54:09', 'version' => '1.644' + }, + { + 'date' => '2024-09-03T09:25:33', + 'version' => '1.645' } ] }, @@ -34036,7 +34103,7 @@ Resulting in a CWE-1188: Insecure Default Initialization of Resource weakness. 'severity' => 'high' } ], - 'main_module' => 'Compress::Zlib', + 'main_module' => 'IO::Compress', 'versions' => [ { 'date' => '2009-04-04T09:49:11', @@ -34341,6 +34408,10 @@ Resulting in a CWE-1188: Insecure Default Initialization of Resource weakness. { 'date' => '2024-04-27T12:55:39', 'version' => '2.212' + }, + { + 'date' => '2024-08-28T15:36:27', + 'version' => '2.213' } ] }, @@ -35578,6 +35649,10 @@ Resulting in a CWE-1188: Insecure Default Initialization of Resource weakness. { 'date' => '2024-07-14T05:05:54', 'version' => '2.088' + }, + { + 'date' => '2024-08-29T14:46:00', + 'version' => '2.089' } ] }, @@ -39322,6 +39397,10 @@ Resulting in a CWE-1188: Insecure Default Initialization of Resource weakness. { 'date' => '2024-07-15T14:48:13', 'version' => 'v2.19.1' + }, + { + 'date' => '2024-09-04T07:30:33', + 'version' => 'v2.19.2' } ] }, @@ -63681,6 +63760,14 @@ Resulting in a CWE-1188: Insecure Default Initialization of Resource weakness. { 'date' => '2024-05-26T13:07:57', 'version' => '0.89_001' + }, + { + 'date' => '2024-09-06T21:47:43', + 'version' => '0.90' + }, + { + 'date' => '2024-09-06T22:09:50', + 'version' => 'v0.901.0' } ] }, @@ -68928,6 +69015,10 @@ An attacker with limited privileges can exploit this behavior by placing cmd.exe { 'date' => '2024-07-20T20:54:48', 'version' => '5.041002' + }, + { + 'date' => '2024-08-29T13:23:40', + 'version' => '5.041003' } ] }, 
@@ -70968,6 +71059,7 @@ An attacker with limited privileges can exploit this behavior by placing cmd.exe 'I18N::LangTags::Detect' => 'perl', 'I18N::LangTags::List' => 'perl', 'I18N::Langinfo' => 'perl', + 'IO::Compress' => 'IO-Compress', 'IO::Compress::Adapter::Bzip2' => 'IO-Compress', 'IO::Compress::Adapter::Deflate' => 'IO-Compress', 'IO::Compress::Adapter::Identity' => 'IO-Compress', diff --git a/lib/CPAN/Audit/DB.pm.gpg b/lib/CPAN/Audit/DB.pm.gpg index c915582..b83d5db 100644 --- a/lib/CPAN/Audit/DB.pm.gpg +++ b/lib/CPAN/Audit/DB.pm.gpg 
@@ -1,16 +1,16 @@ -----BEGIN PGP SIGNATURE----- -iQIzBAABCAAdFiEEdaq0LLoNfzfw1oht+D+NXoeLYEEFAmbMEpAACgkQ+D+NXoeL -YEGtng/6AiMmsncv+56E+kdBG0N4OQybxyRsTy4lmqqJYgKZ8NjtsNbNZawT393S -lGrhdPGPQK8CzLU4H1MGWdKhWv3rwfD+Xf5GWQ85YbRtkAl0gGQVl9LX6c0pY85g -hauHzIqhaHO7lM75KF+NS+vsPsqzEy/pIQ5XJHytZCs5rHzsaZV6nzs7P4tIYgBK -Kri3NpE93D25ssYjbhMm/R0bHVjfvTUZnXkplhKBn0M1xIYuPz3MEWXrdqwOI8qb -xhig0Ly68KgmB4bhKwG+xc4Y4IChW6Mgr3rDzBjnPjKaQUVsPjsRhNeGi4K1ILJU -zIBWgvHwUiFA0azoIYNeTclEQAxyUCR3m4297RSe7+XasBBQShAk3D17v9K1pCok -YHKujZI5HYJ34GoDEmD6A+R5UMdOxVC3oS1LgV+uJUZp6yYAUGgjEN0qrLAUlQRr -2F8Bgh86G4GzQlhh30sc7c2FL67g8rlj5zr67mUlz63Z4NPF+eV5d1vReocaJJQA -aPiWfLhIoW66BMMm46ofcFy95rleWBXA+ETk0gSM+mB0fPQmK0W7pyYy1FiE9JK+ -wYJCWic8wbqep8HTSpN8zVLd/FuHNZF9pVnpDEhc5GxVwJrXgTcyq8KPs8tnSulZ -U2aAElutbx1S1QfbEkE/YxYUmdVjOPX6pOJHjOClWf8hChkteMM= -=o1vj +iQIzBAABCAAdFiEEdaq0LLoNfzfw1oht+D+NXoeLYEEFAmbeR+8ACgkQ+D+NXoeL +YEHtTw/+IaQKc8U7w/SfNCU+vLe3eZgEpz1tqKr9ETtbEjn5fKyfxohYFbIsuUze +Q1Z7TIXxlVfnUV3yo2CQQU5tZK9FEv9IQwoGN109lOImLo++WJ+ecx/75ykZGo/X +sFZ3BReGdHeWeQ4qbi/ZV8mRuxf37kGVir5IyVDjsZNSk7aTZpURQU6D1Xqctjtz +GWfSTpzOcmD+GK609EAG8ZMlCeHS8N0PhshuZ6DFCuiZGU9DO05Ghg0ixy/gqPUX +P3/w31eCbQhT3TG/eekyICdX+yM7X06Z+oo3DDG09jgfZWmfft6+XQ0yga6QzfpQ +I+BMpVeY4pLr9Unbv/zX3rCbBTI1axScH/fctWiUAWF8IP0yjI0m7AQjw6elcUWa +JLojAJ3oIjyZX+TkJ2YSH1ZekHv4w5gcrOsV5MPAht0Ot/lv+Of2oRIFFjifdW9/ ++zygvChcqPEmca+l/i8eH+qdqU8W2YRrC/mj0rxNJSN7Ce9jcKuBKczLICRejR46 +Z6+pmUwa3Hqn2PWppbtTBOzDdrsShcBZlD4YTN4OPxs1AjcrZhz7ANBLEPTVIXN6 +sn2Qoy3AikrXhZ80uznVVUzs3WLIPnmBquUFMsZhWXoyudDOZKtSFXYMaM8C9Zaq +o9wNb0mB70jWL5zKiYKuSdv0BIF5ourK2sqQbKL2te9E+MvKlpE= +=x1Bs -----END PGP SIGNATURE-----