PT-2015-7894 · Perl · Module::Signature

Published 2015-04-18 · Updated 2015-04-18

Severity: None

No severity ratings or metrics are available. When they become available, the corresponding information on this page will be updated.
Vulnerable software and affected versions: perl-Module-Signature (affected versions not specified)
Description: Module::Signature parsed the boundaries of a PGP clearsigned SIGNATURE file incorrectly, so unsigned text placed outside the signed region could be treated as part of the signed manifest. When verifying an extracted CPAN distribution, files present in the tarball but absent from the signed manifest were ignored, including executable files under the t/ directory, so unsigned test scripts could ship alongside a valid signature. Module::Signature also opened the files named in the signed manifest with two-argument open(), so a file name containing shell metacharacters (for example a trailing '|') was interpreted as a command and executed during signature verification. Finally, some modules were loaded at runtime while the current directory was the extracted distribution, so with '.' in @INC a malicious module placed in the tarball could be loaded and executed.
Recommendations: Update perl-Module-Signature to a version that includes the fixes for the reported issues. Until a patched version is installed, do not rely on Module::Signature to verify distributions from untrusted sources, restrict access to the directory into which distributions are extracted, and avoid running verification from inside an untrusted extracted tree while '.' is in @INC. Code that reads files named in a signed manifest should use three-argument open() with an explicit mode rather than the two-argument form, which lets a file name be reinterpreted as a pipe or command.
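The script below is added here as an illustration and is not code from Module::Signature or from its fix. It shows three of the points above in stand-alone Perl: a clearsign parser that accepts only the text between the signed-message header and the signature block and rejects anything outside it, a manifest check that reads each named file with three-argument open() (with the two-argument form kept beside it, run only on a harmless echo, to show why it is dangerous), and the removal of '.' from @INC before any runtime loading. The one-line-per-file "SHA1 <hex> <file>" manifest layout, the function names, and the sample distribution written to a temporary directory are assumptions constructed for this example; the PGP signature itself is not verified here.

```perl
#!/usr/bin/env perl
# Added example, not Module::Signature's own code. Manifest layout
# ("SHA1 <hex> <file>" per line) and function names are assumptions.
use strict;
use warnings;

# Remove '.' from @INC before anything is loaded at runtime, so a module
# that happens to be missing system-wide cannot be satisfied by a file an
# attacker placed in the extracted distribution directory.
BEGIN { pop @INC if @INC && $INC[-1] eq '.' }

use Digest::SHA qw(sha1_hex);
use File::Temp  qw(tempdir);

# Return only the text between the clearsign header and the signature block.
# Bytes before "-----BEGIN PGP SIGNED MESSAGE-----" or after
# "-----END PGP SIGNATURE-----" are unsigned, so they are rejected instead
# of being silently merged into what the caller treats as signed.
sub signed_body {
    my ($text) = @_;
    my @lines = split /\n/, $text, -1;
    pop @lines if @lines && $lines[-1] eq '';    # trailing newline artefact

    die "unsigned data before the signed message\n"
        unless @lines && $lines[0] eq '-----BEGIN PGP SIGNED MESSAGE-----';
    die "unsigned data after the signature\n"
        unless $lines[-1] eq '-----END PGP SIGNATURE-----';

    my $i = 1;
    $i++ while $i < @lines && $lines[$i] ne '';  # skip "Hash: ..." headers
    $i++;                                        # and the blank separator

    my @body;
    while ($i < @lines && $lines[$i] ne '-----BEGIN PGP SIGNATURE-----') {
        (my $l = $lines[$i++]) =~ s/^- //;       # undo clearsign dash escaping
        push @body, $l;
    }
    die "no PGP SIGNATURE block found\n" if $i >= @lines;
    return join("\n", @body) . "\n";
}

# Check every manifest entry against the file on disk. Three-argument
# open() with an explicit '<' mode means a name such as "echo x |" is
# looked up literally as a file and never reaches a shell.
sub check_manifest {
    my ($dir, $manifest) = @_;
    my @problems;
    for my $line (split /\n/, $manifest) {
        next if $line =~ /^\s*(?:#|$)/;
        my ($algo, $expected, $file) = split ' ', $line, 3;
        if (!defined $file || $algo ne 'SHA1') {
            push @problems, "unsupported manifest line: $line"; next;
        }
        if ($file =~ m{^/|(?:^|/)\.\.(?:/|$)}) {   # absolute or ".." component
            push @problems, "path escapes distribution: $file"; next;
        }
        my $fh;
        unless (open $fh, '<', "$dir/$file") {
            push @problems, "cannot open $file: $!"; next;
        }
        binmode $fh;
        my $data = do { local $/; <$fh> } // '';
        close $fh;
        push @problems, "digest mismatch for $file"
            if lc $expected ne sha1_hex($data);
    }
    return \@problems;
}

# The pattern the advisory warns about, kept only to show the contrast:
# with two arguments, a trailing '|' turns the "file name" into a command
# whose output is read. Called below on a harmless echo only.
sub two_arg_open_runs_commands {
    my ($name) = @_;
    open my $fh, $name or return undef;
    my $out = <$fh>;
    close $fh;
    return $out;
}

# Constructed sample distribution: one real file plus a hostile manifest entry.
my $dir = tempdir(CLEANUP => 1);
open my $out, '>', "$dir/README" or die "cannot create README: $!";
print $out "hello\n";
close $out;

my $sig = "-----BEGIN PGP SIGNED MESSAGE-----\n"
        . "Hash: SHA1\n\n"
        . "SHA1 " . sha1_hex("hello\n") . " README\n"
        . "SHA1 " . ('0' x 40) . " echo injected |\n"
        . "-----BEGIN PGP SIGNATURE-----\n"
        . "(signature bytes omitted; verifying them is gpg's job, not this parser's)\n"
        . "-----END PGP SIGNATURE-----\n";

# The hostile entry is reported as unopenable, not executed.
print "$_\n" for @{ check_manifest($dir, signed_body($sig)) };

# Unsigned text prepended to the SIGNATURE file is rejected outright.
eval { signed_body("SHA1 " . ('0' x 40) . " evil.pl\n$sig") };
print "rejected: $@";

# Contrast: the two-argument form runs the command instead of opening a file.
print "two-arg open returned: ", two_arg_open_runs_commands("echo injected |");
```

Run it with a perl that still has '.' in @INC (before 5.26) to see the BEGIN block take effect; on newer perls it is a no-op. The dash-unescaping in signed_body matters for manifest lines that begin with '-', which clearsigning prefixes with "- ".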

Related identifiers

MGASA-2015-0160

Affected products

Module::Signature