CVE-2013-1437

NameCVE-2013-1437
DescriptionEval injection vulnerability in the Module-Metadata module before 1.000015 for Perl allows remote attackers to execute arbitrary Perl code via the $Version value.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libmodule-metadata-perl (PTS)bullseye1.000037-1fixed
bookworm1.000037-2fixed
forky, sid, trixie1.000038-1fixed
perl (PTS)bullseye5.32.1-4+deb11u3fixed
bullseye (security)5.32.1-4+deb11u4fixed
bookworm5.36.0-7+deb12u3fixed
bookworm (security)5.36.0-7+deb12u2fixed
forky, sid, trixie5.40.1-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libmodule-metadata-perlsourcewheezy1.000009-1+deb7u1
libmodule-metadata-perlsource(unstable)1.000015-1
perlsourcesqueeze(not affected)
perlsourcewheezy(not affected)
perlsource(unstable)5.18.1-2

Notes

[wheezy] - perl <not-affected> (Bug was introduced later)
[squeeze] - perl <not-affected> (Does not yet contain Module::Metadata)
this is by 'design', but previous to version Module::Metadata 1.000015
the statement was This module provides a standard way to gather metadata
about a .pm file *without* executing unsafe code.
Search for package or bug name: Reporting problems