From ${URL} : PlRPC is a Perl module that implements IDL-free RPCs. It is intended for cross-domain applications, but it fails to achieve that goal because it uses Storable, which is known to be insecure when deserializing (thawing) untrusted data. User name and password are transmitted using Storable, so code execution can happen before authentication. The patches that exist just document the issues and are not real fixes. References: http://seclists.org/oss-sec/2014/q1/56 https://rt.cpan.org/Public/Bug/Display.html?id=90474 Commit/Patch: http://pkgs.fedoraproject.org/cgit/perl-PlRPC.git/commit/?id=b9497b8d780a54ff5be6661c5f24d70135e0bb79 >The actual proposed patch to upstream is here: * https://rt.cpan.org/Public/Ticket/Attachment/1293961/685696/0001-Security-notice-on-Storable-and-reply-attack.patch Based on the discussion in bug #1030572, there is no real "fix" for this as it seems that Storable deserialization is exposed prior to password-based authentication (see how AcceptUser is called in the server code). MITRE assigned CVE-2013-7284 to this issue. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Upstream has no releases since 17 Jun 2007. revbump with a patch done.
Arches, please test and mark stable: =dev-perl/PlRPC-0.202.0-r2 target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Stable for HPPA.
ppc stable
x86 stable Note that the new patch only changes documentation.
amd64 stable
arm stable
ia64 stable
ppc64 stable
sparc stable
alpha stable
Cleanup done
GLSA Request Filed
This issue was resolved and addressed in GLSA 201403-08 at http://security.gentoo.org/glsa/glsa-201403-08.xml by GLSA coordinator Mikle Kolyada (Zlogene).