Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 497692 (CVE-2013-7284)

Summary: <dev-perl/PlRPC-0.202.0-r2: pre-auth remote code execution (CVE-2013-7284)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: perl
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1051108
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-01-10 09:46:47 UTC
From ${URL} :

PlRPC is a Perl module that implements IDL-free RPCs. It is intended for cross-domain applications, but it 
fails to achieve that goal because it uses Storable, which is known to be insecure when deserializing 
(thawing) untrusted data. User name and password are transmitted using Storable, so code execution can 
happen before authentication.

The patches that exist just document the issues and are not real fixes.

References:
http://seclists.org/oss-sec/2014/q1/56
https://rt.cpan.org/Public/Bug/Display.html?id=90474

Commit/Patch:
http://pkgs.fedoraproject.org/cgit/perl-PlRPC.git/commit/?id=b9497b8d780a54ff5be6661c5f24d70135e0bb79



>The actual proposed patch to upstream is here:

* 
https://rt.cpan.org/Public/Ticket/Attachment/1293961/685696/0001-Security-notice-on-Storable-and-reply-attack.patch

Based on the discussion in bug #1030572, there is no real "fix" for this as it seems that Storable 
deserialization is exposed prior to password-based authentication (see how AcceptUser is called in the 
server code).

MITRE assigned CVE-2013-7284 to this issue.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-01-19 17:59:14 UTC
Upstream has no releases since 17 Jun 2007. revbump with a patch done.
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-01-19 18:05:20 UTC
Arches, please test and mark stable:

=dev-perl/PlRPC-0.202.0-r2

target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2014-01-20 01:15:49 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2014-01-20 15:58:49 UTC
ppc stable
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2014-01-21 00:09:54 UTC
x86 stable

Note that the new patch only changes documentation.
Comment 6 Agostino Sarubbo gentoo-dev 2014-01-22 18:27:22 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-01-26 11:46:50 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-01-26 11:48:51 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-01-26 11:56:57 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-01-26 11:59:21 UTC
sparc stable
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-01-26 12:39:14 UTC
alpha stable
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-01-26 12:54:05 UTC
Cleanup done
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2014-01-28 06:15:35 UTC
GLSA Request Filed
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-03-27 11:06:04 UTC
This issue was resolved and addressed in
 GLSA 201403-08 at http://security.gentoo.org/glsa/glsa-201403-08.xml
by GLSA coordinator Mikle Kolyada (Zlogene).