Gentoo Archives: gentoo-announce

From: Mikle Kolyada <zlogene@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201403-08 ] PlRPC: Arbitrary code execution
Date: Thu, 27 Mar 2014 11:07:54
Message-Id: 533406FA.9070503@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201403-08
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: PlRPC: Arbitrary code execution
9 Date: March 27, 2014
10 Bugs: #497692
11 ID: 201403-08
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 PlRPC uses Storable which allows for code execution prior to
19 Authentication
20
21 Background
22 ==========
23
24 The Perl RPC Module is a Perl module that implements IDL-free RPCs.
25
26 Affected packages
27 =================
28
29 -------------------------------------------------------------------
30 Package / Vulnerable / Unaffected
31 -------------------------------------------------------------------
32 1 dev-perl/PlRPC < 0.202.0-r2 >= 0.202.0-r2
33
34 Description
35 ===========
36
37 PlRPC uses Storable module for serialization and deserialization of
38 untrusted data. Deserialized data can contain objects which can lead to
39 loading of foreign modules, and possible execution of arbitrary code.
40
41 Impact
42 ======
43
44 A remote attacker could possibly execute
45 arbitrary code with the privileges of the process, or cause a Denial of
46 Service condition.
47
48 Workaround
49 ==========
50
51 External authentication mechanism can be used with PlRPC such as TLS or
52 IPSEC.
53
54 Resolution
55 ==========
56
57 All PlRPC users should upgrade to the latest version:
58
59 # emerge --sync
60 # emerge --ask --oneshot --verbose ">=dev-perl/PlRPC-0.202.0-r2"
61
62 References
63 ==========
64
65 [ 1 ] CVE-2013-7284
66 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7284
67
68 Availability
69 ============
70
71 This GLSA and any updates to it are available for viewing at
72 the Gentoo Security Website:
73
74 http://security.gentoo.org/glsa/glsa-201403-08.xml
75
76 Concerns?
77 =========
78
79 Security is a primary focus of Gentoo Linux and ensuring the
80 confidentiality and security of our users' machines is of utmost
81 importance to us. Any security concerns should be addressed to
82 security@g.o or alternatively, you may file a bug at
83 https://bugs.gentoo.org.
84
85 License
86 =======
87
88 Copyright 2014 Gentoo Foundation, Inc; referenced text
89 belongs to its owner(s).
90
91 The contents of this document are licensed under the
92 Creative Commons - Attribution / Share Alike license.
93
94 http://creativecommons.org/licenses/by-sa/2.5
95
96 --
97 Mikle Kolyada
98 Gentoo Linux Developer

Attachments

File name MIME type
signature.asc application/pgp-signature