[Bug 1051108] CVE-2013-7284 perl-PlRPC: pre-auth remote code execution

bugzilla at redhat.com bugzilla at redhat.com
Fri Jan 10 08:54:08 UTC 2014


https://bugzilla.redhat.com/show_bug.cgi?id=1051108

Petr Pisar <ppisar at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ratulg at redhat.com
              Flags|                            |needinfo?(ratulg at redhat.com)



--- Comment #3 from Petr Pisar <ppisar at redhat.com> ---
(In reply to Vincent Danen from comment #2)
> The actual proposed patch to upstream is here:
> 
> *
> https://rt.cpan.org/Public/Ticket/Attachment/1293961/685696/0001-Security-
> notice-on-Storable-and-reply-attack.patch
> 
> Based on the discussion in bug #1030572, there is no real "fix" for this as
> it seems that Storable deserialization is exposed prior to password-based
> authentication (see how AcceptUser is called in the server code).
> 
> MITRE assigned CVE-2013-7284 to this issue.

Is amending the PlRPC documentation with this patch sufficient to close this
bug, or should we keep this open until a real fix in the code (extension of
Storable module and utilizing it in PlRPC) will be available?

-- 
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=0Io151sBRM&a=cc_unsubscribe
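The issue quoted above is an ordering problem: the server hands bytes from an unauthenticated client to Storable's deserializer before any credential check, so an attacker never needs a valid password to reach the dangerous code path. The mitigation is to authenticate the raw frame first and only then call thaw(). The following is an added illustration of that ordering, not code from PlRPC, the bug report or the linked patch; the key, the frame layout (32-byte HMAC-SHA256 tag followed by the frozen payload) and the function names build_frame, handle_unsafe and handle_safe are all constructed for this example.

```perl
#!/usr/bin/perl
# Added example (not PlRPC's own code): authenticate a frame before Storable::thaw.
use strict;
use warnings;
use Storable   qw(freeze thaw);
use Digest::SHA qw(hmac_sha256);

# Constructed pre-shared key; a real deployment would provision one per client.
my $KEY = "example-shared-secret";

# Client side: serialize the request, then prepend an HMAC over the serialized bytes.
sub build_frame {
    my ($key, $request) = @_;
    my $blob = freeze($request);
    return hmac_sha256($blob, $key) . $blob;    # 32-byte tag, then payload
}

# Constant-time comparison of two byte strings (avoids leaking where they differ).
sub tags_equal {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Unsafe order (the pattern described in the bug): deserialize first, check
# credentials afterwards. Every connecting client reaches thaw() on attacker bytes.
sub handle_unsafe {
    my ($frame, $authenticate) = @_;
    my $blob    = substr($frame, 32);
    my $request = thaw($blob);                   # untrusted bytes hit the deserializer...
    return undef unless $authenticate->($request);  # ...before any credential check
    return $request;
}

# Safe order: verify the HMAC over the raw bytes first. Frames that fail
# authentication are dropped without ever being handed to thaw().
sub handle_safe {
    my ($key, $frame) = @_;
    return undef if length($frame) < 32;
    my $tag  = substr($frame, 0, 32);
    my $blob = substr($frame, 32);
    return undef unless tags_equal($tag, hmac_sha256($blob, $key));
    return thaw($blob);
}

# Constructed demo: a frame built with the right key is accepted, one built
# with a different key is rejected before deserialization.
my $good   = build_frame($KEY,         { method => 'ping', args => [] });
my $forged = build_frame("wrong-key",  { method => 'ping', args => [] });

for my $pair ([good => $good], [forged => $forged]) {
    my ($label, $frame) = @$pair;
    my $req = handle_safe($KEY, $frame);
    print "$label frame: ", (defined $req ? "accepted ($req->{method})" : "rejected"), "\n";
}
```

The HMAC only establishes that the bytes came from a holder of the shared key; it does not by itself address the replay concern named in the upstream patch title, which would additionally need a per-request nonce or counter covered by the tag. The essential property shown here is simply that handle_safe never calls thaw() on data that has not already been authenticated.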


