author    Mikle Kolyada <zlogene@gentoo.org>  2014-01-19 17:55:08 +0000
committer Mikle Kolyada <zlogene@gentoo.org>  2014-01-19 17:55:08 +0000
commit    f7aade11dfb2ca200385aa6935ec500cd4de4750 (patch)
tree      99c6296c73d115d8f3a68e8aa8f015faea23ece8 /dev-perl/PlRPC
parent    Drop ~arm for now (diff)
Security bump wrt bug #497692
Package-Manager: portage-2.2.7/cvs/Linux x86_64
Manifest-Sign-Key: 0xC42EB5D6
Diffstat (limited to 'dev-perl/PlRPC')
-rw-r--r--  dev-perl/PlRPC/ChangeLog                                                 |   8
-rw-r--r--  dev-perl/PlRPC/Manifest                                                  |  14
-rw-r--r--  dev-perl/PlRPC/PlRPC-0.202.0-r2.ebuild                                   |  31
-rw-r--r--  dev-perl/PlRPC/files/Security-notice-on-Storable-and-reply-attack.patch  | 105
4 files changed, 151 insertions, 7 deletions
diff --git a/dev-perl/PlRPC/ChangeLog b/dev-perl/PlRPC/ChangeLog
index 7cceb98fc49d..5fff7af979ae 100644
--- a/dev-perl/PlRPC/ChangeLog
+++ b/dev-perl/PlRPC/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for dev-perl/PlRPC
# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-perl/PlRPC/ChangeLog,v 1.65 2014/01/15 20:41:32 zlogene Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-perl/PlRPC/ChangeLog,v 1.66 2014/01/19 17:55:01 zlogene Exp $
+
+*PlRPC-0.202.0-r2 (19 Jan 2014)
+
+ 19 Jan 2014; Mikle Kolyada <zlogene@gentoo.org> +PlRPC-0.202.0-r2.ebuild,
+ +files/Security-notice-on-Storable-and-reply-attack.patch:
+ Security bump wrt byg #497692
15 Jan 2014; Mikle Kolyada <zlogene@gentoo.org> -PlRPC-0.202.0.ebuild,
PlRPC-0.202.0-r1.ebuild:
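Review bot: the new ChangeLog entry carries the typo "byg" in `+ Security bump wrt byg #497692`; it should read "bug #497692" so the entry is found when people grep the ChangeLog for the bug reference. It would also help to state in the same entry what the bump actually ships: the added patch (per its own diffstat further down) touches only README and POD text, so a reader should not take "Security bump" to mean the Storable deserialization issue itself was fixed in code.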
diff --git a/dev-perl/PlRPC/Manifest b/dev-perl/PlRPC/Manifest
index bf14b70fdf76..b90a68b5ad9e 100644
--- a/dev-perl/PlRPC/Manifest
+++ b/dev-perl/PlRPC/Manifest
@@ -1,17 +1,19 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
+AUX Security-notice-on-Storable-and-reply-attack.patch 3844 SHA256 8b5688a6e65dc42cff3194be92e80b37d34322b20995a0daf6f4978ad6f46ad0 SHA512 21b3db796b34d994d4d967fc69af680f6d5281001829145aa7765b7ef9324cfd021f277358aabb820ef1496d0b8ffe0611fcfa0bf697709b4defd0843837e398 WHIRLPOOL 1125dc3ad9983a3f21cec95999de7ca3e07099724711878eaa1b43c671cff1f77f69abea6d4abbeb20645ade153729612f39fdac10682432e5e265a13002ca6c
AUX perldoc-remove.patch 258 SHA256 5947de78f719430a4aeb627b00af873db14a5eea4ee7588d1c84c43f5307771e SHA512 e2fdf9d64b6e8a76eedbbb2eb7677538d3bae0d3eb077ce4f12e8689f39622417532dc51525d9892cb8a990015b01b098df11e8fbb492755f0ba64d26d025ccf WHIRLPOOL 4516781e004a9da9ef8d0de60dcb0120192587efa5ff6d31bfe021412f6045936b9413ff494a2d3d230a9f47eb6536a2f1b2da08addaf5e98dd29cab7f909878
DIST PlRPC-0.2020.tar.gz 18229 SHA256 606b367cc52ea8ab2e93404ddd50ccb65e6e5c42ebd6cf4def71f4edf684506f SHA512 2c79c5c27bce7027561f1968023ae4307778f291caa9291fee779537d047a35bb4bd5928fe2b343a2b09dbdcf6450239d79c6898018ea880619a7c69a1498a86 WHIRLPOOL e53cbca963e9ce3611e663905442855195d341c645e9b095300875803ba98c10741dd21810c5db0d64f59c52c5c4e0ecd789459f940c8ef9f7762cfd98350160
EBUILD PlRPC-0.202.0-r1.ebuild 922 SHA256 34d470315890169ca6fbc55f9499542ba8bff2fa9a0a20fd98e2239c4f093d5d SHA512 98a894680a67d4863d772a1927c9dc93d590a15a64c3873cbc689fbbfb87d1354f5809b10a55a9db382fdfe79f14c4525ac1c0a0a27defc3943d53b33d4c64df WHIRLPOOL c242d1dfec7e6a4315f89be35b73406f516d38befda3659f1c4b08887785dadb0c74cbd46d9fe1a13ced2afeeb1179ee7eefae7140a226af085816b2f0428320
-MISC ChangeLog 7305 SHA256 1fea93df987934148ded344ca49e5eb65739be0c8b52b1f9a8cfdd4a3b7c3f1b SHA512 c334583e1a4747b896fec432d3b3c9242c58645b17a21e668e1e998517c346c129e248fd158ae3eae7e890a0d900ae9609a17479b1728a9cb829680924cfce57 WHIRLPOOL ff8ed2dd0e1b7f31c2a682fdffd3a270112b8e876071f0fce5af4de5fd7caa9a795536e48c9fad34faa087f95de4e07192a2b4b9a019f0a9f76432b3d8be9874
+EBUILD PlRPC-0.202.0-r2.ebuild 998 SHA256 980ada5c8e05ee90d35111b944573ace152df97ed555b38bcdbc8cba3937e16b SHA512 6cd9afe44a865a2ca881c2527e250f85b68217c93db81ecadfd51476bfa18ac0372514568d519bb157c26c0c4dcadf32e1b811b99429fec886209223c06373c8 WHIRLPOOL 556314209f4ce82b4e0ae06dbbab14f941e79852ae5b3d855cc7e33f60f44b31f24fec0894e65a84186fb20b8e44152423de8185ebaed90d993a51b6593be2a7
+MISC ChangeLog 7508 SHA256 5ae911e5633e3b14daef7ab080d773c4a439963dd3d17152713fb41890339049 SHA512 1eb792c4e4e4cef49b7afe828e8168b22ae9b1f78b30482cc72659c2ffe2696025d674d40ef709fb2304c01c46da0d3632978422f4a729b6b8c8ede884d8466d WHIRLPOOL b170d37903507fc46d1209fbce5a2ae7e6d6a720a85284ccaadd44595d42cb239cd184f0be2ca0e46f62683848f5dd73ce86b2b3b8017b6910c8aca7a4537977
MISC metadata.xml 677 SHA256 82d506de4ef438bacc4fb5ecb5f192d3817162782c5ad95b51c68c2b74408181 SHA512 bea6dd65f4ea179f2868a94f6f7c80ca3ba3f95c5de576d3353bcbc9b71424379f0564b3c246a3300385bf8c8fa1f9241fe49c8ceecee3694f6978aa7e797097 WHIRLPOOL 7104323f8ebc58870c5e2fc0571daec9b909e9322398d63005a1562d45ba5a50fdd91110788dc7454301d038ac177ebcdfa87380f9579b9e7e1d1e425956b5a7
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
-iJwEAQEIAAYFAlLW8+IACgkQG9wOWsQutdbbbQQAzd+BfDJzIw9fLpyfcDxqEg7a
-fcJz3a/u9J4QazpE53qz1hZyz6GMIBvzNmRaFFLctzpkazaKwG8txd8CByo+40mV
-ZRg8YHe4gqdpREYv+uvfHzYGMG20Jm4EEQWdhtUXDwLcvWO1sZsOPx/SJVUXlOTf
-9Iw3nrOlgaVqIuPKNiM=
-=Cy0c
+iJwEAQEIAAYFAlLcEtcACgkQG9wOWsQutdZRIgQAheQWe+MQJuVyc+oRCjsygcWL
+PZokqoeTqnYBf9bN6nDrkSAM1I16BPTEME8fid5RXAtBn9G99NnFxjGR0hupG+jg
+TE0rbTIjFDr1f5MYWPkttuVRSZdtOZLEFcDsazfkfgWKYiiiM+eDmTuY6/yLpqyT
+fxpSIRpLNLfj2SkJwac=
+=xtHL
-----END PGP SIGNATURE-----
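Review bot: the Manifest keeps the `EBUILD PlRPC-0.202.0-r1.ebuild` line next to the new `EBUILD PlRPC-0.202.0-r2.ebuild` entry, so the revision without the advisory patch stays installable from the tree after this commit; for a security-motivated bump, plan to remove -r1 and its Manifest entry once -r2 has been keyworded, as was done for the plain 0.202.0 ebuild on 15 Jan. The rest of the hunk is consistent: the new `AUX` entry for the patch, the updated `MISC ChangeLog` size and digests, and a regenerated PGP signature replacing the old one, which is required because the signed content changed.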
diff --git a/dev-perl/PlRPC/PlRPC-0.202.0-r2.ebuild b/dev-perl/PlRPC/PlRPC-0.202.0-r2.ebuild
new file mode 100644
index 000000000000..1c6faaef1900
--- /dev/null
+++ b/dev-perl/PlRPC/PlRPC-0.202.0-r2.ebuild
@@ -0,0 +1,31 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-perl/PlRPC/PlRPC-0.202.0-r2.ebuild,v 1.1 2014/01/19 17:55:01 zlogene Exp $
+
+EAPI=5
+
+MODULE_AUTHOR=MNOONING
+MODULE_SECTION=${PN}
+MODULE_VERSION=0.2020
+inherit perl-module
+
+S=${WORKDIR}/${PN}
+
+DESCRIPTION="The Perl RPC Module"
+
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~x86-interix ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE=""
+
+RDEPEND=">=virtual/perl-Storable-1.0.7
+ >=dev-perl/Net-Daemon-0.34"
+DEPEND="${RDEPEND}"
+
+PATCHES=( "${FILESDIR}/perldoc-remove.patch"
+ "${FILESDIR}/Security-notice-on-Storable-and-reply-attack.patch" )
+
+src_test() {
+ PERL_DL_NONLAZY=1 /usr/bin/perl \
+ "-MExtUtils::Command::MM" \
+ "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
+}
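Review bot: `PATCHES` now applies `Security-notice-on-Storable-and-reply-attack.patch`, whose own diffstat shows 31 insertions confined to README and `lib/RPC/PlServer.pm` documentation, so this ebuild revision does not change runtime behaviour; a one-line comment above `PATCHES` saying the patch is a documentation advisory (upstream's notice that Storable is exercised before the password check and that TLS or IPsec should be used) would stop the next maintainer from assuming bug #497692 is closed by it. As a style point, `src_test` hardcodes `/usr/bin/perl` and `PERL_DL_NONLAZY=1` even though the ebuild inherits `perl-module`, which provides its own test phase; if the override is deliberate, a comment on why would help.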
diff --git a/dev-perl/PlRPC/files/Security-notice-on-Storable-and-reply-attack.patch b/dev-perl/PlRPC/files/Security-notice-on-Storable-and-reply-attack.patch
new file mode 100644
index 000000000000..877e7bc816dc
--- /dev/null
+++ b/dev-perl/PlRPC/files/Security-notice-on-Storable-and-reply-attack.patch
@@ -0,0 +1,105 @@
+From 29f5ad4805a04e4c4fd18795f7153798c80a46ce Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Mon, 18 Nov 2013 12:20:52 +0100
+Subject: [PATCH] Security notice on Storable and reply attack
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ README | 16 ++++++++++++++++
+ lib/RPC/PlServer.pm | 15 +++++++++++++++
+ 2 files changed, 31 insertions(+)
+
+diff --git a/README b/README
+index 8a68657..48a33e4 100644
+--- a/README
++++ b/README
+@@ -204,6 +204,7 @@ EXAMPLE
+ require RPC::PlServer;
+ require MD5;
+
++
+ package MD5_Server; # Clients need to request application
+ # "MD5_Server"
+
+@@ -245,6 +246,10 @@ SECURITY
+ that I missed something. Security was a design goal, but not *the*
+ design goal. (A well known problem ...)
+
++ Due to implementation of PlRPC, it's hard to use internal authentication
++ mechanisms properly to achieve secured remote calls. Therefore users are
++ advised to use an external authentication mechanism like TLS or IPsec.
++
+ I highly recommend the following design principles:
+
+ Protection against "trusted" users
+@@ -263,6 +268,14 @@ SECURITY
+ Be restrictive
+ Think twice, before you give a client access to a method.
+
++ Use of Storable
++ Storable module used for serialization and deserialization
++ underneath is inherently insecure. Deserialized data can contain
++ objects which lead to loading foreign modules and executing possible
++ attached destructors. Do not accept host-based unauthorized
++ connections. The Storable module is exercised before checking user
++ password.
++
+ perlsec
+ And just in case I forgot it: Read the "perlsec" man page. :-)
+
+@@ -283,6 +296,9 @@ SECURITY
+ authorized, you should switch to a user based key. See the
+ DBI::ProxyServer for an example.
+
++ Please note PlRPC encryption does not protect from reply attacks.
++ You should have implement it on the application or the cipher level.
++
+ AUTHOR AND COPYRIGHT
+ The PlRPC-modules are
+
+diff --git a/lib/RPC/PlServer.pm b/lib/RPC/PlServer.pm
+index 10b56c9..ce38594 100644
+--- a/lib/RPC/PlServer.pm
++++ b/lib/RPC/PlServer.pm
+@@ -613,6 +613,10 @@ I did my best to avoid security problems, but it is more than likely,
+ that I missed something. Security was a design goal, but not *the*
+ design goal. (A well known problem ...)
+
++Due to implementation of PlRPC, it's hard to use internal authentication
++mechanisms properly to achieve secured remote calls. Therefore users are
++advised to use an external authentication mechanism like TLS or IPsec.
++
+ I highly recommend the following design principles:
+
+ =head2 Protection against "trusted" users
+@@ -637,6 +641,14 @@ object handle is valid before coercing a method on it.
+
+ Think twice, before you give a client access to a method.
+
++=item Use of Storable
++
++L<Storable> module used for serialization and deserialization underneath is
++inherently insecure. Deserialized data can contain objects which lead to
++loading foreign modules and executing possible attached destructors. Do not
++accept host-based unauthorized connections. The L<Storable> module is
++exercised before checking user password.
++
+ =item perlsec
+
+ And just in case I forgot it: Read the C<perlsec> man page. :-)
+@@ -667,6 +679,9 @@ login phase, where to use a host based key. As soon as the user
+ has authorized, you should switch to a user based key. See the
+ DBI::ProxyServer for an example.
+
++Please note PlRPC encryption does not protect from reply attacks. You should
++have implement it on the application or the cipher level.
++
+ =back
+
+ =head1 AUTHOR AND COPYRIGHT
+--
+1.8.3.1
+
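Review bot: "reply attack" in the patch Subject, in the file name, and in both added paragraphs (`+Please note PlRPC encryption does not protect from reply attacks.`) should read "replay attack", and the follow-on sentence `+have implement it on the application or the cipher level.` should be "You should implement it at the application or cipher level"; since the patch is carried verbatim from upstream (29f5ad48, Petr Písař, 2013-11-18), the text fix can be made in the copy shipped under files/ without renaming the file, which the Manifest and ebuild already reference. The first nested README hunk (`@@ -204,6 +204,7 @@ EXAMPLE`) adds only a stray blank line after `require MD5;` and should be dropped as unrelated whitespace. The substantive notice is sound and worth keeping as-is: because Storable deserialization happens before the user password is checked, the stated mitigation (refuse host-based unauthorized connections and wrap the transport in TLS or IPsec) is the right one to document.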