GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Thu Mar 27, 2014 11:26 am Post subject: [ GLSA 201403-08 ] PlRPC: Arbitrary code execution
Gentoo Linux Security Advisory
Title: PlRPC: Arbitrary code execution (GLSA 201403-08)
Severity: normal
Exploitable: remote
Date: March 27, 2014
Bug(s): #497692
ID: 201403-08
Synopsis
PlRPC uses Storable, which allows for code execution prior to authentication.
Background
The Perl RPC Module is a Perl module that implements IDL-free RPCs.
Affected Packages
Package: dev-perl/PlRPC
Vulnerable: < 0.202.0-r2
Unaffected: >= 0.202.0-r2
Architectures: All supported architectures
Description
PlRPC uses the Storable module for serialization and deserialization of
untrusted data. Deserialized data can contain objects which can lead to the
loading of foreign modules, and possibly to the execution of arbitrary code.
Impact
A remote attacker could possibly execute arbitrary code with the privileges
of the process, or cause a Denial of Service condition.
Workaround
An external authentication mechanism, such as TLS or IPsec, can be used with
PlRPC.
Resolution
All PlRPC users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-perl/PlRPC-0.202.0-r2"
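As an added example (not part of the advisory or of Gentoo's own tooling), the following POSIX shell script decides whether an installed dev-perl/PlRPC entry falls inside the advisory's vulnerable range (< 0.202.0-r2). It reads lines in the "category/pkg-version" form that `qlist -Iv` (from portage-utils) prints; the sample lines embedded below are constructed, and the version parser only handles the MAJOR.MINOR.PATCH[-rN] shape this advisory uses, so it is not a general replacement for Portage's version comparison.

```shell
#!/bin/sh
# Added example for GLSA 201403-08: flag an installed dev-perl/PlRPC whose
# version is below the fixed version named in the Resolution section.
# Handles only MAJOR.MINOR.PATCH with an optional Gentoo -rN revision.

FIXED_VERSION="0.202.0-r2"

# version_key VERSION -> prints "MAJOR MINOR PATCH REV" as plain integers.
# A missing -rN revision is treated as r0 (Gentoo's implicit revision).
version_key() {
    base=${1%%-r*}
    case "$1" in
        *-r*) rev=${1##*-r} ;;
        *)    rev=0 ;;
    esac
    IFS=.
    set -- $base
    unset IFS
    printf '%d %d %d %d\n' "${1:-0}" "${2:-0}" "${3:-0}" "$rev"
}

# version_lt A B -> exit 0 when A sorts strictly before B.
version_lt() {
    set -- $(version_key "$1") $(version_key "$2")
    for i in 1 2 3 4; do
        [ "$1" -lt "$5" ] && return 0
        [ "$1" -gt "$5" ] && return 1
        shift
    done
    return 1
}

# plrpc_affected VERSION -> exit 0 (true) when VERSION < 0.202.0-r2.
plrpc_affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_installed LINE: LINE is one "category/pkg-version" entry as printed
# by `qlist -Iv`. Prints a verdict; returns 0 only for a vulnerable PlRPC.
check_installed() {
    case "$1" in
        dev-perl/PlRPC-*) ver=${1#dev-perl/PlRPC-} ;;
        *) return 1 ;;
    esac
    if plrpc_affected "$ver"; then
        echo "VULNERABLE: dev-perl/PlRPC-$ver (fixed in $FIXED_VERSION, GLSA 201403-08)"
        return 0
    fi
    echo "ok: dev-perl/PlRPC-$ver"
    return 1
}

# Constructed sample of `qlist -Iv` output; on a real system feed the command's
# output in instead (e.g. qlist -Iv | while read -r l; do check_installed "$l"; done).
SAMPLE_QLIST='dev-lang/perl-5.16.3
dev-perl/PlRPC-0.202.0-r1
dev-perl/DBI-1.627'

# scan_sample -> prints a verdict per line and a count of vulnerable entries.
scan_sample() {
    found=0
    while read -r line; do
        if check_installed "$line"; then found=$((found + 1)); fi
    done <<EOF
$SAMPLE_QLIST
EOF
    echo "$found vulnerable PlRPC entry(ies) found"
    return 0
}

scan_sample
```

The revision is compared as a fourth numeric component, which is why 0.202.0 (implicit r0) and 0.202.0-r1 are both reported as vulnerable while 0.202.0-r2 and anything newer are not.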
References
CVE-2013-7284