Date: Thu, 9 Jan 2014 13:39:39 -0500 (EST) From: cve-assign@...re.org To: fweimer@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: PlRPC Perl module: pre-auth remote code execution, weak crypto -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > it uses Storable, which is known to be insecure when deserializing > (thawing) untrusted data. User name and password are transmitted using > Storable, so code execution can happen before authentication. Use CVE-2013-7284 for this code-execution issue. > The cryptographic hook built into PlRPC is limited ... > It's not really PlRPC's fault At this point, we will postpone deciding on the number of CVE IDs needed for cryptographic issues in PlRPC, pending a possible upstream response that might clarify whether the product had been specifically trying to achieve the associated cryptographic goals. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJSzux7AAoJEKllVAevmvmsEggIAKdQdJ8bkiEhPfzE4O92TPUt Ul6X21WCn+n6+OYowFYiN30bb/wuYjB9suMcfk7S1JJZAH4F2Cv8jZNvgUT3ca5E Ekgdoy3Rl2O4o6nsF2oi+vdqRg7nRSkrgNud4aqNM4HCuWLbCr+5rMIpF4M/Z8Ai XOHZguxtujuEhFkkTLsskBqYZEM7qoZZQdV/JhXdb/+uyd5kTIACRAc5BDnZcIaV kRfb6/I+jMXCY4H6S7Cv39Uw2h+zCS75KCr1NGILQp0HKaz1MfILO2vvejogIudB ZKBULvtDlWDiIq+l5zatbhUdNW8yt3CK1mmToTuDJBpEhet8bc3Gx+UqIG//Yy4= =Ood1 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ