Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 9 Jan 2014 13:39:39 -0500 (EST)
From: cve-assign@...re.org
To: fweimer@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: PlRPC Perl module: pre-auth remote code execution, weak crypto

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> it uses Storable, which is known to be insecure when deserializing
> (thawing) untrusted data.  User name and password are transmitted using
> Storable, so code execution can happen before authentication.

Use CVE-2013-7284 for this code-execution issue.


> The cryptographic hook built into PlRPC is limited ...
> It's not really PlRPC's fault

At this point, we will postpone deciding on the number of CVE IDs
needed for cryptographic issues in PlRPC, pending a possible upstream
response that might clarify whether the product had been specifically
trying to achieve the associated cryptographic goals.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJSzux7AAoJEKllVAevmvmsEggIAKdQdJ8bkiEhPfzE4O92TPUt
Ul6X21WCn+n6+OYowFYiN30bb/wuYjB9suMcfk7S1JJZAH4F2Cv8jZNvgUT3ca5E
Ekgdoy3Rl2O4o6nsF2oi+vdqRg7nRSkrgNud4aqNM4HCuWLbCr+5rMIpF4M/Z8Ai
XOHZguxtujuEhFkkTLsskBqYZEM7qoZZQdV/JhXdb/+uyd5kTIACRAc5BDnZcIaV
kRfb6/I+jMXCY4H6S7Cv39Uw2h+zCS75KCr1NGILQp0HKaz1MfILO2vvejogIudB
ZKBULvtDlWDiIq+l5zatbhUdNW8yt3CK1mmToTuDJBpEhet8bc3Gx+UqIG//Yy4=
=Ood1
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ