Package: release.debian.org Severity: normal Tags: wheezy User: [email protected] Usertags: pu
Hi Release Team

Cc'ing also Moritz Mühlenhoff and the debian-perl list.

libplrpc-perl was removed from the archive for unstable[1] as it uses Storable in an unsafe way, leading to a remote code execution vulnerability. The idea is to also drop libplrpc-perl from wheezy and squeeze if possible. As a first step toward this goal I propose to drop the dependency from the libdbi-perl package.

Note: There is no real code change in wheezy to unstable in the corresponding module part, although in the Debian package itself libplrpc-perl moved from Depends to Suggests following upstream recommendation (in version 1.627-1).

[1] https://bugs.debian.org/734789
    https://bugs.debian.org/745477

For the debdiff: I removed the dependency (as done for unstable), added a patch to add a Security notice in the Proxy modules, and also removed installation of the dbiproxy script.

Does this look safe enough?

Regards,
Salvatore
diff -Nru libdbi-perl-1.622/debian/changelog libdbi-perl-1.622/debian/changelog --- libdbi-perl-1.622/debian/changelog 2012-06-07 12:46:26.000000000 +0200 +++ libdbi-perl-1.622/debian/changelog 2014-06-13 18:24:52.000000000 +0200 @@ -1,3 +1,15 @@ +libdbi-perl (1.622-1+deb7u1) wheezy; urgency=low + + * Team upload. + * Remove libplrpc-perl from Build-Depends and Depends (Closes: #745427) + * warn users of DBI::Proxy about its unsafe usage of Storable + patch by Petr Písař from + https://rt.cpan.org/Public/Bug/Display.html?id=90475 + * Add dont-install-dbiproxy-script.patch patch. + Don't install dbiproxy script into /usr/bin. + + -- Salvatore Bonaccorso <[email protected]> Tue, 10 Jun 2014 09:05:28 +0200 + libdbi-perl (1.622-1) unstable; urgency=low * New upstream release diff -Nru libdbi-perl-1.622/debian/control libdbi-perl-1.622/debian/control --- libdbi-perl-1.622/debian/control 2012-06-07 12:46:26.000000000 +0200 +++ libdbi-perl-1.622/debian/control 2014-06-13 18:24:52.000000000 +0200 @@ -9,7 +9,6 @@ Nicholas Bamber <[email protected]>, Alessandro Ghedini <[email protected]> Build-Depends: perl, debhelper (>= 9), - libplrpc-perl, libtest-pod-coverage-perl, libtest-pod-perl, perl (>= 5.10.1) | libtest-simple-perl (>= 0.90) @@ -20,7 +19,7 @@ Package: libdbi-perl Architecture: any -Depends: ${misc:Depends}, ${perl:Depends}, ${shlibs:Depends}, libplrpc-perl +Depends: ${misc:Depends}, ${perl:Depends}, ${shlibs:Depends} Provides: perl-dbdabi-${perl-dbdabi-version} Breaks: libdbd-anydata-perl (<< 0.09+), libdbd-csv-perl (<< 0.3000), diff -Nru libdbi-perl-1.622/debian/patches/Security-notice-for-Proxy.patch libdbi-perl-1.622/debian/patches/Security-notice-for-Proxy.patch --- libdbi-perl-1.622/debian/patches/Security-notice-for-Proxy.patch 1970-01-01 01:00:00.000000000 +0100 +++ libdbi-perl-1.622/debian/patches/Security-notice-for-Proxy.patch 2014-06-13 18:24:52.000000000 +0200 
@@ -0,0 +1,56 @@ +From cd8fcbbf402e1d70c9f325f8b0fcd99e02cf14be Mon Sep 17 00:00:00 2001 +From: Petr Písař <[email protected]> +Date: Mon, 18 Nov 2013 12:52:09 +0100 +Subject: [PATCH] Security notice for Proxy +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Bug: https://rt.cpan.org/Public/Bug/Display.html?id=90475 + +PlRPC is not secure due to Storable. Warn Proxy users about it. + +Signed-off-by: Petr Písař <[email protected]> +--- + lib/DBD/Proxy.pm | 7 +++++++ + lib/DBI/ProxyServer.pm | 7 +++++++ + 2 files changed, 14 insertions(+) + +diff --git a/lib/DBD/Proxy.pm b/lib/DBD/Proxy.pm +index 287b2dc..5948255 100644 +--- a/lib/DBD/Proxy.pm ++++ b/lib/DBD/Proxy.pm +@@ -974,6 +974,13 @@ The workaround is storing the modified local copy back to the server: + $dbh->{"csv_tables"} = $tables; + + ++=head1 SECURITY WARNING ++ ++L<RPC::PlClient> used underneath is not secure due to serializing and ++deserializing data with L<Storable> module. Use the proxy driver only in ++trusted environment. ++ ++ + =head1 AUTHOR AND COPYRIGHT + + This module is Copyright (c) 1997, 1998 +diff --git a/lib/DBI/ProxyServer.pm b/lib/DBI/ProxyServer.pm +index 68ad4af..78a0d78 100644 +--- a/lib/DBI/ProxyServer.pm ++++ b/lib/DBI/ProxyServer.pm +@@ -867,6 +867,13 @@ Don't try to put parameters into the sql-query like this: + =back + + ++=head1 SECURITY WARNING ++ ++L<RPC::PlServer> used underneath is not secure due to serializing and ++deserializing data with L<Storable> module. Use the proxy driver only in ++trusted environment. 
++ ++ + =head1 AUTHOR + + Copyright (c) 1997 Jochen Wiedmann +-- +1.8.3.1 + diff -Nru libdbi-perl-1.622/debian/patches/dont-install-dbiproxy-script.patch libdbi-perl-1.622/debian/patches/dont-install-dbiproxy-script.patch --- libdbi-perl-1.622/debian/patches/dont-install-dbiproxy-script.patch 1970-01-01 01:00:00.000000000 +0100 +++ libdbi-perl-1.622/debian/patches/dont-install-dbiproxy-script.patch 2014-06-13 18:24:52.000000000 +0200 @@ -0,0 +1,17 @@ +Description: Don't install /usr/bin/dbiproxy +Origin: vendor +Forwarded: no +Author: Salvatore Bonaccorso <[email protected]> +Last-Update: 2014-06-10 + +--- a/Makefile.PL ++++ b/Makefile.PL +@@ -120,7 +120,7 @@ my %opts = ( + 'DBD::PO' => '2.10', + }, + LICENSE => 'perl', +- EXE_FILES => [ "dbiproxy$ext_pl", "dbiprof$ext_pl", "dbilogstrip$ext_pl" ], ++ EXE_FILES => [ "dbiprof$ext_pl", "dbilogstrip$ext_pl" ], + DIR => [ ], + dynamic_lib => { OTHERLDFLAGS => "$::opt_g" }, + clean => { FILES=> "\$(DISTVNAME) Perl.xsi t/zv*_*.t dbi__null_test_tmp*" diff -Nru libdbi-perl-1.622/debian/patches/series libdbi-perl-1.622/debian/patches/series --- libdbi-perl-1.622/debian/patches/series 2012-06-07 12:46:26.000000000 +0200 +++ libdbi-perl-1.622/debian/patches/series 2014-06-13 18:24:52.000000000 +0200 @@ -2,3 +2,5 @@ t__40profile.t__NTP.patch t__80proxy.t___syslogd.patch fix-spelling.patch +Security-notice-for-Proxy.patch +dont-install-dbiproxy-script.patch
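Review bot: in the debian/changelog hunk the bug number in "Closes: #745427" matches neither of the bugs cited in the cover mail (734789 and 745477); confirm it is the intended libdbi-perl bug before upload, since a wrong Closes: leaves the real report open and closes an unrelated one.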
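Review bot: the debian/control hunk drops libplrpc-perl from Depends without re-adding it as Suggests (unlike the 1.627-1 change in unstable mentioned in the cover mail), so DBD::Proxy and DBI::ProxyServer are still shipped while the RPC::PlClient / RPC::PlServer modules they load are no longer guaranteed to be installed. That is the intended mitigation, but it deserves a sentence in the changelog or a NEWS.Debian entry so wheezy users of the proxy driver understand why it stops loading after the update.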
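Review bot: in the Security-notice-for-Proxy.patch hunk for lib/DBI/ProxyServer.pm the notice says "Use the proxy driver only in trusted environment" although that file is the server side; "Run the proxy server only in a trusted environment" would match the module (and "in a trusted environment" reads better in both files). As the patch is taken verbatim from upstream RT#90475 this can stay, but then the changelog entry should say the wording is upstream's.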
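Review bot: the dont-install-dbiproxy-script.patch hunk removes /usr/bin/dbiproxy from a stable release, which breaks any cron job or init script that invokes it; add a NEWS.Debian entry (or at least a changelog sentence) stating that the script was dropped because of the PlRPC/Storable issue rather than by accident. Minor: since the change is Debian-specific, "Forwarded: not-needed" describes it more accurately than "Forwarded: no".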
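Before libplrpc-perl can be dropped from wheezy, every remaining reverse dependency has to be found and fixed the way this debdiff fixes libdbi-perl. The script below is an added example (not part of the debdiff or of the libdbi-perl package): it parses the relationship fields of a constructed debian/control fragment modelled on the pre-patch state above and reports each stanza and field that still names a given package, so the same check can be run over other source packages' control files.

```python
import re

# Constructed sample: the relationship fields of libdbi-perl's debian/control
# as they stood before the debdiff above, trimmed to what the parser needs.
SAMPLE_CONTROL = """\
Source: libdbi-perl
Build-Depends: perl, debhelper (>= 9),
 libplrpc-perl,
 perl (>= 5.10.1) | libtest-simple-perl (>= 0.90)

Package: libdbi-perl
Depends: ${misc:Depends}, ${perl:Depends}, ${shlibs:Depends}, libplrpc-perl
"""
RELATION_FIELDS = ("Build-Depends", "Depends", "Recommends", "Suggests")

def parse_stanzas(text):
    """Split control text into dicts; indented continuation lines are folded."""
    stanzas, current, last_field = [], {}, None
    for line in text.splitlines():
        if not line.strip():                   # blank line ends a stanza
            if current:
                stanzas.append(current)
            current, last_field = {}, None
        elif line[0] in " \t" and last_field:  # continuation of previous field
            current[last_field] += " " + line.strip()
        else:
            field, _, value = line.partition(":")
            last_field = field.strip()
            current[last_field] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas

def package_names(relation):
    """Yield bare names: drop versions, arch restrictions and ${substvars}."""
    for group in relation.split(","):
        for alt in group.split("|"):           # report every alternative
            name = re.sub(r"[\s(\[].*$", "", alt.strip())
            if name and not name.startswith("${"):
                yield name

def references(text, package):
    """Return [(stanza, field), ...] for every relationship field naming package."""
    hits = []
    for stanza in parse_stanzas(text):
        who = stanza.get("Package") or "src:" + stanza.get("Source", "?")
        for field in RELATION_FIELDS:
            if package in package_names(stanza.get(field, "")):
                hits.append((who, field))
    return hits
```

Running `references(open("debian/control").read(), "libplrpc-perl")` on a real unpacked source package lists exactly the fields the maintainer still has to edit; an empty list is the state this debdiff reaches.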

