Package: release.debian.org
Severity: normal
Tags: squeeze
User: release.debian....@packages.debian.org
Usertags: pu
Hi release team,

This is the corresponding proposed update for libdbi-perl as for wheezy, see [1], in case I'm still in time for squeeze-pu. Attached is the proposed debdiff for squeeze.

libplrpc-perl was removed from the archive for unstable [1] as it uses Storable in an unsafe way, leading to a remote code execution vulnerability. The idea is to also drop libplrpc-perl from squeeze. As a first step, again, the dependency needs to be removed from libdbi-perl.

[1] https://bugs.debian.org/751527

Thanks for considering,

Regards,
Salvatore
diff -Nru libdbi-perl-1.612/debian/changelog libdbi-perl-1.612/debian/changelog --- libdbi-perl-1.612/debian/changelog 2010-07-18 20:02:53.000000000 +0200 +++ libdbi-perl-1.612/debian/changelog 2014-07-14 22:02:32.000000000 +0200 @@ -1,3 +1,15 @@ +libdbi-perl (1.612-1+deb6u1) squeeze; urgency=low + + * Team upload. + * Remove libplrpc-perl from Build-Depends and Depends (Closes: #745427) + * warn users of DBI::Proxy about its unsafe usage of Storable + patch by Petr Písař from + https://rt.cpan.org/Public/Bug/Display.html?id=90475 + * Add dont-install-dbiproxy-script.patch patch. + Don't install dbiproxy script into /usr/bin. + + -- Salvatore Bonaccorso <car...@debian.org> Mon, 14 Jul 2014 21:59:37 +0200 + libdbi-perl (1.612-1) unstable; urgency=low * New upstream release. diff -Nru libdbi-perl-1.612/debian/control libdbi-perl-1.612/debian/control --- libdbi-perl-1.612/debian/control 2010-07-18 20:02:53.000000000 +0200 +++ libdbi-perl-1.612/debian/control 2014-07-14 22:02:32.000000000 +0200 @@ -7,7 +7,7 @@ gregor herrmann <gre...@debian.org>, Ryan Niebur <r...@debian.org>, Jonathan Yu <jaw...@cpan.org>, Ansgar Burchardt <ans...@43-1.org> Build-Depends: perl, debhelper (>= 7.0.50~), - libplrpc-perl, libtest-pod-perl, libtest-pod-coverage-perl, + libtest-pod-perl, libtest-pod-coverage-perl, perl (>= 5.10.1) | libtest-simple-perl (>= 0.90) Standards-Version: 3.9.0 Homepage: http://dbi.perl.org/ 
@@ -16,7 +16,7 @@ Package: libdbi-perl Architecture: any -Depends: ${misc:Depends}, ${perl:Depends}, ${shlibs:Depends}, libplrpc-perl +Depends: ${misc:Depends}, ${perl:Depends}, ${shlibs:Depends} Provides: perl-dbdabi-${perl-dbdabi-version} Breaks: libdbd-anydata-perl (<< 0.09+), libdbd-csv-perl (<< 0.3000), diff -Nru libdbi-perl-1.612/debian/patches/Security-notice-for-Proxy.patch libdbi-perl-1.612/debian/patches/Security-notice-for-Proxy.patch --- libdbi-perl-1.612/debian/patches/Security-notice-for-Proxy.patch 1970-01-01 01:00:00.000000000 +0100 +++ libdbi-perl-1.612/debian/patches/Security-notice-for-Proxy.patch 2014-07-14 22:02:32.000000000 +0200 
@@ -0,0 +1,56 @@ +From cd8fcbbf402e1d70c9f325f8b0fcd99e02cf14be Mon Sep 17 00:00:00 2001 +From: Petr Písař <ppi...@redhat.com> +Date: Mon, 18 Nov 2013 12:52:09 +0100 +Subject: [PATCH] Security notice for Proxy +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Bug: https://rt.cpan.org/Public/Bug/Display.html?id=90475 + +PlRPC is not secure due to Storable. Warn Proxy users about it. + +Signed-off-by: Petr Písař <ppi...@redhat.com> +--- + lib/DBD/Proxy.pm | 7 +++++++ + lib/DBI/ProxyServer.pm | 7 +++++++ + 2 files changed, 14 insertions(+) + +diff --git a/lib/DBD/Proxy.pm b/lib/DBD/Proxy.pm +index 287b2dc..5948255 100644 +--- a/lib/DBD/Proxy.pm ++++ b/lib/DBD/Proxy.pm +@@ -974,6 +974,13 @@ The workaround is storing the modified local copy back to the server: + $dbh->{"csv_tables"} = $tables; + + ++=head1 SECURITY WARNING ++ ++L<RPC::PlClient> used underneath is not secure due to serializing and ++deserializing data with L<Storable> module. Use the proxy driver only in ++trusted environment. ++ ++ + =head1 AUTHOR AND COPYRIGHT + + This module is Copyright (c) 1997, 1998 +diff --git a/lib/DBI/ProxyServer.pm b/lib/DBI/ProxyServer.pm +index 68ad4af..78a0d78 100644 +--- a/lib/DBI/ProxyServer.pm ++++ b/lib/DBI/ProxyServer.pm +@@ -867,6 +867,13 @@ Don't try to put parameters into the sql-query like this: + =back + + ++=head1 SECURITY WARNING ++ ++L<RPC::PlServer> used underneath is not secure due to serializing and ++deserializing data with L<Storable> module. Use the proxy driver only in ++trusted environment. 
++ ++ + =head1 AUTHOR + + Copyright (c) 1997 Jochen Wiedmann +-- +1.8.3.1 + diff -Nru libdbi-perl-1.612/debian/patches/dont-install-dbiproxy-script.patch libdbi-perl-1.612/debian/patches/dont-install-dbiproxy-script.patch --- libdbi-perl-1.612/debian/patches/dont-install-dbiproxy-script.patch 1970-01-01 01:00:00.000000000 +0100 +++ libdbi-perl-1.612/debian/patches/dont-install-dbiproxy-script.patch 2014-07-14 22:02:32.000000000 +0200 @@ -0,0 +1,17 @@ +Description: Don't install /usr/bin/dbiproxy +Origin: vendor +Forwarded: no +Author: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2014-06-10 + +--- a/Makefile.PL ++++ b/Makefile.PL +@@ -120,7 +120,7 @@ my %opts = ( + 'DBD::PO' => '2.10', + }, + LICENSE => 'perl', +- EXE_FILES => [ "dbiproxy$ext_pl", "dbiprof$ext_pl", "dbilogstrip$ext_pl" ], ++ EXE_FILES => [ "dbiprof$ext_pl", "dbilogstrip$ext_pl" ], + DIR => [ ], + dynamic_lib => { OTHERLDFLAGS => "$::opt_g" }, + clean => { FILES=> "\$(DISTVNAME) Perl.xsi t/zv*_*.t dbi__null_test_tmp*" diff -Nru libdbi-perl-1.612/debian/patches/series libdbi-perl-1.612/debian/patches/series --- libdbi-perl-1.612/debian/patches/series 2010-04-08 23:34:35.000000000 +0200 +++ libdbi-perl-1.612/debian/patches/series 2014-07-14 22:02:32.000000000 +0200 @@ -2,3 +2,5 @@ t__40profile.t__NTP.patch t__80proxy.t___syslogd.patch spelling.patch +Security-notice-for-Proxy.patch +dont-install-dbiproxy-script.patch
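Review bot: the debian/changelog hunk gives no security rationale for dropping libplrpc-perl, although the cover mail does (unsafe use of Storable leading to remote code execution, #751527). Suggest the second bullet read along the lines of "Remove libplrpc-perl from Build-Depends and Depends, as it uses Storable unsafely (see #751527) (Closes: #745427)" so that squeeze users reading the changelog learn why the proxy driver stops working.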
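Review bot: removing libplrpc-perl from Build-Depends in the first debian/control hunk means RPC::PlClient and RPC::PlServer are absent at build time, yet debian/patches/series still carries t__80proxy.t___syslogd.patch, so the proxy test (t/80proxy.t) is evidently exercised during the build. Please confirm from the build log that this test skips cleanly when the modules are missing rather than failing, and mention that in the changelog or the cover mail.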
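Review bot: the second debian/control hunk drops the runtime dependency, but lib/DBD/Proxy.pm and lib/DBI/ProxyServer.pm are still shipped, so loading DBD::Proxy on an updated squeeze system will fail with a "Can't locate RPC/PlClient.pm" style error rather than surfacing the new POD warning. A NEWS.Debian or README.Debian entry stating that the proxy driver and server are intentionally unusable on squeeze would make this far less surprising than a bare module-not-found failure.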
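Review bot: in the lib/DBI/ProxyServer.pm half of Security-notice-for-Proxy.patch the added text says "Use the proxy driver only in trusted environment", copied from the lib/DBD/Proxy.pm wording; that file documents the server side, so "Use the proxy server only in a trusted environment" would be accurate. As the patch is taken verbatim from CPAN RT #90475, either carry the wording fix as a Debian-local follow-up or leave it as upstream's text; also note the patch changes POD only and has no effect on behaviour, so the real mitigation here is the removed dependency.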
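Review bot: dont-install-dbiproxy-script.patch only drops "dbiproxy$ext_pl" from EXE_FILES in Makefile.PL; the DBI::ProxyServer module and its documentation stay installed, so the changelog line "Don't install dbiproxy script into /usr/bin" describes the whole effect. Two checks before upload: that nothing under debian/ (install or manpages lists, if present) still references dbiproxy or a generated dbiproxy manual page, which would break the build, and that "Last-Update: 2014-06-10" in the patch header is intended, since it predates the 14 Jul 2014 changelog date.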