From 4f2d7949f03e1c198bc888f2d05f421d35c57e21 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Mon, 9 Oct 2017 18:53:29 +0100 Subject: reinit the tree, so we can have metadata --- dev-perl/PlRPC/Manifest | 7 ++ dev-perl/PlRPC/PlRPC-0.202.0-r2.ebuild | 30 ++++++ ...urity-notice-on-Storable-and-reply-attack.patch | 105 +++++++++++++++++++++ dev-perl/PlRPC/files/perldoc-remove.patch | 10 ++ dev-perl/PlRPC/metadata.xml | 18 ++++ 5 files changed, 170 insertions(+) create mode 100644 dev-perl/PlRPC/Manifest create mode 100644 dev-perl/PlRPC/PlRPC-0.202.0-r2.ebuild create mode 100644 dev-perl/PlRPC/files/Security-notice-on-Storable-and-reply-attack.patch create mode 100644 dev-perl/PlRPC/files/perldoc-remove.patch create mode 100644 dev-perl/PlRPC/metadata.xml (limited to 'dev-perl/PlRPC') diff --git a/dev-perl/PlRPC/Manifest b/dev-perl/PlRPC/Manifest new file mode 100644 index 000000000000..6f26eff64f4b --- /dev/null +++ b/dev-perl/PlRPC/Manifest @@ -0,0 +1,7 @@ +AUX Security-notice-on-Storable-and-reply-attack.patch 3844 SHA256 8b5688a6e65dc42cff3194be92e80b37d34322b20995a0daf6f4978ad6f46ad0 SHA512 21b3db796b34d994d4d967fc69af680f6d5281001829145aa7765b7ef9324cfd021f277358aabb820ef1496d0b8ffe0611fcfa0bf697709b4defd0843837e398 WHIRLPOOL 1125dc3ad9983a3f21cec95999de7ca3e07099724711878eaa1b43c671cff1f77f69abea6d4abbeb20645ade153729612f39fdac10682432e5e265a13002ca6c +AUX perldoc-remove.patch 258 SHA256 5947de78f719430a4aeb627b00af873db14a5eea4ee7588d1c84c43f5307771e SHA512 e2fdf9d64b6e8a76eedbbb2eb7677538d3bae0d3eb077ce4f12e8689f39622417532dc51525d9892cb8a990015b01b098df11e8fbb492755f0ba64d26d025ccf WHIRLPOOL 4516781e004a9da9ef8d0de60dcb0120192587efa5ff6d31bfe021412f6045936b9413ff494a2d3d230a9f47eb6536a2f1b2da08addaf5e98dd29cab7f909878 +DIST PlRPC-0.2020.tar.gz 18229 SHA256 606b367cc52ea8ab2e93404ddd50ccb65e6e5c42ebd6cf4def71f4edf684506f SHA512 2c79c5c27bce7027561f1968023ae4307778f291caa9291fee779537d047a35bb4bd5928fe2b343a2b09dbdcf6450239d79c6898018ea880619a7c69a1498a86 WHIRLPOOL e53cbca963e9ce3611e663905442855195d341c645e9b095300875803ba98c10741dd21810c5db0d64f59c52c5c4e0ecd789459f940c8ef9f7762cfd98350160 +EBUILD PlRPC-0.202.0-r2.ebuild 845 SHA256 3615c4c933599916509c45da9660871db0f01317ef8217c320dace20af32d664 SHA512 f12d491dfe52f9d3bb82ef18519dfcfb6cb6b92eea2f25e8d0039431b2d81538102b5bf6ef0dd6d71ac09032eacce53fd0636337d5abbf650f393051cfbcb023 WHIRLPOOL 71cc07720f7f9d2bbfa3b3c4ad99e23a68e21f339c384cca3b7d8b68d7bd69fa08f11ad2f4fc4f1239d082a3f64938fcacd84a279ec81dbccadd9d4e9973114e +MISC ChangeLog 2849 SHA256 a134060bd656032f1f1a1fdb85008553d40c6d4cac56bbcf9eb0f34ad5632608 SHA512 d2b0b784f1ef8ad2a92865ae2841cb1eeb56ae9f858a24ff98cfa34494fef12aac5cc0cca84e8058d9a1cafdba0d6bf17f3e3aea1868d3deb80f335b075161e0 WHIRLPOOL f842c6220bde572a61b69683eb8c8203093372a827843bcb558a8f088efc99105802fe1a0c7d69a4d4231aa355e5d7e97678e185dc036219f9fea70ff0608290 +MISC ChangeLog-2015 8770 SHA256 45d16733d9507a1f1f618f49ce5a9937a66c5df16d2003a58213a626dc03de0f SHA512 d59e7b436adb1183755b5d933d9160c66bbbebd6f5bf52cdda51ab5724e78f9dde6ca5945c271ef360088954fdab45c8a0b95ab04161d7a4dd9edd8035dc3525 WHIRLPOOL f2ee48ac08fefb4e63b915c79115ebe4305e57d0c50779093b1dafb44e8eabffdb4a0006f32455131f7319fb57d9d9836941edc22936fba6d894e4eeebce1eab +MISC metadata.xml 775 SHA256 2f7aa212de595c407799ab373b158f026e5f3a435e360b14dadde89bec2c1d06 SHA512 bbaa42d69e787c17cb1bd20bd9db9504377a89c426d6173659e2637df7efe8744dcb37641cc0ebe3041199b221beacd049cda5eb2628fdd6196b8a93c462d583 WHIRLPOOL 52018dcded2287eacddf2d765ff80ff05a34e0b70cf1fa3eea1ca937b924cef6bbdd89f74179078e265791189bc876fc0d5649587722a9e5f9349d051ee5317f diff --git a/dev-perl/PlRPC/PlRPC-0.202.0-r2.ebuild b/dev-perl/PlRPC/PlRPC-0.202.0-r2.ebuild new file mode 100644 index 000000000000..cf10c0169d48 --- /dev/null +++ b/dev-perl/PlRPC/PlRPC-0.202.0-r2.ebuild @@ -0,0 +1,30 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=5 + +MODULE_AUTHOR=MNOONING +MODULE_SECTION=${PN} +MODULE_VERSION=0.2020 +inherit perl-module + +S=${WORKDIR}/${PN} + +DESCRIPTION="The Perl RPC Module" + +SLOT="0" +KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +IUSE="" + +RDEPEND=">=virtual/perl-Storable-1.0.7 + >=dev-perl/Net-Daemon-0.34" +DEPEND="${RDEPEND}" + +PATCHES=( "${FILESDIR}/perldoc-remove.patch" + "${FILESDIR}/Security-notice-on-Storable-and-reply-attack.patch" ) + +src_test() { + PERL_DL_NONLAZY=1 /usr/bin/perl \ + "-MExtUtils::Command::MM" \ + "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t +} diff --git a/dev-perl/PlRPC/files/Security-notice-on-Storable-and-reply-attack.patch b/dev-perl/PlRPC/files/Security-notice-on-Storable-and-reply-attack.patch new file mode 100644 index 000000000000..877e7bc816dc --- /dev/null +++ b/dev-perl/PlRPC/files/Security-notice-on-Storable-and-reply-attack.patch @@ -0,0 +1,105 @@ +From 29f5ad4805a04e4c4fd18795f7153798c80a46ce Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Mon, 18 Nov 2013 12:20:52 +0100 +Subject: [PATCH] Security notice on Storable and reply attack +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Petr Písař +--- + README | 16 ++++++++++++++++ + lib/RPC/PlServer.pm | 15 +++++++++++++++ + 2 files changed, 31 insertions(+) + +diff --git a/README b/README +index 8a68657..48a33e4 100644 +--- a/README ++++ b/README +@@ -204,6 +204,7 @@ EXAMPLE + require RPC::PlServer; + require MD5; + ++ + package MD5_Server; # Clients need to request application + # "MD5_Server" + +@@ -245,6 +246,10 @@ SECURITY + that I missed something. Security was a design goal, but not *the* + design goal. (A well known problem ...) + ++ Due to implementation of PlRPC, it's hard to use internal authentication ++ mechanisms properly to achieve secured remote calls. Therefore users are ++ advised to use an external authentication mechanism like TLS or IPsec. ++ + I highly recommend the following design principles: + + Protection against "trusted" users +@@ -263,6 +268,14 @@ SECURITY + Be restrictive + Think twice, before you give a client access to a method. + ++ Use of Storable ++ Storable module used for serialization and deserialization ++ underneath is inherently insecure. Deserialized data can contain ++ objects which lead to loading foreign modules and executing possible ++ attached destructors. Do not accept host-based unauthorized ++ connections. The Storable module is exercised before checking user ++ password. ++ + perlsec + And just in case I forgot it: Read the "perlsec" man page. :-) + +@@ -283,6 +296,9 @@ SECURITY + authorized, you should switch to a user based key. See the + DBI::ProxyServer for an example. + ++ Please note PlRPC encryption does not protect from reply attacks. ++ You should have implement it on the application or the cipher level. ++ + AUTHOR AND COPYRIGHT + The PlRPC-modules are + +diff --git a/lib/RPC/PlServer.pm b/lib/RPC/PlServer.pm +index 10b56c9..ce38594 100644 +--- a/lib/RPC/PlServer.pm ++++ b/lib/RPC/PlServer.pm +@@ -613,6 +613,10 @@ I did my best to avoid security problems, but it is more than likely, + that I missed something. Security was a design goal, but not *the* + design goal. (A well known problem ...) + ++Due to implementation of PlRPC, it's hard to use internal authentication ++mechanisms properly to achieve secured remote calls. Therefore users are ++advised to use an external authentication mechanism like TLS or IPsec. ++ + I highly recommend the following design principles: + + =head2 Protection against "trusted" users +@@ -637,6 +641,14 @@ object handle is valid before coercing a method on it. + + Think twice, before you give a client access to a method. + ++=item Use of Storable ++ ++L module used for serialization and deserialization underneath is ++inherently insecure. Deserialized data can contain objects which lead to ++loading foreign modules and executing possible attached destructors. Do not ++accept host-based unauthorized connections. The L module is ++exercised before checking user password. ++ + =item perlsec + + And just in case I forgot it: Read the C man page. :-) +@@ -667,6 +679,9 @@ login phase, where to use a host based key. As soon as the user + has authorized, you should switch to a user based key. See the + DBI::ProxyServer for an example. + ++Please note PlRPC encryption does not protect from reply attacks. You should ++have implement it on the application or the cipher level. ++ + =back + + =head1 AUTHOR AND COPYRIGHT +-- +1.8.3.1 + diff --git a/dev-perl/PlRPC/files/perldoc-remove.patch b/dev-perl/PlRPC/files/perldoc-remove.patch new file mode 100644 index 000000000000..0b8fbe14bbe1 --- /dev/null +++ b/dev-perl/PlRPC/files/perldoc-remove.patch @@ -0,0 +1,10 @@ +--- Makefile.PL.old 2007-06-25 11:58:33.000000000 -0400 ++++ Makefile.PL 2007-06-25 11:58:37.000000000 -0400 +@@ -86,7 +86,6 @@ sub postamble { + pm_to_blib: README + + README: lib/RPC/PlServer.pm +-\tperldoc -t lib/RPC/PlServer.pm >README + + END_OF_POSTAMBLE + } diff --git a/dev-perl/PlRPC/metadata.xml b/dev-perl/PlRPC/metadata.xml new file mode 100644 index 000000000000..0642a8afe5ac --- /dev/null +++ b/dev-perl/PlRPC/metadata.xml @@ -0,0 +1,18 @@ + + + + + perl@gentoo.org + Gentoo Perl Project + + + PlRPC + Bundle::PlRPC + RPC::PlClient + RPC::PlClient::Comm + RPC::PlClient::Object + RPC::PlServer + RPC::PlServer::Comm + RPC::PlServer::Test + + -- cgit v1.2.3