
Bug#751527: wheezy-pu: package libdbi-perl/1.622-1+deb7u1



Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hi Release Team

Cc'ing also Moritz Mühlenhoff and the debian-perl list.

libplrpc-perl was removed from the archive for unstable[1] as it uses
Storable in an unsafe way, leading to a remote code execution
vulnerability. The idea is to also drop libplrpc-perl from wheezy and
squeeze if possible.

As a first step toward this goal I propose to drop the dependency from
the libdbi-perl package. Note: There is no real code change in wheezy to
unstable in the corresponding module part, although in the Debian
package itself libplrpc-perl moved from Depends to Suggests following
the upstream recommendation (in version 1.627-1).

 [1] https://bugs.debian.org/734789
     https://bugs.debian.org/745477

For the debdiff: I removed the dependency (as done for unstable), added
a patch to add a Security notice in the Proxy modules, and also
removed installation of the dbiproxy script.

Does this look safe enough?

Regards,
Salvatore
diff -Nru libdbi-perl-1.622/debian/changelog libdbi-perl-1.622/debian/changelog
--- libdbi-perl-1.622/debian/changelog	2012-06-07 12:46:26.000000000 +0200
+++ libdbi-perl-1.622/debian/changelog	2014-06-13 18:24:52.000000000 +0200
@@ -1,3 +1,15 @@
+libdbi-perl (1.622-1+deb7u1) wheezy; urgency=low
+
+  * Team upload.
+  * Remove libplrpc-perl from Build-Depends and Depends (Closes: #745427)
+  * warn users of DBI::Proxy about its unsafe usage of Storable
+    patch by Petr Písař from
+    https://rt.cpan.org/Public/Bug/Display.html?id=90475
+  * Add dont-install-dbiproxy-script.patch patch.
+    Don't install dbiproxy script into /usr/bin.
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Tue, 10 Jun 2014 09:05:28 +0200
+
 libdbi-perl (1.622-1) unstable; urgency=low
 
   * New upstream release
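Review bot: the "Closes: #745427" reference in the new changelog entry does not match the bug number cited in the mail ([1] lists #734789 and #745477); please double-check which bug this upload is meant to close before the entry is accepted, since a wrong Closes will mark an unrelated report done. The entry also says nothing about the user-visible effect of the dependency drop: DBD::Proxy and DBI::ProxyServer are still shipped but will no longer load unless libplrpc-perl is installed separately, and that is worth a sentence here (or in NEWS) for wheezy users of the proxy driver.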
diff -Nru libdbi-perl-1.622/debian/control libdbi-perl-1.622/debian/control
--- libdbi-perl-1.622/debian/control	2012-06-07 12:46:26.000000000 +0200
+++ libdbi-perl-1.622/debian/control	2014-06-13 18:24:52.000000000 +0200
@@ -9,7 +9,6 @@
  Nicholas Bamber <nicholas@periapt.co.uk>,
  Alessandro Ghedini <ghedo@debian.org>
 Build-Depends: perl, debhelper (>= 9),
- libplrpc-perl,
  libtest-pod-coverage-perl,
  libtest-pod-perl,
  perl (>= 5.10.1) | libtest-simple-perl (>= 0.90)
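Review bot: dropping libplrpc-perl from Build-Depends means RPC::PlServer/RPC::PlClient are absent at build time, yet the package still carries t__80proxy.t___syslogd.patch for t/80proxy.t; please confirm from the build log that the proxy test is skipped rather than failing, so the build does not break in the wheezy chroot.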
@@ -20,7 +19,7 @@
 
 Package: libdbi-perl
 Architecture: any
-Depends: ${misc:Depends}, ${perl:Depends}, ${shlibs:Depends}, libplrpc-perl
+Depends: ${misc:Depends}, ${perl:Depends}, ${shlibs:Depends}
 Provides: perl-dbdabi-${perl-dbdabi-version}
 Breaks: libdbd-anydata-perl (<< 0.09+),
  libdbd-csv-perl (<< 0.3000),
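Review bot: the dependency is removed here but, unlike the unstable change the mail describes (libplrpc-perl moved to Suggests in 1.627-1), nothing is added to Suggests. That is consistent with the stated goal of dropping libplrpc-perl from wheezy entirely, but it should be a deliberate choice; if the package is expected to stay in wheezy for a while, "Suggests: libplrpc-perl" would keep apt pointing DBD::Proxy users at the module they now need to install by hand.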
diff -Nru libdbi-perl-1.622/debian/patches/Security-notice-for-Proxy.patch libdbi-perl-1.622/debian/patches/Security-notice-for-Proxy.patch
--- libdbi-perl-1.622/debian/patches/Security-notice-for-Proxy.patch	1970-01-01 01:00:00.000000000 +0100
+++ libdbi-perl-1.622/debian/patches/Security-notice-for-Proxy.patch	2014-06-13 18:24:52.000000000 +0200
@@ -0,0 +1,56 @@
+From cd8fcbbf402e1d70c9f325f8b0fcd99e02cf14be Mon Sep 17 00:00:00 2001
+From: Petr Písař <ppisar@redhat.com>
+Date: Mon, 18 Nov 2013 12:52:09 +0100
+Subject: [PATCH] Security notice for Proxy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=90475
+
+PlRPC is not secure due to Storable. Warn Proxy users about it.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ lib/DBD/Proxy.pm       | 7 +++++++
+ lib/DBI/ProxyServer.pm | 7 +++++++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/lib/DBD/Proxy.pm b/lib/DBD/Proxy.pm
+index 287b2dc..5948255 100644
+--- a/lib/DBD/Proxy.pm
++++ b/lib/DBD/Proxy.pm
+@@ -974,6 +974,13 @@ The workaround is storing the modified local copy back to the server:
+   $dbh->{"csv_tables"} = $tables;
+ 
+ 
++=head1 SECURITY WARNING
++
++L<RPC::PlClient> used underneath is not secure due to serializing and
++deserializing data with L<Storable> module. Use the proxy driver only in
++trusted environment.
++
++
+ =head1 AUTHOR AND COPYRIGHT
+ 
+ This module is Copyright (c) 1997, 1998
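Review bot: the new SECURITY WARNING in DBD/Proxy.pm is POD only, so a user who loads DBD::Proxy without reading the manpage gets no signal at all; consider a one-time warn() at module load (or at connect) in addition to the POD text. Minor wording in the added paragraph: "in trusted environment" should read "in a trusted environment", which can be fixed in the patch before it is applied.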
+diff --git a/lib/DBI/ProxyServer.pm b/lib/DBI/ProxyServer.pm
+index 68ad4af..78a0d78 100644
+--- a/lib/DBI/ProxyServer.pm
++++ b/lib/DBI/ProxyServer.pm
+@@ -867,6 +867,13 @@ Don't try to put parameters into the sql-query like this:
+ =back
+ 
+ 
++=head1 SECURITY WARNING
++
++L<RPC::PlServer> used underneath is not secure due to serializing and
++deserializing data with L<Storable> module. Use the proxy driver only in
++trusted environment.
++
++
+ =head1 AUTHOR
+ 
+     Copyright (c) 1997    Jochen Wiedmann
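Review bot: the paragraph added to DBI/ProxyServer.pm says "Use the proxy driver only in trusted environment", copied from the client-side text, but this file documents the server; it should say the proxy server (and, again, "in a trusted environment"). Since the server side is the process that thaws data arriving over the network, this is the more important of the two notices to get right.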
+-- 
+1.8.3.1
+
diff -Nru libdbi-perl-1.622/debian/patches/dont-install-dbiproxy-script.patch libdbi-perl-1.622/debian/patches/dont-install-dbiproxy-script.patch
--- libdbi-perl-1.622/debian/patches/dont-install-dbiproxy-script.patch	1970-01-01 01:00:00.000000000 +0100
+++ libdbi-perl-1.622/debian/patches/dont-install-dbiproxy-script.patch	2014-06-13 18:24:52.000000000 +0200
@@ -0,0 +1,17 @@
+Description: Don't install /usr/bin/dbiproxy
+Origin: vendor
+Forwarded: no
+Author: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2014-06-10
+
+--- a/Makefile.PL
++++ b/Makefile.PL
+@@ -120,7 +120,7 @@ my %opts = (
+ 	'DBD::PO' => '2.10',
+     },
+     LICENSE => 'perl',
+-    EXE_FILES => [ "dbiproxy$ext_pl", "dbiprof$ext_pl", "dbilogstrip$ext_pl" ],
++    EXE_FILES => [ "dbiprof$ext_pl", "dbilogstrip$ext_pl" ],
+     DIR => [ ],
+     dynamic_lib => { OTHERLDFLAGS => "$::opt_g" },
+     clean => { FILES=> "\$(DISTVNAME) Perl.xsi t/zv*_*.t dbi__null_test_tmp*"
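Review bot: removing dbiproxy from EXE_FILES stops the script (and, since MakeMaker derives MAN1PODS from EXE_FILES, its manpage) from being installed, but please grep the rest of the packaging and the shipped POD for stale references to /usr/bin/dbiproxy; the DBI::ProxyServer module itself is still installed, so the patch header's Description could state that explicitly to avoid the impression that the proxy server has been removed.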
diff -Nru libdbi-perl-1.622/debian/patches/series libdbi-perl-1.622/debian/patches/series
--- libdbi-perl-1.622/debian/patches/series	2012-06-07 12:46:26.000000000 +0200
+++ libdbi-perl-1.622/debian/patches/series	2014-06-13 18:24:52.000000000 +0200
@@ -2,3 +2,5 @@
 t__40profile.t__NTP.patch
 t__80proxy.t___syslogd.patch
 fix-spelling.patch
+Security-notice-for-Proxy.patch
+dont-install-dbiproxy-script.patch
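Review bot: Security-notice-for-Proxy.patch is a git format-patch generated against upstream's repository in November 2013 (index 287b2dc.., hunk at line 974), not against the 1.622 tree in wheezy, so check that "quilt push -a" applies both new patches without fuzz or offset on top of fix-spelling.patch and that the resulting POD still renders cleanly with podchecker.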
