Bug 1051106

Summary: perl-PlRPC: weak crypto
Product: [Other] Security Response
Reporter: Ratul Gupta <ratulg>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: drieden, mmaslano, nobody+bgollahe, perl-devel, perl-maint-list, pfrields, ppisar, psabata, tdawson, tkramer
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2014-06-10 09:35:30 UTC
Bug Depends On: 1030572, 1051110
Bug Blocks: 1051112

Description Ratul Gupta 2014-01-09 17:28:45 UTC
PlRPC is a Perl module that implements IDL-free RPCs. The cryptographic hook built into PlRPC is limited: there is no MAC, no replay protection, and there's just a symmetric group key shared by all users, which corresponds to the weak crypto in PlRPC. There appears to be zero replay protection. Additionally, compression is enabled unconditionally, which can reveal message contents, especially in conjunction with chosen-ciphertext attacks.

The patches that exist just document the issues and are not real fixes.

References:
http://seclists.org/oss-sec/2014/q1/56
https://rt.cpan.org/Public/Bug/Display.html?id=90474

Commit/Patch:
http://pkgs.fedoraproject.org/cgit/perl-PlRPC.git/commit/?id=b9497b8d780a54ff5be6661c5f24d70135e0bb79
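To illustrate the two missing protections the report names (no MAC, no replay protection), here is an added example that is not PlRPC code: the message framing, key derivation and toy counter-mode cipher are constructed for the demo and are not PlRPC's wire format. It contrasts an encryption-only message with an encrypt-then-MAC message whose tag also covers a sequence number, so a receiver can reject both modified and replayed messages.

```python
# Added example, not PlRPC code: the message framing, key derivation and toy cipher
# below are constructed for the demo and are not PlRPC's wire format.
import hashlib, hmac, os, struct
GROUP_KEY = b"shared-by-every-user"  # stand-in for the symmetric group key the report describes
ENC_KEY = hashlib.sha256(b"enc" + GROUP_KEY).digest()  # hardened form uses distinct keys
MAC_KEY = hashlib.sha256(b"mac" + GROUP_KEY).digest()

def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Constructed SHA-256 counter-mode keystream; like any stream or CBC mode it is malleable.
    ks = b"".join(hashlib.sha256(key + nonce + struct.pack(">I", i)).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt_only(msg: bytes) -> bytes:
    """Weak construction: encryption only, no MAC and no sequence number."""
    nonce = os.urandom(12)
    return nonce + _xor(GROUP_KEY, nonce, msg)

def decrypt_only(blob: bytes) -> bytes:
    """Accepts anything of the right shape: a modified ciphertext decrypts to modified plaintext."""
    return _xor(GROUP_KEY, blob[:12], blob[12:])

def seal(seq: int, msg: bytes) -> bytes:
    """Hardened: encrypt-then-MAC, with the sequence number covered by the tag."""
    nonce = os.urandom(12)
    hdr = struct.pack(">Q", seq) + nonce
    ct = _xor(ENC_KEY, nonce, msg)
    return hdr + ct + hmac.new(MAC_KEY, hdr + ct, hashlib.sha256).digest()

class Receiver:
    """Verifies the tag before decrypting and rejects any sequence number already seen."""
    def __init__(self):
        self.last_seq = -1
    def open(self, blob: bytes) -> bytes:
        hdr, ct, tag = blob[:20], blob[20:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(MAC_KEY, hdr + ct, hashlib.sha256).digest()):
            raise ValueError("MAC mismatch: message was modified in transit")
        seq = struct.unpack(">Q", hdr[:8])[0]
        if seq <= self.last_seq:
            raise ValueError("replay: sequence number %d not newer than %d" % (seq, self.last_seq))
        self.last_seq = seq
        return _xor(ENC_KEY, hdr[8:], ct)

def rejection_reason(receiver: Receiver, blob: bytes):
    """Return why the receiver rejected blob ('MAC mismatch' or 'replay'), or None if accepted."""
    try:
        receiver.open(blob)
        return None
    except ValueError as e:
        return str(e).split(":")[0]
```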

Comment 1 Ratul Gupta 2014-01-09 17:32:01 UTC
Created perl-PlRPC tracking bugs for this issue:

Affects: fedora-all [bug 1051110]

Comment 2 Vincent Danen 2014-01-09 22:00:02 UTC
The actual proposed patch to upstream is here:

* https://rt.cpan.org/Public/Ticket/Attachment/1289399/683202/0001-Security-notice-for-Proxy.patch

As per http://seclists.org/oss-sec/2014/q1/62 MITRE has held off assigning any CVEs for this weak crypto issue.

Comment 3 Petr Pisar 2014-01-10 08:27:06 UTC
(In reply to Vincent Danen from comment #2)
> The actual proposed patch to upstream is here:
> 
> * https://rt.cpan.org/Public/Ticket/Attachment/1289399/683202/0001-Security-notice-for-Proxy.patch
> 
No. This is the wrong patch, which belongs to a different Perl package. The current one at <https://rt.cpan.org/Public/Bug/Display.html?id=90474> is the correct one, and it's already applied in perl-PlRPC-0.2020-16.fc21.

I guess applying the patch from Fedora 21 to all Fedoras is sufficient.

Comment 5 Stefan Cornelius 2014-06-10 09:35:30 UTC
Statement:

The Red Hat Security Response Team has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.