Re: PlRPC Perl module: pre-auth remote code execution, weak crypto

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> it uses Storable, which is known to be insecure when deserializing
> (thawing) untrusted data.  User name and password are transmitted using
> Storable, so code execution can happen before authentication.

Use CVE-2013-7284 for this code-execution issue.


> The cryptographic hook built into PlRPC is limited ...
> It's not really PlRPC's fault

At this point, we will postpone deciding on the number of CVE IDs
needed for cryptographic issues in PlRPC, pending a possible upstream
response that might clarify whether the product had been specifically
trying to achieve the associated cryptographic goals.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJSzux7AAoJEKllVAevmvmsEggIAKdQdJ8bkiEhPfzE4O92TPUt
Ul6X21WCn+n6+OYowFYiN30bb/wuYjB9suMcfk7S1JJZAH4F2Cv8jZNvgUT3ca5E
Ekgdoy3Rl2O4o6nsF2oi+vdqRg7nRSkrgNud4aqNM4HCuWLbCr+5rMIpF4M/Z8Ai
XOHZguxtujuEhFkkTLsskBqYZEM7qoZZQdV/JhXdb/+uyd5kTIACRAc5BDnZcIaV
kRfb6/I+jMXCY4H6S7Cv39Uw2h+zCS75KCr1NGILQp0HKaz1MfILO2vvejogIudB
ZKBULvtDlWDiIq+l5zatbhUdNW8yt3CK1mmToTuDJBpEhet8bc3Gx+UqIG//Yy4=
=Ood1
-----END PGP SIGNATURE-----