[libdbi-perl] 02/04: warn users of DBI::Proxy about its unsafe usage of Storable

Salvatore Bonaccorso carnil at debian.org
Thu Jun 19 12:14:04 UTC 2014


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to annotated tag debian/1.622-1+deb7u1
in repository libdbi-perl.

commit e7ffab2ebc48d45703cb602bf83ceaa089076071
Author: Damyan Ivanov <dmn at debian.org>
Date:   Mon Apr 21 18:08:12 2014 +0000

    warn users of DBI::Proxy about its unsafe usage of Storable
    
    patch by Petr Písař from
    https://rt.cpan.org/Public/Bug/Display.html?id=90475
---
 debian/patches/Security-notice-for-Proxy.patch | 56 ++++++++++++++++++++++++++
 debian/patches/series                          |  1 +
 2 files changed, 57 insertions(+)

diff --git a/debian/patches/Security-notice-for-Proxy.patch b/debian/patches/Security-notice-for-Proxy.patch
new file mode 100644
index 0000000..53b0294
--- /dev/null
+++ b/debian/patches/Security-notice-for-Proxy.patch
@@ -0,0 +1,56 @@
+From cd8fcbbf402e1d70c9f325f8b0fcd99e02cf14be Mon Sep 17 00:00:00 2001
+From: Petr Písař <ppisar at redhat.com>
+Date: Mon, 18 Nov 2013 12:52:09 +0100
+Subject: [PATCH] Security notice for Proxy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=90475
+
+PlRPC is not secure due to Storable. Warn Proxy users about it.
+
+Signed-off-by: Petr Písař <ppisar at redhat.com>
+---
+ lib/DBD/Proxy.pm       | 7 +++++++
+ lib/DBI/ProxyServer.pm | 7 +++++++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/lib/DBD/Proxy.pm b/lib/DBD/Proxy.pm
+index 287b2dc..5948255 100644
+--- a/lib/DBD/Proxy.pm
++++ b/lib/DBD/Proxy.pm
+@@ -974,6 +974,13 @@ The workaround is storing the modified local copy back to the server:
+   $dbh->{"csv_tables"} = $tables;
+ 
+ 
++=head1 SECURITY WARNING
++
++L<RPC::PlClient> used underneath is not secure due to serializing and
++deserializing data with L<Storable> module. Use the proxy driver only in
++trusted environment.
++
++
+ =head1 AUTHOR AND COPYRIGHT
+ 
+ This module is Copyright (c) 1997, 1998
+diff --git a/lib/DBI/ProxyServer.pm b/lib/DBI/ProxyServer.pm
+index 68ad4af..78a0d78 100644
+--- a/lib/DBI/ProxyServer.pm
++++ b/lib/DBI/ProxyServer.pm
+@@ -867,6 +867,13 @@ Don't try to put parameters into the sql-query like this:
+ =back
+ 
+ 
++=head1 SECURITY WARNING
++
++L<RPC::PlServer> used underneath is not secure due to serializing and
++deserializing data with L<Storable> module. Use the proxy driver only in
++trusted environment.
++
++
+ =head1 AUTHOR
+ 
+     Copyright (c) 1997    Jochen Wiedmann
+-- 
+1.8.3.1
+
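Review bot: the two added POD sections (`+=head1 SECURITY WARNING` in lib/DBD/Proxy.pm and lib/DBI/ProxyServer.pm) only document the problem and change no behaviour, so a DBI::ProxyServer instance that is already reachable from untrusted clients remains exposed after this patch is applied; the notice should tell the reader what to do, not only that the transport is unsafe. Storable's own documentation states that deserializing data from an untrusted source is unsafe, so the warning could say explicitly that every peer able to talk to the PlRPC endpoint supplies data that is deserialized with Storable on the receiving side, and that the endpoint must therefore be reachable only from trusted hosts (loopback, a firewalled network segment or an authenticated tunnel). Two wording points in the added lines: the ProxyServer.pm notice says "Use the proxy driver only in trusted environment" although that module is the server side, so "proxy server" fits better there, and both notices should read "in a trusted environment".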
diff --git a/debian/patches/series b/debian/patches/series
index 1e834d7..43e9b43 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ t__06attrs.t__localefix.patch
 t__40profile.t__NTP.patch
 t__80proxy.t___syslogd.patch
 fix-spelling.patch
+Security-notice-for-Proxy.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libdbi-perl.git


