diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f455ba3
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/PlRPC-0.2020.tar.gz
diff --git a/.perl-PlRPC.metadata b/.perl-PlRPC.metadata
new file mode 100644
index 0000000..14109a0
--- /dev/null
+++ b/.perl-PlRPC.metadata
@@ -0,0 +1 @@
+2a1dd4f650764f6cfc654e528a579293422073c0 SOURCES/PlRPC-0.2020.tar.gz
diff --git a/SOURCES/perl-PlRPC-0.2020-Do-not-use-syslog.patch b/SOURCES/perl-PlRPC-0.2020-Do-not-use-syslog.patch
new file mode 100644
index 0000000..cf11c57
--- /dev/null
+++ b/SOURCES/perl-PlRPC-0.2020-Do-not-use-syslog.patch
@@ -0,0 +1,52 @@
+From acb5f1175c617f0be89f23648a0f3e0a4394230a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
+Date: Fri, 27 Jan 2012 11:06:08 +0100
+Subject: [PATCH] Do not use syslog
+
+---
+ t/client.t | 2 +-
+ t/lib.pl | 1 +
+ t/server | 2 +-
+ 3 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/t/client.t b/t/client.t
+index a283f2d..e19231d 100644
+--- a/t/client.t
++++ b/t/client.t
+@@ -30,7 +30,7 @@ my @opts = ('peeraddr' => '127.0.0.1', 'peerport' => $port, 'debug' => 1,
+ my $client;
+ 
+ # Making a first connection and closing it immediately
+-Test(eval { RPC::PlClient->new(@opts) })
++Test(eval { RPC::PlClient->new(@opts, 'logfile' => 1) })
+ or print "Failed to make first connection: $@\n";
+ 
+ RunTests(@opts);
+diff --git a/t/lib.pl b/t/lib.pl
+index bc61b2c..559b899 100644
+--- a/t/lib.pl
++++ b/t/lib.pl
+@@ -18,6 +18,7 @@ sub RunTests (@) {
+ shift;
+ $key = shift;
+ }
++ push @_, 'logfile', 1;
+ 
+ # Making a new connection
+ Test($client = eval { RPC::PlClient->new(@_) })
+diff --git a/t/server b/t/server
+index 46dcf97..c44f10a 100644
+--- a/t/server
++++ b/t/server
+@@ -74,7 +74,7 @@ sub Version ($) {
+ 
+ package main;
+ 
+-my $server = CalcServer->new({'pidfile' => 'none'}, \@ARGV);
++my $server = CalcServer->new({'pidfile' => 'none', 'logfile' => 1}, \@ARGV);
+ 
+ $server->Bind();
+ 
+--
+1.7.7.6
+
diff --git a/SOURCES/perl-PlRPC-0.2020-Security-notice-on-Storable-and-reply-attack.patch b/SOURCES/perl-PlRPC-0.2020-Security-notice-on-Storable-and-reply-attack.patch
new file mode 100644
index 0000000..877e7bc
--- /dev/null
+++ b/SOURCES/perl-PlRPC-0.2020-Security-notice-on-Storable-and-reply-attack.patch
@@ -0,0 +1,105 @@
+From 29f5ad4805a04e4c4fd18795f7153798c80a46ce Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
+Date: Mon, 18 Nov 2013 12:20:52 +0100
+Subject: [PATCH] Security notice on Storable and reply attack
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Petr Písař
+---
+ README | 16 ++++++++++++++++
+ lib/RPC/PlServer.pm | 15 +++++++++++++++
+ 2 files changed, 31 insertions(+)
+
+diff --git a/README b/README
+index 8a68657..48a33e4 100644
+--- a/README
++++ b/README
+@@ -204,6 +204,7 @@ EXAMPLE
+ require RPC::PlServer;
+ require MD5;
+ 
++
+ package MD5_Server; # Clients need to request application
+ # "MD5_Server"
+ 
+@@ -245,6 +246,10 @@ SECURITY
+ that I missed something. Security was a design goal, but not *the*
+ design goal. (A well known problem ...)
+ 
++ Due to implementation of PlRPC, it's hard to use internal authentication
++ mechanisms properly to achieve secured remote calls. Therefore users are
++ advised to use an external authentication mechanism like TLS or IPsec.
++
+ I highly recommend the following design principles:
+ 
+ Protection against "trusted" users
+@@ -263,6 +268,14 @@ SECURITY
+ Be restrictive
+ Think twice, before you give a client access to a method.
+ 
++ Use of Storable
++ Storable module used for serialization and deserialization
++ underneath is inherently insecure. Deserialized data can contain
++ objects which lead to loading foreign modules and executing possible
++ attached destructors. Do not accept host-based unauthorized
++ connections. The Storable module is exercised before checking user
++ password.
++
+ perlsec
+ And just in case I forgot it: Read the "perlsec" man page. :-)
+ 
+@@ -283,6 +296,9 @@ SECURITY
+ authorized, you should switch to a user based key. See the
+ DBI::ProxyServer for an example.
+ 
++ Please note PlRPC encryption does not protect from reply attacks.
++ You should have implement it on the application or the cipher level.
++
+ AUTHOR AND COPYRIGHT
+ The PlRPC-modules are
+ 
+diff --git a/lib/RPC/PlServer.pm b/lib/RPC/PlServer.pm
+index 10b56c9..ce38594 100644
+--- a/lib/RPC/PlServer.pm
++++ b/lib/RPC/PlServer.pm
+@@ -613,6 +613,10 @@ I did my best to avoid security problems, but it is more than likely,
+ that I missed something. Security was a design goal, but not *the*
+ design goal. (A well known problem ...)
+ 
++Due to implementation of PlRPC, it's hard to use internal authentication
++mechanisms properly to achieve secured remote calls. Therefore users are
++advised to use an external authentication mechanism like TLS or IPsec.
++
+ I highly recommend the following design principles:
+ 
+ =head2 Protection against "trusted" users
+@@ -637,6 +641,14 @@ object handle is valid before coercing a method on it.
+ 
+ Think twice, before you give a client access to a method.
+ 
++=item Use of Storable
++
++L module used for serialization and deserialization underneath is
++inherently insecure. Deserialized data can contain objects which lead to
++loading foreign modules and executing possible attached destructors. Do not
++accept host-based unauthorized connections. The L module is
++exercised before checking user password.
++
+ =item perlsec
+ 
+ And just in case I forgot it: Read the C man page. :-)
+@@ -667,6 +679,9 @@ login phase, where to use a host based key. As soon as the user
+ has authorized, you should switch to a user based key. See the
+ DBI::ProxyServer for an example.
+ 
++Please note PlRPC encryption does not protect from reply attacks. You should
++have implement it on the application or the cipher level.
++
+ =back
+ 
+ =head1 AUTHOR AND COPYRIGHT
+--
+1.8.3.1
+
diff --git a/SPECS/perl-PlRPC.spec b/SPECS/perl-PlRPC.spec
new file mode 100644
index 0000000..4a4516a
--- /dev/null
+++ b/SPECS/perl-PlRPC.spec
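Review bot: The advisory sentence added to README (the `@@ -283` hunk) and to the POD in lib/RPC/PlServer.pm (the `@@ -667` hunk) says "reply attacks" where the property being described is resistance to replay of previously captured traffic, and "You should have implement it" is ungrammatical; since this is the sentence deployers will quote when assessing the module, suggest `Please note PlRPC encryption does not protect from replay attacks. You should implement it on the application or the cipher level.` in both places (the patch Subject and the file name carry the same misspelling, which is cosmetic). In the PlServer.pm `@@ -637` hunk the new POD reads `L module` twice; if the `L<Storable>` link target was lost only in transit here, ignore this, otherwise the POD link is empty and renders as shown. The Storable paragraph itself is precise on the point that matters for deployment — deserialization runs before the password check — so the wording fix does not need to touch it.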
@@ -0,0 +1,110 @@
+Name: perl-PlRPC
+Version: 0.2020
+Release: 14%{?dist}
+License: GPL+ or Artistic
+Group: Development/Libraries
+Summary: Interface for writing PlRPC clients and servers
+Url: http://search.cpan.org/dist/PlRPC
+Source: http://search.cpan.org/CPAN/authors/id/M/MN/MNOONING/PlRPC/PlRPC-%{version}.tar.gz
+# See
+Patch0: %{name}-0.2020-Do-not-use-syslog.patch
+# Document the Storable and encryption is not secure, bug #1030572,
+# CPAN RT#90474
+Patch1: %{name}-0.2020-Security-notice-on-Storable-and-reply-attack.patch
+BuildArch: noarch
+BuildRequires: perl(ExtUtils::MakeMaker)
+# perldoc utility is called from Makefile
+BuildRequires: perl-Pod-Perldoc
+# Run-time
+BuildRequires: perl(Compress::Zlib)
+BuildRequires: perl(IO::Socket)
+BuildRequires: perl(Net::Daemon) >= 0.13
+BuildRequires: perl(Net::Daemon::Log)
+BuildRequires: perl(Net::Daemon::Test)
+BuildRequires: perl(Storable)
+# Optionable tests
+BuildRequires: perl(Crypt::DES)
+Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
+# Compress::Zlib is needed for optional compression
+Requires: perl(Compress::Zlib)
+Requires: perl(Net::Daemon) >= 0.13
+
+# Remove undespecified dependencies
+%global __requires_exclude %{?__requires_exclude|%__requires_exclude|}^perl\\(Net::Daemon\\)$
+
+%description
+PlRPC (Perl RPC) is a package that simplifies the writing of Perl based
+client/server applications. RPC::PlServer is the package used on the
+server side, and you guess what RPC::PlClient is for. PlRPC works by
+defining a set of methods that may be executed by the client.
+
+%prep
+%setup -q -n PlRPC
+%patch0 -p1
+%patch1 -p1
+
+%build
+%{__perl} Makefile.PL INSTALLDIRS=vendor
+make %{?_smp_mflags}
+
+%install
+make pure_install DESTDIR=%{buildroot}
+find %{buildroot} -type f -name .packlist -exec rm -f {} ';'
+%{_fixperms} %{buildroot}/*
+
+%check
+make test
+
+%files
+%doc ChangeLog README
+%{perl_vendorlib}/*
+%{_mandir}/man3/*.3*
+
+%changelog
+* Fri Dec 27 2013 Daniel Mach - 0.2020-14
+- Mass rebuild 2013-12-27
+
+* Tue Nov 26 2013 Petr Pisar - 0.2020-13
+- Document the Storable and encryption is not secure (bug #1030572)
+
+* Wed Oct 24 2012 Petr Pisar - 0.2020-12
+- Modernize spec file
+
+* Fri Jul 20 2012 Fedora Release Engineering - 0.2020-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Tue Jun 12 2012 Petr Pisar - 0.2020-10
+- Perl 5.16 rebuild
+
+* Thu Jan 26 2012 Petr Pisar - 0.2020-9
+- Modernize spec file
+- Enable tests
+
+* Fri Jan 13 2012 Fedora Release Engineering - 0.2020-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Mon Jun 20 2011 Marcela Mašláňová - 0.2020-7
+- Perl mass rebuild
+
+* Tue Feb 08 2011 Fedora Release Engineering - 0.2020-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Tue Dec 21 2010 Marcela Maslanova - 0.2020-5
+- 661697 rebuild for fixing problems with vendorach/lib
+
+* Tue May 04 2010 Marcela Maslanova - 0.2020-4
+- Mass rebuild with perl-5.12.0
+
+* Mon Dec 7 2009 Stepan Kasal - 0.2020-3
+- rebuild against perl 5.10.1
+
+* Sun Jul 26 2009 Fedora Release Engineering - 0.2020-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Apr 01 2009 Chris Weyl 0.2020-1
+- submission
+
+* Thu Mar 19 2009 Chris Weyl 0.2020-0
+- initial RPM packaging
+- generated with cpan2dist (CPANPLUS::Dist::RPM version 0.0.8)
+
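Review bot: The comment above `%global __requires_exclude` reads "Remove undespecified dependencies", which is not a word and does not say what the filter is for; the pattern `^perl\\(Net::Daemon\\)$` drops only the exact unversioned `perl(Net::Daemon)` that the dependency generator would add, leaving the explicit `Requires: perl(Net::Daemon) >= 0.13` as the one that counts, so suggest `# Drop the auto-generated unversioned perl(Net::Daemon); the versioned Requires above applies`. The `# See` comment before `Patch0:` carries no reference at all; if a bug or list URL was lost in transit, ignore this, otherwise it should name what to see, as the `Patch1:` comment does with bug #1030572 and CPAN RT#90474. The `%check` section runs the test suite unconditionally, and the bundled syslog patch shows the tests start a server reachable at 127.0.0.1 on a chosen port; that is presumably acceptable inside the build sandbox, but worth a one-line comment above `make test` so the next maintainer knows a listening socket is expected during the build.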