oss-sec: Re: CVE request: perl-modules

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/11/2012 09:56 AM, Jamie Strandboge wrote:
> Debian recently fixed the following security bug: 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224
>
> "Locale::Maketext is a core l10n library that expands templates
> found in strings.
>
> Two problems were found, reported, and patched-for by Brian Carlson
> of cPanel, and these fixes are now in blead and on the CPAN.
>
> The commit in question is 
> http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8
>
>  The flaws are:
>
> * in a [method,x,y,z] template, the method could be a
> fully-qualified name * template expansion did not properly quote
> metacharacters, allowing code injection through a malicious
> template
>
> Please upgrade your Locale::Maketext, especially if you allow
> user-provided templates."
One of our guys has had a chance to look into this:

https://bugzilla.redhat.com/show_bug.cgi?id=884354

Petr Pisar 2012-12-06 10:08:20 EST

Created attachment 658787 [details]
Template for reproducer

Could show the attack vector? Attached is small code showing how to
use Locale::Maketext. Please modify it to explain the vulnerability.

I think the vulnerability is effective only when attacker has first
argument of maketext() under control.

However that means the attacker can run any code even without this
`vulnerability'. It's like saying glibc's gettext() is vulnerable. But
that's not true.

Sure gettext("%s", user_input) is not safe, but this is flaw in the
caller, not in the gettext. The same applies to
Locale::Maketext::maketext().

Petr Pisar 2012-12-06 11:18:46 EST

And actually the patch breaks behaviour because it forbids
cross-package calls which were explicitly allowed and documented
before. I disbelieve the patch is good candidate for stable distributions.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQx3bkAAoJEBYNRVNeJnmTJPMP/3+IY9tuNyQ4aSRLHCaLpqmZ
RREnjXeRouJtgaTqVuBBSwPSxAJ8fXfY1a0aM+euZBWWxAF1tp2EWlClMk5CFjg4
KNOb4f8v4mOuJq/8F2TebGIz+8C7dp7rTpOwadncV38RcbwlXL72QEPdTW2n9t+L
FrycDQhCTx1lo5/oj5Jju7CWnDo2jPGnFHgmdyroqefNpS1muoJM9IeSJPnPANOQ
g/0TXEeC8gehzbpvRrG0NRje+Pf3nMw/9t8JwKj3pDXrB0nVYLBIgMQdUv+sgYXw
AxF4LEa1iKIddl2NwAMHC/lw3w1CoANgb34iqKwm64yIAe88LWfPrHOPHWRRNdgp
5bj44AMsfMXj/iPnw5ArISNZiLSWW33yKP9gKZUcmGtLgEof4bbhwPmnLWGZtYkQ
7EhBl0d+HExgEtoyWMbzJLCXe1EMvIBJji6nnkWpNX1uRIFRRy9171ooQr2mc/mn
EWuDSSV3BNyxjJdLPDvG0zzBC7uWm6fa7TWFGODeWEdIlw4x8gXG3ExcpNNa+P5j
YfC2FiypfhpWQYdl06jExFgNWvthmatM1YrFmQZtuklkxk8MxCOS2wsYSUEUAGor
wK0NMliayfgnApjFJp0DlnYbHU4JdgX3rkAVu4hUQe8pfeo3tkPWiECB5JOXalG3
afN6lI2zn0wV9+UgYpKY
=ITgy
-----END PGP SIGNATURE-----