Re: CVE request: perl-modules
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 11 Dec 2012 11:09:40 -0700
On 12/11/2012 09:56 AM, Jamie Strandboge wrote:
> Debian recently fixed the following security bug:
>
> "Locale::Maketext is a core l10n library that expands templates
> found in strings.
>
> Two problems were found, reported, and patched-for by Brian Carlson
> of cPanel, and these fixes are now in blead and on the CPAN.
>
> The commit in question is
>
> The flaws are:
>
> * in a [method,x,y,z] template, the method could be a
>   fully-qualified name
> * template expansion did not properly quote
>   metacharacters, allowing code injection through a malicious
>
> Please upgrade your Locale::Maketext, especially if you allow
One of our guys has had a chance to look into this:
Petr Pisar 2012-12-06 10:08:20 EST
Created attachment 658787
Template for reproducer
Could you show the attack vector? Attached is a small piece of code showing
how to use Locale::Maketext. Please modify it to explain the vulnerability.
I think the vulnerability is effective only when the attacker has the first
argument of maketext() under control.
However, that means the attacker can run any code even without this
`vulnerability'. It's like saying glibc's gettext() is vulnerable. But
that's not true.
Sure, gettext("%s", user_input) is not safe, but this is a flaw in the
caller, not in gettext. The same applies to
Petr Pisar 2012-12-06 11:18:46 EST
And actually the patch breaks behaviour because it forbids
cross-package calls which were explicitly allowed and documented
before. I do not believe the patch is a good candidate for stable distributions.
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
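The caller-side mistake Petr describes (letting untrusted input be the template, the analogue of gettext("%s", user_input)) next to the safe pattern (fixed template, untrusted data only as arguments), as an added Perl example that is not code from this thread, from Petr's attachment or from the Locale::Maketext project. The classes MyApp::L10N and MyApp::L10N::en, their lexicon entries and the translate_checked helper are constructed for this example. The unsafe call is shown with the library's own documented sprintf method rather than a fully-qualified name, so it behaves the same on patched and unpatched Locale::Maketext.

```perl
#!/usr/bin/perl
# Added example (not from the thread): why control of maketext()'s first
# argument is the real problem, and a caller-side check that closes it.
use strict;
use warnings;
use Locale::Maketext;

# Constructed lexicon classes; the names are assumptions made for this example.
package MyApp::L10N;
our @ISA = ('Locale::Maketext');

package MyApp::L10N::en;
our @ISA = ('MyApp::L10N');
our %Lexicon = (
    # _AUTO => 1 makes Locale::Maketext compile an unknown key as its own
    # template instead of failing; that is what makes the unsafe call below work.
    '_AUTO' => 1,
    'Hello, [_1]!'                          => 'Hello, [_1]!',
    'You have [quant,_1,message,messages].' => 'You have [quant,_1,message,messages].',
);

package main;

my $lh = MyApp::L10N->get_handle('en') or die "no language handle for 'en'";

# Safe use: the template (first argument) is a fixed string chosen by the
# program; untrusted data goes in as an argument and is substituted via [_1].
# Arguments are data, not templates, so bracket syntax inside them is never
# expanded and this prints the literal string "[sprintf,%s,x]".
my $untrusted_name = '[sprintf,%s,x]';
print $lh->maketext('Hello, [_1]!', $untrusted_name), "\n";
print $lh->maketext('You have [quant,_1,message,messages].', 2), "\n";

# Unsafe use: the untrusted string becomes the template itself. With _AUTO it
# is compiled, and every [method,...] inside it is a method call on the handle
# chosen by whoever wrote the string; here the library's sprintf method runs
# on attacker-supplied arguments. This is the gettext("%s", user_input) mistake.
my $untrusted_template = 'Hello, [sprintf,%s %s,x,y]!';
print $lh->maketext($untrusted_template), "\n";

# Caller-side check: only compile templates that exist in the handle's own
# lexicon, so an attacker-chosen string is rejected rather than executed.
# (Constructed helper; it inspects only the handle's class, not superclasses.)
sub translate_checked {
    my ($handle, $key, @args) = @_;
    my $lexicon = do { no strict 'refs'; \%{ ref($handle) . '::Lexicon' } };
    die "refusing to compile untrusted template: $key\n"
        unless exists $lexicon->{$key};
    return $handle->maketext($key, @args);
}

print translate_checked($lh, 'Hello, [_1]!', $untrusted_name), "\n";
eval { translate_checked($lh, $untrusted_template) };
print "rejected: $@" if $@;
```

The simpler fix for many callers is to drop `_AUTO` altogether: without it an unknown key is not compiled as a template, and maketext() falls through to its failure handler, which dies by default. Either way the invariant Petr points at is the same as for gettext(): the format string is program data, never user data.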