oss-sec mailing list archives
Re: CVE request: perl-modules
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 11 Dec 2012 11:09:40 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/11/2012 09:56 AM, Jamie Strandboge wrote:
Debian recently fixed the following security bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224 "Locale::Maketext is a core l10n library that expands templates found in strings. Two problems were found, reported, and patched-for by Brian Carlson of cPanel, and these fixes are now in blead and on the CPAN. The commit in question is http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8 The flaws are: * in a [method,x,y,z] template, the method could be a fully-qualified name * template expansion did not properly quote metacharacters, allowing code injection through a malicious template Please upgrade your Locale::Maketext, especially if you allow user-provided templates."
One of our guys has had a chance to look into this: https://bugzilla.redhat.com/show_bug.cgi?id=884354 Petr Pisar 2012-12-06 10:08:20 EST Created attachment 658787 [details] Template for reproducer Could show the attack vector? Attached is small code showing how to use Locale::Maketext. Please modify it to explain the vulnerability. I think the vulnerability is effective only when attacker has first argument of maketext() under control. However that means the attacker can run any code even without this `vulnerability'. It's like saying glibc's gettext() is vulnerable. But that's not true. Sure gettext("%s", user_input) is not safe, but this is flaw in the caller, not in the gettext. The same applies to Locale::Maketext::maketext(). Petr Pisar 2012-12-06 11:18:46 EST And actually the patch breaks behaviour because it forbids cross-package calls which were explicitly allowed and documented before. I disbelieve the patch is good candidate for stable distributions. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBAgAGBQJQx3bkAAoJEBYNRVNeJnmTJPMP/3+IY9tuNyQ4aSRLHCaLpqmZ RREnjXeRouJtgaTqVuBBSwPSxAJ8fXfY1a0aM+euZBWWxAF1tp2EWlClMk5CFjg4 KNOb4f8v4mOuJq/8F2TebGIz+8C7dp7rTpOwadncV38RcbwlXL72QEPdTW2n9t+L FrycDQhCTx1lo5/oj5Jju7CWnDo2jPGnFHgmdyroqefNpS1muoJM9IeSJPnPANOQ g/0TXEeC8gehzbpvRrG0NRje+Pf3nMw/9t8JwKj3pDXrB0nVYLBIgMQdUv+sgYXw AxF4LEa1iKIddl2NwAMHC/lw3w1CoANgb34iqKwm64yIAe88LWfPrHOPHWRRNdgp 5bj44AMsfMXj/iPnw5ArISNZiLSWW33yKP9gKZUcmGtLgEof4bbhwPmnLWGZtYkQ 7EhBl0d+HExgEtoyWMbzJLCXe1EMvIBJji6nnkWpNX1uRIFRRy9171ooQr2mc/mn EWuDSSV3BNyxjJdLPDvG0zzBC7uWm6fa7TWFGODeWEdIlw4x8gXG3ExcpNNa+P5j YfC2FiypfhpWQYdl06jExFgNWvthmatM1YrFmQZtuklkxk8MxCOS2wsYSUEUAGor wK0NMliayfgnApjFJp0DlnYbHU4JdgX3rkAVu4hUQe8pfeo3tkPWiECB5JOXalG3 afN6lI2zn0wV9+UgYpKY =ITgy -----END PGP SIGNATURE-----
Current thread:
- CVE request: perl-modules Jamie Strandboge (Dec 11)
- Re: CVE request: perl-modules Kurt Seifried (Dec 11)
- <Possible follow-ups>
- Re: CVE request: perl-modules cve-assign (Dec 12)