Bug#695224: perl-modules: Locale::Maketext code injection
Dominic Hargreaves
dom at earth.li
Wed Dec 5 17:49:47 UTC 2012
Package: perl-modules
Severity: important
Version: 5.14.2-15
----- Forwarded message from Ricardo Signes <perl.p5p at rjbs.manxome.org> -----
Date: Wed, 5 Dec 2012 10:51:47 -0500
From: Ricardo Signes <perl.p5p at rjbs.manxome.org>
To: perl5-porters at perl.org
Subject: security notice: Locale::Maketext
Locale::Maketext is a core l10n library that expands templates found in
strings.
Two problems were found, reported, and patched-for by Brian Carlson of cPanel,
and these fixes are now in blead and on the CPAN.
The commit in question is
http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8
The flaws are:
* in a [method,x,y,z] template, the method could be a fully-qualified name
* template expansion did not properly quote metacharacters, allowing
code injection through a malicious template
Please upgrade your Locale::Maketext, especially if you allow user-provided
templates.
--
rjbs
----- End forwarded message -----
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
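As an added, defender-side example (not from the notice, nor code from Locale::Maketext itself): a Perl pre-screen for templates that come from untrusted users, rejecting the two things the notice calls out, a fully-qualified method name in a [method,x,y,z] group and metacharacters inside a group. The function name and allowlists are this example's own policy, not anything Locale::Maketext enforces; upgrading remains the actual fix.

```perl
use strict;
use warnings;

# Screen a Locale::Maketext template from an untrusted source before it
# reaches maketext(). Returns (1, 'ok') or (0, reason). The allowlists are
# this example's own policy, not Locale::Maketext's API.
sub screen_maketext_template {
    my ($template) = @_;
    my $s = $template;

    # The notation writes literal brackets and tildes as ~[ ~] ~~; drop those
    # first so they are not mistaken for group delimiters.
    $s =~ s/~[\[\]~]//g;
    return (0, 'stray tilde') if $s =~ /~/;

    # Collect every [method,arg,...] group; once they are removed no bracket
    # may remain, which rejects nested or unbalanced groups.
    my @groups = $s =~ /\[([^\[\]]*)\]/g;
    (my $rest = $s) =~ s/\[[^\[\]]*\]//g;
    return (0, 'unbalanced or nested brackets') if $rest =~ /[\[\]]/;

    for my $group (@groups) {
        my ($method, @args) =
            map { (my $x = $_) =~ s/^\s+|\s+$//g; $x } split /,/, $group, -1;
        $method = '' unless defined $method;

        # First flaw in the notice: a Pkg::method name. Only a bare identifier,
        # a parameter reference (_1, _-1, _*) or the quant/numf aliases (*, #)
        # pass this screen.
        return (0, "method '$method' not allowed")
            unless $method eq '' || $method eq '*' || $method eq '#'
                || $method eq '_*' || $method =~ /\A_-?\d+\z/
                || $method =~ /\A[A-Za-z_]\w*\z/;

        # Second flaw: unquoted metacharacters. Arguments may only be parameter
        # references or plain words (letters, digits, space, . % -).
        for my $arg (@args) {
            return (0, "argument '$arg' not allowed")
                unless $arg eq '_*' || $arg =~ /\A_-?\d+\z/
                    || $arg =~ /\A[\w .%\-]*\z/;
        }
    }
    return (1, 'ok');
}

# Constructed templates: the first two should pass, the last two should fail.
for my $t ('You have [quant,_1,file,files].',
           'Saved to ~[tmp~] as [_1]',
           'Hello [Some::Pkg::method,_1]',
           'Total: [sprintf,%d",_1]') {
    my ($ok, $why) = screen_maketext_template($t);
    printf "%-4s %-36s %s\n", ($ok ? 'PASS' : 'FAIL'), $t, $why;
}
```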