Date: Tue, 11 Dec 2012 11:09:40 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Jamie Strandboge <jamie@...onical.com>, coley@...us.mitre.org, security <security@...ntu.com> Subject: Re: CVE request: perl-modules -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/11/2012 09:56 AM, Jamie Strandboge wrote: > Debian recently fixed the following security bug: > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224 > > "Locale::Maketext is a core l10n library that expands templates > found in strings. > > Two problems were found, reported, and patched-for by Brian Carlson > of cPanel, and these fixes are now in blead and on the CPAN. > > The commit in question is > http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8 > > The flaws are: > > * in a [method,x,y,z] template, the method could be a > fully-qualified name * template expansion did not properly quote > metacharacters, allowing code injection through a malicious > template > > Please upgrade your Locale::Maketext, especially if you allow > user-provided templates." One of our guys has had a chance to look into this: https://bugzilla.redhat.com/show_bug.cgi?id=884354 Petr Pisar 2012-12-06 10:08:20 EST Created attachment 658787 [details] Template for reproducer Could show the attack vector? Attached is small code showing how to use Locale::Maketext. Please modify it to explain the vulnerability. I think the vulnerability is effective only when attacker has first argument of maketext() under control. However that means the attacker can run any code even without this `vulnerability'. It's like saying glibc's gettext() is vulnerable. But that's not true. Sure gettext("%s", user_input) is not safe, but this is flaw in the caller, not in the gettext. The same applies to Locale::Maketext::maketext(). Petr Pisar 2012-12-06 11:18:46 EST And actually the patch breaks behaviour because it forbids cross-package calls which were explicitly allowed and documented before. I disbelieve the patch is good candidate for stable distributions. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBAgAGBQJQx3bkAAoJEBYNRVNeJnmTJPMP/3+IY9tuNyQ4aSRLHCaLpqmZ RREnjXeRouJtgaTqVuBBSwPSxAJ8fXfY1a0aM+euZBWWxAF1tp2EWlClMk5CFjg4 KNOb4f8v4mOuJq/8F2TebGIz+8C7dp7rTpOwadncV38RcbwlXL72QEPdTW2n9t+L FrycDQhCTx1lo5/oj5Jju7CWnDo2jPGnFHgmdyroqefNpS1muoJM9IeSJPnPANOQ g/0TXEeC8gehzbpvRrG0NRje+Pf3nMw/9t8JwKj3pDXrB0nVYLBIgMQdUv+sgYXw AxF4LEa1iKIddl2NwAMHC/lw3w1CoANgb34iqKwm64yIAe88LWfPrHOPHWRRNdgp 5bj44AMsfMXj/iPnw5ArISNZiLSWW33yKP9gKZUcmGtLgEof4bbhwPmnLWGZtYkQ 7EhBl0d+HExgEtoyWMbzJLCXe1EMvIBJji6nnkWpNX1uRIFRRy9171ooQr2mc/mn EWuDSSV3BNyxjJdLPDvG0zzBC7uWm6fa7TWFGODeWEdIlw4x8gXG3ExcpNNa+P5j YfC2FiypfhpWQYdl06jExFgNWvthmatM1YrFmQZtuklkxk8MxCOS2wsYSUEUAGor wK0NMliayfgnApjFJp0DlnYbHU4JdgX3rkAVu4hUQe8pfeo3tkPWiECB5JOXalG3 afN6lI2zn0wV9+UgYpKY =ITgy -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.