Bug 446376 (CVE-2012-6329) - <perl-core/locale-maketext-1.230.0: Two Code Injection Vulnerabilities (CVE-2012-6329)
Status: RESOLVED FIXED
Alias: CVE-2012-6329
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal with 1 vote
Assignee: Gentoo Security
URL: https://secunia.com/advisories/51498/
Whiteboard: B2 [glsa]
Keywords:
Depends on: perl-5.18-stable
Blocks:
Reported: 2012-12-07 16:19 UTC by Agostino Sarubbo
Modified: 2014-10-12 08:35 UTC
Description Agostino Sarubbo gentoo-dev 2012-12-07 16:19:42 UTC
From $URL :

Description
Two vulnerabilities have been reported in Locale::Maketext module for Perl, which can be exploited 
by malicious users to compromise an application using the module.

The vulnerabilities are caused due to the "_compile()" function not properly sanitising input, 
which can be exploited to inject and execute arbitrary Perl code.

The vulnerabilities are reported in version 1.23. Prior versions may also be affected.


Solution
Fixed in the GIT repository:
Comment 1 Torsten Veller (RETIRED) gentoo-dev 2012-12-26 08:23:44 UTC
Fixed in 1.230.0.

The $URL now says: "The vulnerabilities are reported in versions prior to 1.23."
Comment 2 Agostino Sarubbo gentoo-dev 2012-12-26 09:05:28 UTC
Arches, please test and mark stable:
=perl-core/locale-maketext-1.230.0
Target keywords : "alpha amd64 arm hppa ia64 ppc s390 sh sparc x86"
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2012-12-26 10:59:12 UTC
Stable for HPPA (including =virtual/perl-locale-maketext-1.230.0).
Comment 4 Agostino Sarubbo gentoo-dev 2012-12-26 13:56:02 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2012-12-26 13:56:39 UTC
ia64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2012-12-26 13:57:16 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2012-12-26 13:57:53 UTC
sparc stable
Comment 8 Agostino Sarubbo gentoo-dev 2012-12-26 13:58:31 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2012-12-29 08:51:17 UTC
alpha stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-01-01 08:22:50 UTC
arm stable
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2013-01-01 19:21:12 UTC
s390/sh stable
Comment 12 Sean Amoss (RETIRED) gentoo-dev Security 2013-01-01 20:38:37 UTC
Thanks, everyone.

New GLSA request filed.
Comment 13 Sergey Popov gentoo-dev 2013-08-22 09:26:03 UTC
Original CVE - CVE-2012-6329

I am not sure, should we add CVE-2013-1666 here too (http://seclists.org/fulldisclosure/2013/Feb/107)?
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2013-08-31 18:53:26 UTC
CVE-2012-6329 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6329):
  The _compile function in Maketext.pm in the Locale::Maketext implementation
  in Perl before 5.17.7 does not properly handle backslashes and fully
  qualified method names during compilation of bracket notation, which allows
  context-dependent attackers to execute arbitrary commands via crafted input
  to an application that accepts translation strings from users, as
  demonstrated by the TWiki application before 5.1.3, and the Foswiki
  application 1.0.x through 1.0.10 and 1.1.x through 1.1.6.
Comment 15 Andreas K. Hüttel archtester gentoo-dev 2014-09-28 16:04:16 UTC
Added a PDEPEND in dev-lang/perl-5.16.3 to make sure the upgraded, non-vulnerable perl-core package is installed.

NOTE: this package is now called perl-core/Locale-Maketext (the capitalization has been changed to follow upstream)
Comment 16 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-10-12 08:03:11 UTC
5.16.x also masked for removal by dilfridge.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-10-12 08:35:10 UTC
This issue was resolved and addressed in
 GLSA 201410-02 at http://security.gentoo.org/glsa/glsa-201410-02.xml
by GLSA coordinator Mikle Kolyada (Zlogene).