Summary: | <perl-core/locale-maketext-1.230.0: Two Code Injection Vulnerabilities (CVE-2012-6329) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | perl |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://secunia.com/advisories/51498/ | | |
Whiteboard: | B2 [glsa] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 504786 | | |
Bug Blocks: | | | |

Description
Agostino Sarubbo
2012-12-07 16:19:42 UTC
Fixed in 1.230.0.

The $URL now says: "The vulnerabilities are reported in versions prior to 1.23."

Arches, please test and mark stable:
=perl-core/locale-maketext-1.230.0
Target keywords : "alpha amd64 arm hppa ia64 ppc s390 sh sparc x86"

Stable for HPPA (including =virtual/perl-locale-maketext-1.230.0).

amd64 stable

ia64 stable

ppc stable

sparc stable

x86 stable

alpha stable

arm stable

s390/sh stable

Thanks, everyone. New GLSA request filed.

Original CVE - CVE-2012-6329

I am not sure, should we add CVE-2013-1666 here too (http://seclists.org/fulldisclosure/2013/Feb/107)

CVE-2012-6329 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6329): The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands via crafted input to an application that accepts translation strings from users, as demonstrated by the TWiki application before 5.1.3, and the Foswiki application 1.0.x through 1.0.10 and 1.1.x through 1.1.6.

Added a PDEPEND in dev-lang/perl-5.16.3 to make sure the upgraded, non-vulnerable perl-core package is installed.

NOTE: this package is now called perl-core/Locale-Maketext (the capitalization has been changed to follow upstream)

5.16.x also masked for removal by dilfridge.

This issue was resolved and addressed in GLSA 201410-02 at http://security.gentoo.org/glsa/glsa-201410-02.xml by GLSA coordinator Mikle Kolyada (Zlogene).
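
As an added example (not code from this bug report or from the Locale::Maketext project), a Perl pre-filter for the issue in the CVE description above: it checks that the installed module is at least 1.23 and flags user-supplied translation strings whose bracket notation names a fully qualified method or that contain a backslash. The allowlist, the sample strings and the no-backslash policy are assumptions made for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Locale::Maketext ();

# Assumed allowlist: the only bracket methods translators may call.
my %ALLOWED = map { $_ => 1 } qw(quant numf numerate sprintf);

# Return the list of problems found in one user-supplied translation string.
sub audit_maketext_string {
    my ($str) = @_;
    my @problems;
    # Conservative policy (an assumption): translations need no backslashes.
    push @problems, 'contains a backslash' if $str =~ /\\/;

    # "~x" is an escaped character; an unescaped "[" opens a bracket group.
    while ($str =~ /\G(?:~.|[^~\[])*+\[((?:~.|[^~\]])*+)\]/gcs) {
        my $group = $1;
        # The first comma-separated item of a group is the method name.
        my ($method) = $group =~ /\A((?:~.|[^~,])*)/s;
        # Empty, _1, _-1 and _* are plain interpolation, not method calls.
        next if $method eq '' || $method =~ /\A_(?:-?\d+|\*)\z/;
        $method = 'quant' if $method eq '*';    # documented shorthand
        $method = 'numf'  if $method eq '#';    # documented shorthand
        if ($method =~ /[:']/) {
            # Package separators mean a fully qualified method name.
            push @problems, "qualified method name: $method";
        } elsif (!$ALLOWED{$method}) {
            push @problems, "method not on allowlist: $method";
        }
    }
    return @problems;
}

# The page gives 1.23 as the first fixed release; VERSION() dies if older.
my $patched = eval { Locale::Maketext->VERSION(1.23); 1 } ? 'yes' : 'NO';
print "Locale::Maketext $Locale::Maketext::VERSION, 1.23 or later: $patched\n";

# Constructed sample inputs, not taken from the page.
my @samples = (
    'You have [quant,_1,file,files].',
    'Hello [_1] ~[sic~]',
    '[Some::Package::helper,_1]',
    '[lookup,_1]',
    'Saved to C:\temp',
);
for my $s (@samples) {
    my @p = audit_maketext_string($s);
    printf "%-34s %s\n", $s, @p ? 'REJECT: ' . join('; ', @p) : 'ok';
}
```

A filter like this is defence in depth for applications that accept translation strings from users; the fix recorded in this bug is the upgrade to 1.230.0.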