From $URL :
Two vulnerabilities have been reported in the Locale::Maketext module for Perl, which can be exploited
by malicious users to compromise an application using the module.
The vulnerabilities are caused due to the "_compile()" function not properly sanitising input,
which can be exploited to inject and execute arbitrary Perl code.
The vulnerabilities are reported in version 1.23. Prior versions may also be affected.
Fixed in the GIT repository:
Fixed in 1.230.0.
The $URL now says: "The vulnerabilities are reported in versions prior to 1.23."
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc s390 sh sparc x86"
Stable for HPPA (including =virtual/perl-locale-maketext-1.230.0).
New GLSA request filed.
Original CVE - CVE-2012-6329
I am not sure, should we add CVE-2013-1666 here too (http://seclists.org/fulldisclosure/2013/Feb/107)?
The _compile function in Maketext.pm in the Locale::Maketext implementation
in Perl before 5.17.7 does not properly handle backslashes and fully
qualified method names during compilation of bracket notation, which allows
context-dependent attackers to execute arbitrary commands via crafted input
to an application that accepts translation strings from users, as
demonstrated by the TWiki application before 5.1.3, and the Foswiki
application 1.0.x through 1.0.10 and 1.1.x through 1.1.6.
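An added example, not part of the original bug thread or of Locale::Maketext: a defensive pre-check for applications that accept translation strings from users, covering the two inputs the CVE text names (backslashes and fully qualified method names in bracket notation). The helper names, the method-name allowlist and the sample strings are assumptions made for this illustration.

```perl
use strict;
use warnings;
use Locale::Maketext ();

# True if the installed module is at least 1.23, the fixed upstream version
# named on this page (UNIVERSAL::VERSION dies when the module is older).
sub maketext_is_patched {
    return eval { Locale::Maketext->VERSION(1.23); 1 } ? 1 : 0;
}

# Hypothetical helper: list the reasons to reject an untrusted translation
# string before it is handed to maketext().
sub maketext_string_problems {
    my ($str) = @_;
    my @problems;
    push @problems, 'contains a backslash' if $str =~ /\\/;
    # "~" is the bracket-notation escape character; drop escaped characters
    # so that "~[" and "~]" are not mistaken for group delimiters.
    (my $unescaped = $str) =~ s/~.//gs;

    while ($unescaped =~ /\[([^\[\]]*)\]/g) {
        my $group = $1;
        # The first comma-separated item of a group is the method name.
        my ($method) = split /,/, $group, 2;
        $method = '' unless defined $method;
        if ($method =~ /::/) {
            push @problems, "fully qualified method name '$method'";
        }
        elsif ($method !~ /\A(?:_-?\d+|_\*|\*|\#|[A-Za-z_]\w*)\z/) {
            # Conservative allowlist chosen for this example.
            push @problems, "unexpected method name '$method'";
        }
    }
    return @problems;
}

# Constructed sample inputs.
my @samples = (
    'You have [quant,_1,file,files].',
    'Literal ~[brackets~] only',
    'Hello [Example::Pkg::method,_1]',
    'Saved to C:\\temp',
);

print 'Locale::Maketext ', Locale::Maketext->VERSION,
    maketext_is_patched() ? " (patched)\n" : " (upgrade needed)\n";
for my $s (@samples) {
    my @p = maketext_string_problems($s);
    printf "%-6s %s%s\n", (@p ? 'REJECT' : 'ok'), $s, (@p ? "  <- @p" : '');
}
```

The string check is a second layer for code paths that take translation strings from users; upgrading the module remains the fix tracked in this bug.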
Added a PDEPEND in dev-lang/perl-5.16.3 to make sure the upgraded, non-vulnerable perl-core package is installed.
NOTE: this package is now called perl-core/Locale-Maketext (the capitalization has been changed to follow upstream)
5.16.x also masked for removal by dilfridge.
This issue was resolved and addressed in
GLSA 201410-02 at http://security.gentoo.org/glsa/glsa-201410-02.xml
by GLSA coordinator Mikle Kolyada (Zlogene).