From $URL:

Description
Two vulnerabilities have been reported in the Locale::Maketext module for Perl, which can be exploited by malicious users to compromise an application using the module. The vulnerabilities are caused due to the "_compile()" function not properly sanitising input, which can be exploited to inject and execute arbitrary Perl code. The vulnerabilities are reported in version 1.23. Prior versions may also be affected.

Solution
Fixed in the GIT repository:
Fixed in 1.230.0. The $URL now says: "The vulnerabilities are reported in versions prior to 1.23."
Arches, please test and mark stable: =perl-core/locale-maketext-1.230.0
Target keywords: "alpha amd64 arm hppa ia64 ppc s390 sh sparc x86"
Stable for HPPA (including =virtual/perl-locale-maketext-1.230.0).
amd64 stable
ia64 stable
ppc stable
sparc stable
x86 stable
alpha stable
arm stable
s390/sh stable
Thanks, everyone. New GLSA request filed.
Original CVE: CVE-2012-6329. I am not sure; should we add CVE-2013-1666 here too (http://seclists.org/fulldisclosure/2013/Feb/107)?
CVE-2012-6329 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6329): The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands via crafted input to an application that accepts translation strings from users, as demonstrated by the TWiki application before 5.1.3, and the Foswiki application 1.0.x through 1.0.10 and 1.1.x through 1.1.6.
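The NVD text above describes the exploitable boundary: bracket notation is interpreted only in the template that _compile() turns into a Perl sub, never in the arguments substituted into it, so the attack needs an application that lets a user-supplied string become the template. The script below is an added example for this bug page, not code from Perl, TWiki, Foswiki or the Gentoo tree; MyApp::L10N, the lexicon keys, the translate() wrapper and the attacker-style input are all constructed for illustration. It keeps user data on the argument side and refuses to compile any key that is not in the handle's own lexicon, and warns when the installed Locale::Maketext is older than the 1.23 release this bug tracks.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical application classes (MyApp::L10N is an assumed name, not a
# real distribution), defined inline so the script is self-contained.
package MyApp::L10N;
use parent 'Locale::Maketext';

package MyApp::L10N::en;
our @ISA = ('MyApp::L10N');
our %Lexicon = (
    '_AUTO'       => 1,   # unknown keys would be compiled as templates
    'files_found' => 'Found [quant,_1,file,files] in [_2].',
    'greeting'    => 'Hello, [_1]!',
);

package main;

# Flag a Locale::Maketext older than the 1.23 release that carries the fix.
warn "Locale::Maketext $Locale::Maketext::VERSION predates the CVE-2012-6329 fix (1.23)\n"
    if $Locale::Maketext::VERSION < 1.23;

# Translate a KEY that the application hard-codes. Bracket notation is only
# interpreted in the lexicon value that _compile() turns into a sub; @args
# are substituted as plain values, so user data is inert there.
sub translate {
    my ($lh, $key, @args) = @_;
    my $class = ref $lh;
    no strict 'refs';
    # With _AUTO => 1 (or a fail_with handler) a key missing from %Lexicon is
    # compiled verbatim, which is how untrusted strings reached _compile() in
    # the TWiki/Foswiki cases; only keys defined in the handle's own class pass.
    die "refusing to compile non-lexicon template: $key\n"
        if $key =~ /^_/ or not exists ${"${class}::Lexicon"}{$key};
    return $lh->maketext($key, @args);
}

my $lh = MyApp::L10N->get_handle('en') or die "no language handle\n";

# Constructed attacker-style input carrying bracket notation.
my $user_dir = '[quant,_1,pwned]';

# Safe use: the user string is an argument and is inserted verbatim,
# giving "Found 3 files in [quant,_1,pwned]."
print translate($lh, 'files_found', 3, $user_dir), "\n";

# The pattern the advisory warns about: the user string used as the template.
# translate() refuses it instead of handing it to _compile().
eval { translate($lh, $user_dir, 'x') };
print "blocked: $@" if $@;
```

The lexicon check deliberately looks only at the handle's own class; if your lexicons are spread over a base class and per-language subclasses, walk @ISA (or use Locale::Maketext's own lexicon lookup) before widening the allow-list, and never derive the key from request data. The version warning is a convenience for audits, not a substitute for the wrapper: keeping untrusted text out of the template side is what removes the code-injection path regardless of the installed Locale::Maketext.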
Added a PDEPEND in dev-lang/perl-5.16.3 to make sure the upgraded, non-vulnerable perl-core package is installed. NOTE: this package is now called perl-core/Locale-Maketext (the capitalization has been changed to follow upstream)
5.16.x also masked for removal by dilfridge.
This issue was resolved and addressed in GLSA 201410-02 at http://security.gentoo.org/glsa/glsa-201410-02.xml by GLSA coordinator Mikle Kolyada (Zlogene).