security notice: Locale::Maketext

Front page | perl.perl5.porters | Postings from December 2012

security notice: Locale::Maketext

Thread Next

From:

Ricardo Signes

Date:

December 5, 2012 15:52

Subject:

security notice: Locale::Maketext

Message ID:

20121205155147.GE13908@cancer.codesimply.com


Locale::Maketext is a core l10n library that expands templates found in
strings.

Two problems were found, reported, and patched-for by Brian Carlson of cPanel,
and these fixes are now in blead and on the CPAN.

The commit in question is
http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8

The flaws are:

* in a [method,x,y,z] template, the method could be a fully-qualified name
* template expansion did not properly quote metacharacters, allowing
  code injection through a malicious template

Please upgrade your Locale::Maketext, especially if you allow user-provided
templates.

-- 
rjbs

Thread Next

security notice: Locale::Maketext by Ricardo Signes

Re: security notice: Locale::Maketext by Thomas Sibley
Re: security notice: Locale::Maketext by Dominic Hargreaves

Re: security notice: Locale::Maketext by Ricardo Signes

Locale::Maketext security fix: real world breakage? by Dominic Hargreaves
Re: security notice: Locale::Maketext: CVE? by Dominic Hargreaves

Re: security notice: Locale::Maketext: CVE? by Leon Timmermans

Re: security notice: Locale::Maketext: CVE? by brian m. carlson

nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About