Date: Tue, 11 Dec 2012 11:09:40 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jamie Strandboge <jamie@...onical.com>, coley@...us.mitre.org,
        security <security@...ntu.com>
Subject: Re: CVE request: perl-modules

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/11/2012 09:56 AM, Jamie Strandboge wrote:
> Debian recently fixed the following security bug: 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224
> 
> "Locale::Maketext is a core l10n library that expands templates
> found in strings.
> 
> Two problems were found, reported, and patched-for by Brian Carlson
> of cPanel, and these fixes are now in blead and on the CPAN.
> 
> The commit in question is 
> http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8
>
>  The flaws are:
> 
> * in a [method,x,y,z] template, the method could be a
>   fully-qualified name
> * template expansion did not properly quote metacharacters,
>   allowing code injection through a malicious template
> 
> Please upgrade your Locale::Maketext, especially if you allow
> user-provided templates."

One of our guys has had a chance to look into this:

https://bugzilla.redhat.com/show_bug.cgi?id=884354

Petr Pisar 2012-12-06 10:08:20 EST

Created attachment 658787 [details]
Template for reproducer

Could you show the attack vector? Attached is a small piece of code
showing how to use Locale::Maketext. Please modify it to explain the
vulnerability.

I think the vulnerability is effective only when the attacker has the
first argument of maketext() under control.

However, that means the attacker can run any code even without this
`vulnerability'. It's like saying glibc's gettext() is vulnerable. But
that's not true.

Sure, gettext("%s", user_input) is not safe, but this is a flaw in the
caller, not in gettext. The same applies to
Locale::Maketext::maketext().

Petr Pisar 2012-12-06 11:18:46 EST

And actually the patch breaks behaviour because it forbids
cross-package calls, which were explicitly allowed and documented
before. I don't believe the patch is a good candidate for stable
distributions.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
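The caller-side distinction Petr draws above (a fixed template with user data passed as an argument, versus user data used as the template itself) in Perl, as an added example that is not part of the thread and not code from Locale::Maketext or from the Debian or Red Hat bug reports. The My::L10N packages, the lexicon entries and the assert_no_bracket_notation guard are constructed for this illustration:

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from Locale::Maketext itself.
# Package names My::L10N / My::L10N::en and the lexicon are constructed.
use strict;
use warnings;

package My::L10N;
use parent 'Locale::Maketext';

package My::L10N::en;
our @ISA = ('My::L10N');
our %Lexicon = (
    _AUTO      => 1,   # unknown keys are compiled verbatim as templates
    'greeting' => 'Hello, [_1]!',
    'files'    => 'You have [quant,_1,file,files].',
);

package main;

my $lh = My::L10N->get_handle('en')
    or die "cannot load language handle\n";

# Safe pattern: the template is a fixed lexicon key chosen by the program.
# User input travels as a parameter ([_1]) and is inserted verbatim, so any
# bracket notation it contains is never parsed as a template.
sub greet_safe {
    my ($user_input) = @_;
    return $lh->maketext('greeting', $user_input);
}

sub file_count_safe {
    my ($n) = @_;
    return $lh->maketext('files', $n);
}

# Caller flaw, the analogue of printf(user_input): user input becomes the
# template. With _AUTO set, an unknown key is compiled as a template, so
# bracket notation inside the input is interpreted by maketext. This is the
# "attacker controls the first argument of maketext()" case from the thread.
sub greet_unsafe {
    my ($user_input) = @_;
    return $lh->maketext("Hello, $user_input!");   # do not do this
}

# Defence in depth for code that cannot avoid building templates at run time:
# refuse input carrying Locale::Maketext's bracket-notation delimiters or its
# escape character rather than relying on the library to neutralise them.
sub assert_no_bracket_notation {
    my ($text) = @_;
    die "refusing user input containing bracket notation: $text\n"
        if $text =~ /[\[\]~]/;
    return $text;
}

my $name = shift(@ARGV) // 'Alice';
print greet_safe($name), "\n";
print file_count_safe(3), "\n";
print greet_unsafe(assert_no_bracket_notation($name)), "\n";
```

Run it as `perl maketext_demo.pl 'Alice'` (the file name is arbitrary) and then with an argument containing `[` or `~`: greet_safe accepts anything, because the lexicon key, not the argument, is what maketext compiles, while the guarded greet_unsafe path dies before the input ever reaches the template compiler. The guard is deliberately a blunt allow-nothing filter on the three metacharacters; the real fix is to never let user data select or form the template, exactly as with gettext.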

