[Bug 884354] CVE-2012-6329 perl: possible arbitrary code execution via Locale::Maketext

bugzilla at redhat.com bugzilla at redhat.com
Fri Jan 4 21:59:53 UTC 2013 

Product: Security Response
https://bugzilla.redhat.com/show_bug.cgi?id=884354

Vincent Danen <vdanen at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|perl: possible arbitrary    |CVE-2012-6329 perl:
                   |code execution via          |possible arbitrary code
                   |Locale::Maketext            |execution via
                   |                            |Locale::Maketext
              Alias|                            |CVE-2012-6329

--- Comment #6 from Vincent Danen <vdanen at redhat.com> ---
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-6329 to
the following vulnerability:

Name: CVE-2012-6329
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6329
Assigned: 20121210
Reference: http://sourceforge.net/mailarchive/message.php?msg_id=30219695
Reference: http://openwall.com/lists/oss-security/2012/12/11/4
Reference: http://code.activestate.com/lists/perl5-porters/187763/
Reference: http://code.activestate.com/lists/perl5-porters/187746/
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=884354
Reference: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224
Reference: http://perl5.git.perl.org/perl.git/blob/HEAD:/pod/perl5177delta.pod
Reference:
http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8
Reference: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329

The _compile function in Maketext.pm in the Locale::Maketext
implementation in Perl before 5.17.7 does not properly handle
backslashes and fully qualified method names during compilation of
bracket notation, which allows context-dependent attackers to execute
arbitrary commands via crafted input to an application that accepts
translation strings from users, as demonstrated by the TWiki
application before 5.1.3, and the Foswiki application 1.0.x through
1.0.10 and 1.1.x through 1.1.6.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=DLUKWyOMfX&a=cc_unsubscribe

More information about the perl-devel mailing list