Product: Security Response

https://bugzilla.redhat.com/show_bug.cgi?id=884354

--- Comment #3 from Petr Pisar <ppisar@xxxxxxxxxx> ---

Created attachment 658787
  --> https://bugzilla.redhat.com/attachment.cgi?id=658787&action=edit
Template for reproducer

Could you show the attack vector? Attached is a small piece of code showing how to use Locale::Maketext. Please modify it to explain the vulnerability.

I think the vulnerability is effective only when the attacker has the first argument of maketext() under control. However, that means the attacker can run any code even without this `vulnerability'.

It's like saying glibc's gettext() is vulnerable. But that's not true. Sure, gettext("%s", user_input) is not safe, but this is a flaw in the caller, not in gettext(). The same applies to Locale::Maketext::maketext().
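
The caller-side distinction discussed in this comment, as an added example that is not part of the original message or of attachment 658787: the first argument of maketext() is a template, so untrusted text belongs in a parameter or must be escaped. The package names `MyApp::L10N` and `MyApp::L10N::en`, the helper `escape_maketext`, and the sample input are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Minimal localization classes (hypothetical names, for this example only).
package MyApp::L10N;
use parent 'Locale::Maketext';

package MyApp::L10N::en;
use parent -norequire, 'MyApp::L10N';
our %Lexicon = (_AUTO => 1);   # treat every key as its own translation

package main;

my $lh = MyApp::L10N->get_handle('en') or die "no language handle\n";

# Constructed sample of untrusted input that contains Bracket Notation.
my $user_input = 'Total: [numf,1234567]';

# Caller flaw: untrusted text is used as the template, so its bracket
# group is compiled and dispatched as a method call on the handle.
my $as_template = $lh->maketext($user_input);

# Correct use: constant template, untrusted text passed as a parameter.
my $as_param = $lh->maketext('[_1]', $user_input);

# If untrusted text must be embedded in a template, escape the three
# characters Bracket Notation treats specially (~ is the escape character).
sub escape_maketext {
    my ($text) = @_;
    $text =~ s/([~\[\]])/~$1/g;
    return $text;
}
my $escaped = $lh->maketext(escape_maketext($user_input));

print "as template: $as_template\n";  # bracket group was interpreted
print "as param:    $as_param\n";     # brackets kept as literal text
print "escaped:     $escaped\n";      # brackets kept as literal text
```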