[Bug 884354] CVE-2012-6329 perl: possible arbitrary code execution via Locale::Maketext

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Product: Security Response
https://bugzilla.redhat.com/show_bug.cgi?id=884354

Vincent Danen <vdanen@xxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|perl: possible arbitrary    |CVE-2012-6329 perl:
                   |code execution via          |possible arbitrary code
                   |Locale::Maketext            |execution via
                   |                            |Locale::Maketext
              Alias|                            |CVE-2012-6329

--- Comment #6 from Vincent Danen <vdanen@xxxxxxxxxx> ---
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-6329 to
the following vulnerability:

Name: CVE-2012-6329
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6329
Assigned: 20121210
Reference: http://sourceforge.net/mailarchive/message.php?msg_id=30219695
Reference: http://openwall.com/lists/oss-security/2012/12/11/4
Reference: http://code.activestate.com/lists/perl5-porters/187763/
Reference: http://code.activestate.com/lists/perl5-porters/187746/
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=884354
Reference: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224
Reference: http://perl5.git.perl.org/perl.git/blob/HEAD:/pod/perl5177delta.pod
Reference:
http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8
Reference: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329

The _compile function in Maketext.pm in the Locale::Maketext
implementation in Perl before 5.17.7 does not properly handle
backslashes and fully qualified method names during compilation of
bracket notation, which allows context-dependent attackers to execute
arbitrary commands via crafted input to an application that accepts
translation strings from users, as demonstrated by the TWiki
application before 5.1.3, and the Foswiki application 1.0.x through
1.0.10 and 1.1.x through 1.1.6.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=DLUKWyOMfX&a=cc_unsubscribe
--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/perl-devel
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Legacy Announce]     [Fedora PHP Devel]     [Kernel Devel]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite Information]
  Powered by Linux