Fedora has issued an advisory on January 12:
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097440.html

There is a copy of this module in our perl package itself too, as is the case in Fedora.

It's not immediately clear which versions are affected, but it should be easy to determine by checking to see if the upstream fix has already been applied.
Whiteboard: (none) => MGA2TOO
Sorry for the delay.

perl-5.16.2-5.mga3 currently building in cauldron
perl-5.14.2-8.mga2 currently building in mga2 core/updates_testing
perl-Locale-Maketext is safe in cauldron
perl-Locale-Maketext-1.220.0-2.mga2 currently building in mga2 core/updates_testing

Please push perl-5.14.2-8.mga2 and perl-Locale-Maketext-1.220.0-2.mga2 to mga2 core/updates when it's uploaded (build was fine, it's currently waiting for upload).

Upstream advisory (don't know if we should keep full details):
=================================
Fixes a misparse of Locale::Maketext::maketext strings that could lead to arbitrary code execution. Basically, maketext was compiling bracket notation into functions, but neglected to escape backslashes inside the content or die on fully-qualified method names when generating the code. This change escapes all such backslashes and dies when a method name with a colon or apostrophe is specified.
=================================

CC: (none) => jquelin
See Also: (none) => https://bugzilla.redhat.com/show_bug.cgi?id=884354
Assignee: jquelin => qa-bugs

Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)
It needs a subrel bump Jerome

------------------
Core Updates
perl-5.14.2-8.mga2
------------------
Core Updates Testing
perl-5.14.2-8.mga2
------------------
Whiteboard: (none) => feedback
I'm not able to reproduce so far.

There is a basic use file here: https://bugzilla.redhat.com/attachment.cgi?id=658787

I've modified the maketext line at the bottom with _0 and _9999999999.

I notice with _0 it shows
Hello My::Localize::cs_cz=HASH(0x14539f0)!
which doesn't look like a crash, and with _9999999999 it shows
Hello !
with no excessive memory usage etc.

Any suggestions Jerome please? If we can't reproduce then this script can be used to validate it with anyway.
Oops, sorry for the subrel. I just resubmitted it, it should be available soon. I haven't looked at a reproducible snippet, since a) the security issue is dubious at best (allowing user input as a pattern is never a good idea) and b) I don't use this Perl module and thus am not familiar with it. Since I am short of tuits, I don't think we should bother further.
Thanks Jerome
Whiteboard: feedback => has_procedure
SRPM: perl-5.14.2-8.1.mga2.src.rpm
----------------------------------
perl-base
perl-devel
perl-doc
perl

SRPM: perl-Locale-Maketext-1.220.0-2.mga2.src.rpm
-------------------------------------------------
perl-Locale-Maketext

Testing complete mga2 64

Looking for good ways to test the perl installation I found instmodsh from perl-devel. It should list all installed perl modules IINM. Tested with current and updated versions and it only lists Perl itself.

$ instmodsh
Available commands are:
   l            - List all installed modules
   m <module>   - Select a module
   q            - Quit the program
cmd? l
Installed modules are:
   Perl
cmd? q

Is this a bug Jerome or expected behaviour?

$ perl -V
shows no obvious errors and

$ perl -e 'print "Hello World!\n";'
Hello World!

Tested with MCC general use

Also tested perl-Locale-Maketext with the script from comment 3

$ perl 8815.pl
Ahoj, foo!
Whiteboard: has_procedure => has_procedure mga2-64-ok
Testing complete mga2 32 in the same way

Validating

Jerome could you still respond to the query in comment 7 please. If it is a bug and not a feature I will create one for it.

Advisory
=================================
Fixes a misparse of Locale::Maketext::maketext strings that could lead to arbitrary code execution. Basically, maketext was compiling bracket notation into functions, but neglected to escape backslashes inside the content or die on fully-qualified method names when generating the code. This change escapes all such backslashes and dies when a method name with a colon or apostrophe is specified. (CVE-2012-6329)
=================================

SRPM's
perl-5.14.2-8.1.mga2.src.rpm
perl-Locale-Maketext-1.220.0-2.mga2.src.rpm

Could sysadmin please push from core/updates_testing to core/updates.

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok mga2-32-ok

References for the advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6329
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097440.html

Also, the CVE text might be better for the advisory:

The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands via crafted input to an application that accepts translation strings from users (CVE-2012-6329).
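
The two conditions named in the advisory, turned into a pre-check for applications that accept translation strings from users. This is an added example, not part of the thread or of the upstream patch; the function name, the sample lexicon and the choice to reject every backslash are assumptions.

```perl
#!/usr/bin/perl
# Added example, not upstream code: pre-check translation strings before they
# are handed to Locale::Maketext. Names and sample strings are constructed.
use strict;
use warnings;

# Returns a list of findings for one maketext string (empty list = clean).
sub audit_maketext_string {
    my ($str) = @_;
    my @findings;

    # Assumption: reject any backslash outright rather than reasoning about
    # where the unpatched compiler mishandles it.
    push @findings, 'contains a backslash' if $str =~ /\\/;

    # Neutralise maketext's tilde escapes (~~ ~[ ~] ~,) so that escaped
    # brackets and commas are not mistaken for bracket-notation syntax.
    (my $plain = $str) =~ s/~[~\[\],]/_/g;

    # Each [method,arg,...] group: the first field is the method name.
    while ($plain =~ /\[([^\[\]]*)\]/g) {
        my $group = $1;
        my ($method) = split /,/, $group, 2;
        $method = '' unless defined $method;
        # The fixed module dies on a colon or apostrophe here; flag the same.
        push @findings, 'method name "' . $method . '" has a colon or apostrophe'
            if $method =~ /[:']/;
    }
    return @findings;
}

# Constructed sample lexicon: three ordinary entries and two that get flagged.
my %lexicon = (
    greeting => 'Hello [_1]!',
    files    => 'You have [quant,_1,file,files].',
    literal  => 'Use ~[brackets~] literally',
    suspect1 => '[Other::Package::helper,_1]',
    suspect2 => 'Path is C:\\temp',
);

for my $key (sort keys %lexicon) {
    my @f = audit_maketext_string($lexicon{$key});
    printf "%-9s %s\n", $key, @f ? 'REJECT: ' . join('; ', @f) : 'ok';
}
```

A check like this complements the package update rather than replacing it.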
Patches checked into Mageia 1 perl and perl-Locale-Maketext packages in SVN.
This is because ExtUtils::Installed (the module used by instmodsh) is relying on .packlist, which is a file getting appended when a module is installed. However, since we package modules using rpm, we do not use .packlist, otherwise it would cause massive conflict on the same file. To know the list of installed modules, install pmtools package and run pmall. pmvers allows you to get the module version.
Thanks Jerome, if it's a feature and not a bug it's fine.
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0032
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED