Bug 8815 - perl-Locale-Maketext new security issue CVE-2012-6329
: perl-Locale-Maketext new security issue CVE-2012-6329
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/534040/
: has_procedure mga2-64-ok mga2-32-ok
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-01-25 17:46 CET by David Walser
Modified: 2013-02-06 23:13 CET (History)
3 users (show)

See Also:
Source RPM: perl, perl-Locale-Maketext
CVE:
Status comment:


Attachments

Description David Walser 2013-01-25 17:46:08 CET
Fedora has issued an advisory on January 12:
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097440.html

There is a copy of this module in our perl package itself too, as is the case in Fedora.  It's not immediately clear which versions are affected, but it should be easy to determine by checking to see if the upstream fix has already been applied.
Comment 1 Jerome Quelin 2013-02-04 16:49:58 CET
sorry for the delay.

perl-5.16.2-5.mga3 currently building in cauldron
perl-5.14.2-8.mga2 currently building in mga2 core/updates_testing

perl-Locale-Maketext is safe in cauldron
 perl-Locale-Maketext-1.220.0-2.mga2 currently building in mga2 core/updates_testing

please push perl-5.14.2-8.mga2 and perl-Locale-Maketext-1.220.0-2.mga2 to mga2 core/updates when it's uploaded (built was fine, it's currently waiting for upload).

Upstream advisory (don't know if we should keep full details):
=================================
Fixes a misparse of Locale::Maketext::maketext strings that could
lead to arbitrary code execution.  Basically, maketext was compiling
bracket notation into functions, but neglected to escape backslashes
inside the content or die on fully-qualified method names when
generating the code.  This change escapes all such backslashes and dies
when a method name with a colon or apostrophe is specified.
=================================
Comment 2 claire robinson 2013-02-05 10:52:39 CET
It needs a subrel bump Jerome

------------------
Core Updates
perl-5.14.2-8.mga2
------------------
Core Updates Testing
perl-5.14.2-8.mga2
------------------
Comment 3 claire robinson 2013-02-05 11:00:16 CET
I'm not able to reproduce so far. There is a basic use file here https://bugzilla.redhat.com/attachment.cgi?id=658787

I've modified the maketext line at the bottom with _0 and _9999999999

I notice with _0 it shows Hello My::Localize::cs_cz=HASH(0x14539f0)!
which doesn't look like a crash, and with _9999999999 it shows Hello ! with no excessive memory usage etc.

Any suggestions Jerome please? If we can't reproduce then this script can be used to validate it with anyway.
Comment 4 Jerome Quelin 2013-02-05 12:27:04 CET
Oops, sorry for the subrel. I just resubmitted it, it should be available soon.

I haven't looked at a reproducible snippet, since a) the security issue is dubious at best (allowing user input as a pattern is never a good idea) and b) I don't use this Perl module and thus am not familiar with it. Since I am short of tuits, I don't think we should bother further.
Comment 5 claire robinson 2013-02-05 12:37:35 CET
Thanks Jerome
Comment 6 claire robinson 2013-02-05 15:54:48 CET
SRPM: perl-5.14.2-8.1.mga2.src.rpm
----------------------------------
perl-base
perl-devel
perl-doc
perl

SRPM: perl-Locale-Maketext-1.220.0-2.mga2.src.rpm
-------------------------------------------------
perl-Locale-Maketext
Comment 7 claire robinson 2013-02-05 17:02:37 CET
Testing complete mga2 64

Looking for good ways to test the perl installation I found instmodsh from perl-devel.

It should list all installed perl modules IINM, .

Tested with current and updated versions and it only lists Perl itself.

$ instmodsh
Available commands are:
   l            - List all installed modules
   m <module>   - Select a module
   q            - Quit the program
cmd? l
Installed modules are:
   Perl
cmd? q

Is this a bug Jerome or expected behaviour?

$ perl -V

shows no obvious errors and

$ $ perl -e 'print "Hello World!\n";'
Hello World!

Tested with MCC general use

Also tested perl-Locale-Maketext with the script from comment 3

$ perl 8815.pl
Ahoj, foo!
Comment 8 claire robinson 2013-02-05 18:51:25 CET
Testing complete mga2 32 in the same way

Validating

Jerome could you still respond to the query in comment 7 please. If it is a bug and not a feature I will create one for it.


Advisory
=================================
Fixes a misparse of Locale::Maketext::maketext strings that could
lead to arbitrary code execution.  Basically, maketext was compiling
bracket notation into functions, but neglected to escape backslashes
inside the content or die on fully-qualified method names when
generating the code.  This change escapes all such backslashes and dies
when a method name with a colon or apostrophe is specified.(CVE-2012-6329)
=================================

SRPM's
perl-5.14.2-8.1.mga2.src.rpm
perl-Locale-Maketext-1.220.0-2.mga2.src.rpm

Could sysadmin please push from core/updates_testing to core/updates.

Thanks!
Comment 9 David Walser 2013-02-05 19:56:09 CET
References for the advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6329
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097440.html

Also, the CVE text might be better for the advisory:

The _compile function in Maketext.pm in the Locale::Maketext implementation in
Perl before 5.17.7 does not properly handle backslashes and fully qualified
method names during compilation of bracket notation, which allows context-
dependent attackers to execute arbitrary commands via crafted input to an
application that accepts translation strings from users (CVE-2012-6329).
Comment 10 David Walser 2013-02-05 20:35:41 CET
Patches checked into Mageia 1 perl and perl-Locale-Maketext packages in SVN.
Comment 11 Jerome Quelin 2013-02-06 09:16:21 CET
This is because ExtUtils::Installed (the module used by instmodsh) is relying on .packlist, which is a file getting appended when a module is installed.
However, since we package modules using rpm, we do not use .packlist, otherwise it would cause massive conflict on the same file.

To know the list of installed modules, install pmtools package and run pmall. pmvers allows you to get the module version.
Comment 12 claire robinson 2013-02-06 12:03:25 CET
Thanks Jerome, if it's a feature and not a bug it's fine.
Comment 13 Thomas Backlund 2013-02-06 23:13:39 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0032

Note You need to log in before you can comment on or make changes to this bug.