
security notice: Locale::Maketext

From: Ricardo Signes <perl...@rjbs.manxome.org>
Wed, 5 Dec 2012 10:51:47 -0500
Locale::Maketext is a core l10n library that expands templates found in
strings.

Two problems were found, reported, and patched-for by Brian Carlson of cPanel,
and these fixes are now in blead and on the CPAN.

The commit in question is
http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8

The flaws are:

* in a [method,x,y,z] template, the method could be a fully-qualified name
* template expansion did not properly quote metacharacters, allowing
  code injection through a malicious template

Please upgrade your Locale::Maketext, especially if you allow user-provided
templates.

-- 
rjbs
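
A pre-filter for the case the notice singles out, user-provided templates, as an added example (not code from Locale::Maketext or from the commit referenced above). It reports bracket groups whose method is not a plain name; the allow-list policy, the function name and the sample templates are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Policy assumed by this example: a bracket group's method must be empty, a
# plain identifier, the "*" / "#" shorthands, or an argument reference
# (_1, _-1, _*). Anything else, including Package::name, is reported.
my $ALLOWED = qr/\A(?:[A-Za-z0-9_]*|\*|\#|_-\d+|_\*)\z/;

# Return the method names of all [method,args] groups that fail the policy.
# "~" is treated as the bracket-notation escape character.
sub suspicious_methods {
    my ($template) = @_;
    my ($inside, $done, $method, @bad) = (0, 0, '');
    while ($template =~ /\G(?: ~(.) | (\[) | (\]) | ([^~\[\]]+) | ~ )/gcsx) {
        my ($esc, $open, $close, $text) = ($1, $2, $3, $4);
        if (defined $open) {                  # start of a group
            ($inside, $done, $method) = (1, 0, '');
        }
        elsif (defined $close) {              # end of a group: judge its method
            push @bad, $method if $inside && $method !~ $ALLOWED;
            $inside = 0;
        }
        elsif (!$inside || $done) {           # literal text or argument text
            next;
        }
        elsif (defined $esc) {                # escaped char inside a method name
            $method .= "~$esc";               # never matches $ALLOWED
        }
        elsif (defined $text) {               # method runs up to the first comma
            if ($text =~ /\A([^,]*),/) { $method .= $1; $done = 1 }
            else                       { $method .= $text }
        }
    }
    push @bad, "$method (unterminated group)" if $inside;
    return @bad;
}

# Constructed sample templates (not taken from the notice).
my @samples = (
    'You have [quant,_1,file,files].',
    'Total: [#,_1] ~[literal brackets~]',
    '[Some::Package::routine,_1]',
);
for my $t (@samples) {
    my @bad = suspicious_methods($t);
    printf "%-6s %s%s\n", (@bad ? 'REJECT' : 'ok'), $t,
        (@bad ? "  <- method: @bad" : '');
}
```

A filter like this only narrows what reaches the library; it addresses the first flaw in the list and does not replace the upgrade.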
