| Store | Cart

Re: security notice: Locale::Maketext

From: Thomas Sibley <t...@bestpractical.com>
Wed, 05 Dec 2012 13:43:25 -0800
On 12/05/2012 07:51 AM, Ricardo Signes wrote:
> Locale::Maketext is a core l10n library that expands templates found in> strings.> > Two problems were found, reported, and patched-for by Brian Carlson of cPanel,> and these fixes are now in blead and on the CPAN.> > The commit in question is> http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8> > The flaws are:> > * in a [method,x,y,z] template, the method could be a fully-qualified name> * template expansion did not properly quote metacharacters, allowing>   code injection through a malicious template> > Please upgrade your Locale::Maketext, especially if you allow user-provided> templates.

The commit mentioned above prevents cross-package method calls, but
still leaves any of the methods in the Locale::Maketext subclass wide
open.  This makes it easy for a security problem to crop up again.

For example: _try_use is a near miss.  If, through seemingly harmless
cleanup, it's ever made into a method, it will allow arbitrary eval via

Another example: User provided loc-strings have full access to
CORE::sprintf() via Locale::Maketext::sprintf(), and generally
user-provided format strings are a red flag (although not necessarily
exploitable in the current maketext implementation).

Existing subclasses, though not Perl's responsibility, may already have
viable attack vectors via added methods.  Upgrading Locale::Maketext
won't fix those, and there should probably be some doc warning subclass
authors (i.e. any Locale::Maketext user :) about it so that they don't
think upgrading is the complete fix.


Recent Messages in this Thread
Ricardo Signes Dec 05, 2012 03:51 pm
Dominic Hargreaves Dec 05, 2012 06:51 pm
Ricardo Signes Dec 05, 2012 09:05 pm
Dominic Hargreaves Dec 09, 2012 12:12 am
Leon Timmermans Dec 09, 2012 12:43 am
brian m. carlson Dec 09, 2012 01:49 am
Thomas Sibley Dec 05, 2012 09:43 pm
Messages in this thread