| Store | Cart

Re: security notice: Locale::Maketext

From: Dominic Hargreaves <d...@earth.li>
Wed, 5 Dec 2012 18:51:19 +0000 
On Wed, Dec 05, 2012 at 10:51:47AM -0500, Ricardo Signes wrote:
> > Locale::Maketext is a core l10n library that expands templates found in> strings.> > Two problems were found, reported, and patched-for by Brian Carlson of cPanel,> and these fixes are now in blead and on the CPAN.> > The commit in question is> http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8> > The flaws are:> > * in a [method,x,y,z] template, the method could be a fully-qualified name> * template expansion did not properly quote metacharacters, allowing>   code injection through a malicious template> > Please upgrade your Locale::Maketext, especially if you allow user-provided> templates.

Hi Ricardo,

Thanks for this! I wondered (and the question has arised within the
Debian project) whether anyone might be relying on the previous
behaviour? Have you been able to do any assessment of this?

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
Recent Messages in this Thread
security notice: Locale::Maketext
 Ricardo Signes Dec 05, 2012 03:51 pm
 
Re: security notice: Locale::Maketext
 Dominic Hargreaves Dec 05, 2012 06:51 pm
 
 
Re: security notice: Locale::Maketext
 Ricardo Signes Dec 05, 2012 09:05 pm
 
 
 
Re: security notice: Locale::Maketext: CVE?
 Dominic Hargreaves Dec 09, 2012 12:12 am
 
 
 
 
Re: security notice: Locale::Maketext: CVE?
 Leon Timmermans Dec 09, 2012 12:43 am
 
 
 
 
 
Re: security notice: Locale::Maketext: CVE?
 brian m. carlson Dec 09, 2012 01:49 am
 
Re: security notice: Locale::Maketext
 Thomas Sibley Dec 05, 2012 09:43 pm
Messages in this thread