| Store | Cart

Re: security notice: Locale::Maketext

From: Dominic Hargreaves <d...@earth.li>
Wed, 5 Dec 2012 18:51:19 +0000
On Wed, Dec 05, 2012 at 10:51:47AM -0500, Ricardo Signes wrote:
> > Locale::Maketext is a core l10n library that expands templates found in> strings.> > Two problems were found, reported, and patched-for by Brian Carlson of cPanel,> and these fixes are now in blead and on the CPAN.> > The commit in question is> http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8> > The flaws are:> > * in a [method,x,y,z] template, the method could be a fully-qualified name> * template expansion did not properly quote metacharacters, allowing>   code injection through a malicious template> > Please upgrade your Locale::Maketext, especially if you allow user-provided> templates.

Hi Ricardo,

Thanks for this! I wondered (and the question has arised within the
Debian project) whether anyone might be relying on the previous
behaviour? Have you been able to do any assessment of this?


Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

Recent Messages in this Thread
Ricardo Signes Dec 05, 2012 03:51 pm
Dominic Hargreaves Dec 05, 2012 06:51 pm
Ricardo Signes Dec 05, 2012 09:05 pm
Dominic Hargreaves Dec 09, 2012 12:12 am
Leon Timmermans Dec 09, 2012 12:43 am
brian m. carlson Dec 09, 2012 01:49 am
Thomas Sibley Dec 05, 2012 09:43 pm
Messages in this thread