Your message dated Sun, 17 Feb 2013 00:17:05 +0000
with message-id <e1u6rwh-0002sn...@franck.debian.org>
and subject line Bug#695224: fixed in perl 5.10.1-17squeeze5
has caused the Debian Bug report #695224,
regarding perl-modules: Locale::Maketext code injection
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
695224: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: perl-modules
Severity: important
Version: 5.14.2-15

----- Forwarded message from Ricardo Signes <perl....@rjbs.manxome.org> -----

Date: Wed, 5 Dec 2012 10:51:47 -0500
From: Ricardo Signes <perl....@rjbs.manxome.org>
To: perl5-port...@perl.org
Subject: security notice: Locale::Maketext


Locale::Maketext is a core l10n library that expands templates found in
strings.

Two problems were found, reported, and patched-for by Brian Carlson of cPanel,
and these fixes are now in blead and on the CPAN.

The commit in question is
http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8

The flaws are:

* in a [method,x,y,z] template, the method could be a fully-qualified name
* template expansion did not properly quote metacharacters, allowing
  code injection through a malicious template

Please upgrade your Locale::Maketext, especially if you allow user-provided
templates.

-- 
rjbs



----- End forwarded message -----

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

--- End Message ---
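
A pre-deployment check for the method-name position described in the forwarded notice, added here as an example (it is not code from the upstream commit, cPanel, or the Debian package): it walks every bracket group in a lexicon string and reports method names that are package-qualified or are not plain identifiers. The accepted-name policy, the `audit_template` helper and the sample lexicon are assumptions of this example.

```perl
use strict;
use warnings;

# Audit one bracket-notation template and return a list of problem strings.
# Policy assumed by this example: the first item of a [...] group must be
# empty, an argument reference (_1, _-1, _*), the shorthand * or #, or a
# plain identifier with no package qualifier.
sub audit_template {
    my ($template) = @_;
    my (@problems, $in_group, $first, $first_done);
    # Tokens: "~x" escapes, the three structural characters, runs of text.
    while ($template =~ /\G(~.|[\[\],]|[^~\[\],]+|~)/gs) {
        my $tok = $1;
        if ($tok eq '[') {
            push @problems, 'nested "["' if $in_group;
            ($in_group, $first, $first_done) = (1, '', 0);
        }
        elsif ($tok eq ']') {
            if (!$in_group) { push @problems, 'unmatched "]"'; next }
            $in_group = 0;
            next if $first eq '' || $first eq '*' || $first eq '#'
                 || $first =~ /^_(?:-?[0-9]+|\*)$/;
            if ($first =~ /::|'/) {
                push @problems, "package-qualified method name: $first";
            }
            elsif ($first !~ /^[A-Za-z_][A-Za-z0-9_]*$/) {
                push @problems, "method name is not a plain identifier: $first";
            }
        }
        elsif ($in_group && !$first_done) {
            if ($tok eq ',') { $first_done = 1 } else { $first .= $tok }
        }
    }
    push @problems, 'unterminated "["' if $in_group;
    return @problems;
}

# Constructed sample lexicon entries (not taken from any real application).
my %lexicon = (
    files_found => 'Found [quant,_1,file,files] in [_2].',
    literal     => 'Press ~[Enter~] to continue.',
    qualified   => 'Hello [Some::Package::routine,_1]',
    odd_name    => 'Total: [numf(),_1] items',
);

for my $key (sort keys %lexicon) {
    my @problems = audit_template($lexicon{$key});
    print "$key: ", (@problems ? join('; ', @problems) : 'ok'), "\n";
}
```

Running such a check over translator-supplied or user-supplied lexicon entries complements the upgrade; it does not replace it.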
--- Begin Message ---
Source: perl
Source-Version: 5.10.1-17squeeze5

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 695...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <d...@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 16 Feb 2013 19:00:31 +0000
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug perl-suid libperl5.10 libperl-dev perl
Architecture: source all i386
Version: 5.10.1-17squeeze5
Distribution: stable
Urgency: low
Maintainer: Niko Tyni <nt...@debian.org>
Changed-By: Dominic Hargreaves <d...@earth.li>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.10 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
 perl-suid  - runs setuid Perl scripts
Closes: 695224
Changes: 
 perl (5.10.1-17squeeze5) stable; urgency=low
 .
   * [SECURITY] CVE-2012-6329: Fix misparsing of maketext strings which
     could allow arbitrary code execution from untrusted maketext templates
     (Closes: #695224)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFRIACwYzuFKFF44qURArtuAJ4wEKvdg64cbDnPNRoK8SDR4ZA64wCg8fKr
YVUf4Q/v8LQ8dEeKzAqiZL8=
=ourg
-----END PGP SIGNATURE-----

--- End Message ---
