CPANSA-Locale-Maketext-2012-6329: Locale-Maketext vulnerability

Publisher	giterlizzi	Document category	csaf_security_advisory
Initial release date	2013-01-04T00:00:00	Engine	CSAF Perl Toolkit 0.25
Current release date	2013-01-04T00:00:00	Build Date
Current version	1	Status	final
CVSS v3.1 Base Score		Severity
Original language		Language	en
Also referred to

Vulnerability Description

The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands via crafted input to an application that accepts translation strings from users, as demonstrated by the TWiki application before 5.1.3, and the Foswiki application 1.0.x through 1.0.10 and 1.1.x through 1.1.6.

Vulnerabilities

CVE-2012-6329

Vulnerability Description

Weakness	CWE-94 : Improper Control of Generation of Code ('Code Injection')

Product status

Known affected

Product

Score

Locale-Maketext less than 1.25

CVSS Version	CVSS Vector	CVSS Base Score	CVSS Base Severity
2.0	AV:N/AC:L/Au:N/C:P/I:P/A:P	7.5	High

giterlizzi

Namespace: https://github.com/giterlizzi/

gdt@cpan.org

References

CPANSA-Locale-Maketext-2012-6329 JSON self
https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2013/cpansa-locale-maketext-2012-6329.json
http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8 external
http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8
http://sourceforge.net/mailarchive/message.php?msg_id=30219695 external
http://sourceforge.net/mailarchive/message.php?msg_id=30219695
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224 external
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329 external
http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329
http://perl5.git.perl.org/perl.git/blob/HEAD:/pod/perl5177delta.pod external
http://perl5.git.perl.org/perl.git/blob/HEAD:/pod/perl5177delta.pod
http://openwall.com/lists/oss-security/2012/12/11/4 external
http://openwall.com/lists/oss-security/2012/12/11/4
http://code.activestate.com/lists/perl5-porters/187763/ external
http://code.activestate.com/lists/perl5-porters/187763/
http://code.activestate.com/lists/perl5-porters/187746/ external
http://code.activestate.com/lists/perl5-porters/187746/
https://bugzilla.redhat.com/show_bug.cgi?id=884354 external
https://bugzilla.redhat.com/show_bug.cgi?id=884354
http://rhn.redhat.com/errata/RHSA-2013-0685.html external
http://rhn.redhat.com/errata/RHSA-2013-0685.html
http://www.mandriva.com/security/advisories?name=MDVSA-2013:113 external
http://www.mandriva.com/security/advisories?name=MDVSA-2013:113
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0032 external
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0032
http://www.ubuntu.com/usn/USN-2099-1 external
http://www.ubuntu.com/usn/USN-2099-1
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html external
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.securityfocus.com/bid/56950 external
http://www.securityfocus.com/bid/56950
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735 external
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 external
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
CVE-2012-6329 (NVD) external
https://nvd.nist.gov/vuln/detail/CVE-2012-6329

Revision history

Version	Date of the revision	Summary of the revision
1	Fri Jan 4 00:00:00 2013	First release

Sharing rules

TLP:WHITE
For the TLP version see: https://www.first.org/tlp/