Bug#695224: Locale::Maketext security fix: real world breakage?

Giuseppe Iuculano giuseppe at iuculano.it
Wed Feb 6 15:59:17 UTC 2013


Hi Dominic,

On 04/02/2013 21:28, Dominic Hargreaves wrote:
> I had no replies about this, so I think it's time to bite the bullet
> and decide whether we should target this fix at
> 
> - stable-security
> - stable
> - neither of the above.
> 
> I think I'm leaning towards stable on the basis that that's a slightly
> safer place to land a possibly-problematic fix, as well as the fact I
> don't know of any real world exploits for this, but I am open to (and
> welcome) all comments.
> 
> I seem to remember reading that a point release of squeeze is
> due quite soon, but I couldn't find an announcement of such.

from http://openwall.com/lists/oss-security/2012/12/11/4:

"I think the vulnerability is effective only when attacker has first
argument of maketext() under control.

However that means the attacker can run any code even without this
`vulnerability'. It's like saying glibc's gettext() is vulnerable. But
that's not true.

Sure gettext("%s", user_input) is not safe, but this is flaw in the
caller, not in the gettext. The same applies to
Locale::Maketext::maketext().

Petr Pisar 2012-12-06 11:18:46 EST"


This is CVE-2012-6329 and I think this doesn't warrant a DSA, please fix
it in stable.


Cheers,
Giuseppe.
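
The caller-side distinction made in the quoted oss-security comment, as an added example that is not part of the original message or of Locale::Maketext itself: the first argument of maketext() is a template in bracket notation, so untrusted text belongs in a parameter. The Demo::L10N classes, the sample input and the escape_maketext helper are hypothetical names constructed for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Locale::Maketext;

# Hypothetical localization classes, defined inline so the script is self-contained.
{ package Demo::L10N;     use parent -norequire, 'Locale::Maketext'; }
{ package Demo::L10N::en; use parent -norequire, 'Demo::L10N';
  # _AUTO => 1: keys missing from the lexicon are compiled as bracket notation.
  our %Lexicon = (_AUTO => 1); }

# Hypothetical helper: neutralise bracket notation when untrusted text really
# has to be part of the key. '~' is the escape character in bracket notation.
sub escape_maketext {
    my ($text) = @_;
    $text =~ s/([~\[\]])/~$1/g;
    return $text;
}

my $lh = Demo::L10N->get_handle('en') or die "no language handle\n";

# Constructed sample of untrusted input that happens to contain bracket notation.
my $user_input = 'You have [quant,3,file]';

# Flawed caller: untrusted text is the first argument, so the bracket group is
# compiled and the quant() method is invoked on the handle.
my $as_key = $lh->maketext($user_input);

# Correct caller: the template is a constant and the untrusted text is passed
# as a parameter, where it is inserted verbatim and never compiled.
my $as_param = $lh->maketext('Message: [_1]', $user_input);

# Fallback: escaped key, brackets come out as literal characters.
my $escaped = $lh->maketext(escape_maketext($user_input));

print "untrusted text as key:       $as_key\n";
print "untrusted text as parameter: $as_param\n";
print "untrusted text, escaped key: $escaped\n";
```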
