Bug#695224: perl-modules: Locale::Maketext code injection

Paul Harvey csirac2 at gmail.com
Mon Mar 11 03:37:31 UTC 2013


Hi there,

On Fri, Jan 18, 2013 at 03:06:38PM +0000, Dominic Hargreaves wrote:
...
> Debian stable. As such I'd be very interested in hearing from anyone
> who has real world examples of this breaking things.

It's worth pointing out that you've now got Locale::Maketext 1.23, minus 
the doc changes and version bump. That's the only real code change 
between 1.19 and 1.23 - so calling this 1.19 makes life harder for 
projects like Foswiki to sanity-check the users' environment.

Take a look at the Locale::Maketext 1.19..master diff for yourself: 
https://github.com/toddr/Locale-Maketext/compare/84a644...master

Compared to the diff which I think was applied in perl-modules:

http://perl5.git.perl.org/perl.git/blobdiff/569ba91fcdabdc53eb4284f860a25273bd7fe4e1..1735f6f53ca19f99c6e9e39496c486af323ba6a8:/dist/Locale-Maketext/lib/Locale/Maketext.pm

Foswiki uses Locale::Maketext when internationalization is enabled, so 
we've had our own CVE response - 
http://foswiki.org/Support/SecurityAlert-CVE-2012-6329.

As part of the fix, we perform additional escaping before calling 
Locale::Maketext if the version is < 1.23.

The Debian-patched 1.19 of course already has the escaping code, so we 
end up with double-escaping issues.

As we're now getting user complaints on Debian systems, we will have to 
come up with a technical solution to this problem but I think it'd also 
make sense for Debian to simply ship Locale::Maketext 1.23 proper.

Here's the changelog, FWIW

http://cpansearch.perl.org/src/TODDR/Locale-Maketext-1.23/ChangeLog

Cheers

--
Paul Harvey
Foswiki developer
