Bug 884354 (CVE-2012-6329)
| Field | Value |
|---|---|
| Summary | CVE-2012-6329 perl: possible arbitrary code execution via Locale::Maketext |
| Product | [Other] Security Response |
| Reporter | Vincent Danen <vdanen> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | bleanhar, cweyl, iarnell, jialiu, jplesnik, kasal, lkundrak, lmeyer, mmaslano, perl-devel, perl-maint-list, ppisar, psabata, rc040203, rmillner, tcallawa, tkramer |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| URL | http://thread.gmane.org/gmane.comp.lang.perl.perl5.porters/118434 |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2013-03-26 19:58:00 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 884363, 915690, 915691, 915692, 915693 |
| Bug Blocks | 884356 |
| Attachments | |
Description
Vincent Danen
2012-12-06 03:28:11 UTC
In perl 5.8.8 and 5.10.1, this affected code is in lib/Locale/Maketext/Guts.pm, not lib/Locale/Maketext.pm (as implied in the git commit above).

Created perl tracking bugs for this issue

Affects: fedora-all [bug 884363]

Created attachment 658787 [details]
Template for reproducer
Could you show the attack vector? Attached is small code showing how to use Locale::Maketext. Please modify it to explain the vulnerability.

I think the vulnerability is effective only when the attacker has the first argument of maketext() under control.

However, that means the attacker can run any code even without this 'vulnerability'. It's like saying glibc's gettext() is vulnerable. But that's not true.

Sure, gettext("%s", user_input) is not safe, but this is a flaw in the caller, not in gettext. The same applies to Locale::Maketext::maketext().

And actually the patch breaks behaviour because it forbids cross-package calls which were explicitly allowed and documented before. I don't believe the patch is a good candidate for stable distributions.

Common Vulnerabilities and Exposures assigned an identifier CVE-2012-6329 to the following vulnerability:

Name: CVE-2012-6329
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6329
Assigned: 20121210
Reference: http://sourceforge.net/mailarchive/message.php?msg_id=30219695
Reference: http://openwall.com/lists/oss-security/2012/12/11/4
Reference: http://code.activestate.com/lists/perl5-porters/187763/
Reference: http://code.activestate.com/lists/perl5-porters/187746/
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=884354
Reference: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224
Reference: http://perl5.git.perl.org/perl.git/blob/HEAD:/pod/perl5177delta.pod
Reference: http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8
Reference: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329

The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands via crafted input to an application that accepts translation strings from users, as demonstrated by the TWiki application before 5.1.3, and the Foswiki application 1.0.x through 1.0.10 and 1.1.x through 1.1.6.

Created attachment 676781 [details]
Upstream fix
perl-5.14.3-205.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

perl-5.16.2-237.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

perl-5.14.3-221.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

Created attachment 704920 [details]
Fix ported to perl-5.10.1
Created attachment 705056 [details]
Fix ported to perl-5.8.8

Created attachment 705349 [details]
Fix ported to perl-5.8.8

Corrected fix (previous version had an unbalanced curly bracket).

Created attachment 705351 [details]
Partial reproducer

This code, based on the Template attachment, demonstrates calling a function from another module (POSIX::printf() in this case).
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6

Via RHSA-2013:0685 https://rhn.redhat.com/errata/RHSA-2013-0685.html
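The thread's central point is that the first argument of maketext() is a template which Locale::Maketext compiles, so it has to come from the application's own lexicon, while anything a user supplies belongs in the positional parameters, exactly as with gettext("%s", user_input). The script below is an added illustration of that usage pattern; it is not code from this bug report, its attachments, or the Perl project. The package names (MyApp::L10N, MyApp::L10N::en), the 'greeting' lexicon key and the sample "user input" are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not code from bug 884354 or its attachments.
# Shows the usage pattern the thread argues for: the template passed to
# maketext() comes from the application's own lexicon, and anything a user
# supplies travels in the positional parameters ([_1], [_2], ...), which
# Locale::Maketext interpolates but never compiles as bracket notation.
use strict;
use warnings;

# Hypothetical project class hierarchy (an assumption for this example).
package MyApp::L10N;
use parent 'Locale::Maketext';

package MyApp::L10N::en;
use parent -norequire, 'MyApp::L10N';   # -norequire: class is defined in this file

# The lexicon is trusted application data. Only strings held here (or in
# translation files under the project's own control) are ever handed to
# maketext() as the first argument.
our %Lexicon = (
    'greeting' => 'Hello, [_1]! You have [quant,_2,new message,new messages].',
);

package main;

my $lh = MyApp::L10N->get_handle('en')
    or die "could not build a language handle\n";

# Constructed sample input standing in for a value read from a request.
# It contains bracket notation on purpose: passed as a parameter it is
# emitted literally, because parameters are never compiled.
my $user_name = '[_1] ~ [not_a_method,x]';
my $count     = 3;

# Safe: a fixed lexicon key, with untrusted data only in the parameter slots.
print $lh->maketext('greeting', $user_name, $count), "\n";

# Unsafe shape, the one the thread compares to gettext("%s", $user_input):
# a user-controlled string would be compiled as the template itself.
# print $lh->maketext($user_name);
```

Run it with any Perl that ships Locale::Maketext: the bracket characters inside $user_name come back unchanged in the greeting, while [quant,_2,...] in the lexicon entry is expanded, which is the separation between trusted template and untrusted data that keeps an application safe regardless of whether its Locale::Maketext carries the upstream fix.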