Bug 1025906 - Locale::Maketext interpolating escaped backslashes improperly
Summary: Locale::Maketext interpolating escaped backslashes improperly
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: perl
Version: 6.6
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: rc
: ---
Assignee: Petr Pisar
QA Contact: Martin Kyral
URL:
Whiteboard:
Depends On:
Blocks: 1070830 1159820
 
Reported: 2013-11-01 22:25 UTC by Dan Eggleston
Modified: 2015-07-22 05:59 UTC (History)

Fixed In Version: perl-5.10.1-138.el6
Doc Type: Bug Fix
Doc Text:
The Perl Locale::Maketext localization framework did not properly translate the backslash (\) characters. As a consequence, Perl rendered the backslashes as double (\\). With this update, Perl no longer escapes the backslashes in literal output strings, and they appear correctly.
Clone Of:
: 1026761 1026763 1029016 (view as bug list)
Environment:
Last Closed: 2015-07-22 05:59:27 UTC
Target Upstream Version:
Embargoed:


Attachments
Reproducer (916 bytes, text/plain) - 2013-11-04 13:04 UTC, Petr Pisar
Upstream partial fix for non-parametrized case (1.38 KB, patch) - 2013-11-04 14:34 UTC, Petr Pisar
Proposed fix for parametrized case (3.29 KB, patch) - 2013-11-05 11:24 UTC, Petr Pisar
Upstream fix (3.53 KB, patch) - 2013-11-11 09:41 UTC, Petr Pisar
Upstream tests (870 bytes, text/plain) - 2013-11-11 13:23 UTC, Petr Pisar
Upstream fix ported to 5.8.8 (3.56 KB, patch) - 2014-02-11 14:53 UTC, Petr Pisar
Upstream fix ported to 5.10.1 (3.63 KB, patch) - 2015-01-07 08:13 UTC, Petr Pisar


Links
System ID Private Priority Status Summary Last Updated
CPAN 120457 0 None None None Never
Red Hat Bugzilla 884354 0 medium CLOSED CVE-2012-6329 perl: possible arbitrary code execution via Locale::Maketext 2021-10-25 08:56:54 UTC
Red Hat Product Errata RHBA-2015:1266 0 normal SHIPPED_LIVE perl bug fix update 2015-07-20 17:49:38 UTC

Internal Links: 884354

Description Dan Eggleston 2013-11-01 22:25:28 UTC
Description of problem:
When a literal backslash is in an L10N value, it is treated nonuniformly by the Locale::Maketext::_compile method, as patched by RH in Locale::Maketext::Guts (per https://bugzilla.redhat.com/show_bug.cgi?id=884354).  The result depends on unrelated parts of the string.


Version-Release number of selected component (if applicable):
perl-5.10.1-131.el6_4.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create a language token, whose value is 'Some data\n'
2. Query the language token through Locale::Maketext ($lh->maketext($tag))

Actual results:
'Some data\\n'

Expected results:
'Some data\n'

Additional info:

The behavior changes in the following cases:
1) If the value contains a tokenized field, behavior depends on whether there is a trailing newline:

'[_1]Some data\n' => 'Some data\n'
'[_1]Some data\n'."\n" => 'Some data\\n
'
2) If the escaped backslash is in a function call, it behaves as expected:

'Some data[sprintf,\n]' => 'Some data\n'



NOTE: All of these cases in standard perl (with Locale::Maketext v 1.13 from CPAN) behave exactly the same as each other, and they all produce just a single '\' before the 'n'.
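
The four cases from the description above, as an added regression check (this is not the reproducer attached to this bug, and not code from the reporter or from Red Hat). The class names My::L10N and My::L10N::en and the lexicon keys are hypothetical; the expected values are the single-backslash results the description gives for standard Locale::Maketext.

```perl
#!/usr/bin/perl
# Added example: checks that maketext() returns lexicon backslashes unchanged.
use strict;
use warnings;
use Locale::Maketext;

# Constructed project class and English lexicon (hypothetical names).
{
    package My::L10N;
    our @ISA = ('Locale::Maketext');
}
{
    package My::L10N::en;
    our @ISA = ('My::L10N');
    our %Lexicon = (
        plain    => 'Some data\n',              # literal backslash + n
        param    => '[_1]Some data\n',          # same, with a parameter
        param_nl => '[_1]Some data\n' . "\n",   # parameter + real newline
        func     => 'Some data[sprintf,\n]',    # backslash inside a call
    );
}

my $lh = My::L10N->get_handle('en') or die "no language handle\n";

# key, maketext arguments, expected output (exactly one backslash each)
my @cases = (
    [ plain    => [],     'Some data\n' ],
    [ param    => [ '' ], 'Some data\n' ],
    [ param_nl => [ '' ], 'Some data\n' . "\n" ],
    [ func     => [],     'Some data\n' ],
);

my $failed = 0;
for my $case (@cases) {
    my ($key, $args, $want) = @$case;
    my $got = $lh->maketext($key, @$args);
    my $ok  = $got eq $want;
    $failed++ unless $ok;
    (my $shown = $got) =~ s/\n/<LF>/g;          # make real newlines visible
    printf "%-4s %-8s => %s\n", ($ok ? 'ok' : 'FAIL'), $key, $shown;
}
exit($failed ? 1 : 0);
```

A non-zero exit status means at least one case came back with a backslash count different from the lexicon value, which is the symptom reported here.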

Comment 2 Petr Pisar 2013-11-04 12:16:19 UTC
The 'Some data\n' is due to back-porting the fix to perl 5.10.1.

The parameterized case behaves for me differently and is caused by the changes in the fix. Even latest Locale::Maketext is affected.

Comment 3 Petr Pisar 2013-11-04 13:04:39 UTC
Created attachment 819144 [details]
Reproducer

Comment 4 Petr Pisar 2013-11-04 14:34:59 UTC
Created attachment 819195 [details]
Upstream partial fix for non-parametrized case

Comment 6 Petr Pisar 2013-11-05 11:24:06 UTC
Created attachment 819662 [details]
Proposed fix for parametrized case

Comment 7 Petr Pisar 2013-11-11 09:41:00 UTC
Created attachment 822328 [details]
Upstream fix

Fix accepted by upstream in slightly different form. Only this one is needed to fix the regression.

Comment 8 Petr Pisar 2013-11-11 13:23:50 UTC
Created attachment 822402 [details]
Upstream tests

Use this script for tests.

Comment 9 Petr Pisar 2014-02-11 14:53:42 UTC
Created attachment 861802 [details]
Upstream fix ported to 5.8.8

This adds additional required fix for literal strings.

Comment 11 Joe Orton 2014-08-27 11:08:00 UTC
Dan, if this is an issue for you on production systems, please raise a ticket through your regular Red Hat support channels to make certain it receives the proper attention and prioritization to assure a timely resolution.

http://www.redhat.com/en/services/support

Comment 13 Dan Eggleston 2014-08-27 11:24:47 UTC
Thanks, Joe. I was able to work around this by wrapping the character escapes within sprintf function calls, so production systems are no longer affected.

Comment 15 Petr Pisar 2015-01-07 08:13:00 UTC
Created attachment 977122 [details]
Upstream fix ported to 5.10.1

Comment 16 Petr Pisar 2015-01-07 08:58:28 UTC
How to test:

(1) Run the reproducer from attachment #8 [details].
(2) Check the output:
Before: Some back-slashes are doubled.
After: There are only single back-slashes.

Comment 21 errata-xmlrpc 2015-07-22 05:59:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1266.html

