Bug 884354 (CVE-2012-6329) - CVE-2012-6329 perl: possible arbitrary code execution via Locale::Maketext
Summary: CVE-2012-6329 perl: possible arbitrary code execution via Locale::Maketext
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-6329
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://thread.gmane.org/gmane.comp.la...
Whiteboard:
Depends On: 884363 915690 915691 915692 915693
Blocks: 884356
Reported: 2012-12-06 03:28 UTC by Vincent Danen
Modified: 2021-05-14 14:13 UTC (History)
CC List: 17 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-26 19:58:00 UTC
Embargoed:


Attachments
Template for reproducer (433 bytes, text/plain), 2012-12-06 15:08 UTC, Petr Pisar
Upstream fix (3.37 KB, patch), 2013-01-11 10:34 UTC, Petr Pisar
Fix ported to perl-5.10.1 (3.29 KB, patch), 2013-03-04 12:01 UTC, Petr Pisar
Fix ported to perl-5.8.8 (3.05 KB, patch), 2013-03-04 15:58 UTC, Petr Pisar
Fix ported to perl-5.8.8 (3.06 KB, patch), 2013-03-05 10:09 UTC, Petr Pisar
Partial reproducer (495 bytes, text/plain), 2013-03-05 10:12 UTC, Petr Pisar


Links
Red Hat Bugzilla 1025906, CLOSED: Locale::Maketext interpolating escaped backslashes improperly (last updated 2021-02-22 00:41:40 UTC)
Red Hat Bugzilla 1026761, private (last updated 2021-01-20 06:05:38 UTC)
Red Hat Bugzilla 1026763, CLOSED: Locale::Maketext interpolating escaped backslashes improperly (last updated 2021-02-22 00:41:40 UTC)
Red Hat Product Errata RHSA-2013:0685, SHIPPED_LIVE: Moderate: perl security update (last updated 2013-03-26 23:26:59 UTC)

Internal Links: 1025906 1026761 1026763

Description Vincent Danen 2012-12-06 03:28:11 UTC
A commit to the upstream perl git repository [1] indicated that perl's Locale::Maketext was vulnerable to a flaw that could lead to arbitrary code execution if this function was executed on user-supplied input.  Quoting the commit message:

Case 61251: This commit fixes a misparse of maketext strings that could
lead to arbitrary code execution.  Basically, maketext was compiling
bracket notation into functions, but neglected to escape backslashes
inside the content or die on fully-qualified method names when
generating the code.  This change escapes all such backslashes and dies
when a method name with a colon or apostrophe is specified.

[1] http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8

Comment 1 Vincent Danen 2012-12-06 04:05:18 UTC
In perl 5.8.8 and 5.10.1, the affected code is in lib/Locale/Maketext/Guts.pm, not lib/Locale/Maketext.pm (as implied in the git commit above).

Comment 2 Vincent Danen 2012-12-06 04:06:30 UTC
Created perl tracking bugs for this issue

Affects: fedora-all [bug 884363]

Comment 3 Petr Pisar 2012-12-06 15:08:20 UTC
Created attachment 658787 [details]
Template for reproducer

Could you show the attack vector? Attached is a small piece of code showing how to use Locale::Maketext. Please modify it to explain the vulnerability.

I think the vulnerability is effective only when the attacker has the first argument of maketext() under control.

However, that means the attacker can run any code even without this `vulnerability'. It's like saying glibc's gettext() is vulnerable. But that's not true.

Sure, gettext("%s", user_input) is not safe, but this is a flaw in the caller, not in gettext. The same applies to Locale::Maketext::maketext().

Comment 4 Petr Pisar 2012-12-06 16:18:46 UTC
And actually the patch breaks behaviour because it forbids cross-package calls, which were explicitly allowed and documented before. I don't believe the patch is a good candidate for stable distributions.

Comment 6 Vincent Danen 2013-01-04 21:59:53 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-6329 to
the following vulnerability:

Name: CVE-2012-6329
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6329
Assigned: 20121210
Reference: http://sourceforge.net/mailarchive/message.php?msg_id=30219695
Reference: http://openwall.com/lists/oss-security/2012/12/11/4
Reference: http://code.activestate.com/lists/perl5-porters/187763/
Reference: http://code.activestate.com/lists/perl5-porters/187746/
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=884354
Reference: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224
Reference: http://perl5.git.perl.org/perl.git/blob/HEAD:/pod/perl5177delta.pod
Reference: http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8
Reference: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329

The _compile function in Maketext.pm in the Locale::Maketext
implementation in Perl before 5.17.7 does not properly handle
backslashes and fully qualified method names during compilation of
bracket notation, which allows context-dependent attackers to execute
arbitrary commands via crafted input to an application that accepts
translation strings from users, as demonstrated by the TWiki
application before 5.1.3, and the Foswiki application 1.0.x through
1.0.10 and 1.1.x through 1.1.6.
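
The distinction drawn in Comment 3 (the caller lets the attacker control the first argument of maketext()) together with the CVE text above (bracket notation is compiled into Perl code), shown as a safe calling pattern. This is an added example, not code from the bug report, from the attachments or from perl itself; the MyApp::L10N class and its inline English lexicon are assumptions, and user data reaches maketext() only as a parameter, never as the template.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical application localization class (assumption, not from the bug).
package MyApp::L10N;
use parent 'Locale::Maketext';

# Inline English lexicon; Locale::Maketext treats a package that already has
# %Lexicon as loaded, so no separate .pm file is needed for this example.
package MyApp::L10N::en;
use parent -norequire, 'MyApp::L10N';
our %Lexicon = (
    'hello_user'  => 'Hello, [_1]!',
    'files_found' => 'Found [quant,_1,file,files].',
);

package main;

my $lh = MyApp::L10N->get_handle('en') or die "no language handle";

# Constructed untrusted input that contains bracket-notation characters.
my $user_name = q{<untrusted input> [bla]};

# Safe: the template is a fixed lexicon key chosen by the program. The only
# strings that get compiled into code are the lexicon entries; the user value
# is substituted as parameter [_1] and is never parsed as bracket notation.
print $lh->maketext('hello_user', $user_name), "\n";   # Hello, <untrusted input> [bla]!
print $lh->maketext('files_found', 3), "\n";           # Found 3 files.

# The caller flaw Comment 3 describes, left unexecuted here: passing the
# untrusted string itself as the first argument hands it to _compile, which
# turns its bracket notation into a Perl sub and then runs it.
# my $msg = $lh->maketext($user_name);   # never do this with untrusted data
```

Review of code that wraps Locale::Maketext should therefore look for any call where the first argument to maketext() (or the lexicon contents) can be influenced by a user, independent of whether the perl package carries the upstream fix.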

Comment 7 Petr Pisar 2013-01-11 10:34:09 UTC
Created attachment 676781 [details]
Upstream fix

Comment 8 Fedora Update System 2013-01-24 21:54:45 UTC
perl-5.14.3-205.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2013-01-30 00:53:51 UTC
perl-5.16.2-237.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2013-02-19 01:37:48 UTC
perl-5.14.3-221.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Petr Pisar 2013-03-04 12:01:24 UTC
Created attachment 704920 [details]
Fix ported to perl-5.10.1

Comment 13 Petr Pisar 2013-03-04 15:58:52 UTC
Created attachment 705056 [details]
Fix ported to perl-5.8.8

Comment 14 Petr Pisar 2013-03-05 10:09:22 UTC
Created attachment 705349 [details]
Fix ported to perl-5.8.8

Corrected fix (previous version had unbalanced curly bracket).

Comment 15 Petr Pisar 2013-03-05 10:12:56 UTC
Created attachment 705351 [details]
Partial reproducer

This code, based on the Template attachment, demonstrates calling a function from another module (POSIX::printf() in this case).

Comment 16 errata-xmlrpc 2013-03-26 19:27:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:0685 https://rhn.redhat.com/errata/RHSA-2013-0685.html
