Your message dated Mon, 10 Dec 2012 15:05:53 +0000
with message-id <[email protected]>
and subject line Bug#695224: fixed in perl 5.14.2-16
has caused the Debian Bug report #695224,
regarding perl-modules: Locale::Maketext code injection
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
695224: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: perl-modules
Severity: important
Version: 5.14.2-15
----- Forwarded message from Ricardo Signes <[email protected]> -----
Date: Wed, 5 Dec 2012 10:51:47 -0500
From: Ricardo Signes <[email protected]>
To: [email protected]
Subject: security notice: Locale::Maketext
Locale::Maketext is a core l10n library that expands templates found in
strings.
Two problems were found, reported, and patched-for by Brian Carlson of cPanel,
and these fixes are now in blead and on the CPAN.
The commit in question is
http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8
The flaws are:
* in a [method,x,y,z] template, the method could be a fully-qualified name
* template expansion did not properly quote metacharacters, allowing
code injection through a malicious template
Please upgrade your Locale::Maketext, especially if you allow user-provided
templates.
--
rjbs
----- End forwarded message -----
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
--- End Message ---
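As an added illustration (this is not code from the advisory, from rjbs, or from the Debian perl package), the script below shows the usage pattern the notice warns about and the one to use instead: templates come from a fixed lexicon, user data only ever travels as the _1/_2 parameters, and a template contributed from outside the application (a translator's submission, for instance) is vetted before it is added to the lexicon. The My::L10N packages, the template_is_trusted() allow-list and the sample strings are my own. The guard is defence in depth only: the second flaw above was in the quoting of the template text itself, so on an unpatched Locale::Maketext no filter on method names is a substitute for upgrading.

```perl
#!/usr/bin/perl
# Added example, not code from the advisory or the Debian perl package.
# Trusted templates live in %Lexicon, untrusted input is passed only as
# parameters, and contributed templates are vetted before being loaded.
# Package names and template_is_trusted() are my own (hypothetical).
use strict;
use warnings;

package My::L10N;
use parent 'Locale::Maketext';

package My::L10N::en;
our @ISA = ('My::L10N');
# Deliberately no '_AUTO' => 1 here: with _AUTO on, an unknown key is
# compiled as a template, so a caller-controlled key becomes a
# caller-controlled template, which is exactly what the advisory warns about.
our %Lexicon = (
    'files_deleted' => '[quant,_1,file,files] deleted by [_2].',
    'greeting'      => 'Hello, [_1]!',
);

package main;

# Bracket-notation methods accepted in a template that did not ship with
# the application.  A fully-qualified Pkg::method, or anything else, is
# refused before Locale::Maketext ever sees the string.
my %ALLOWED_METHOD = map { $_ => 1 }
    ('quant', 'numf', 'numerate', 'sprintf', '*', '#');

# Returns 1 if every [...] group in $tmpl starts with a parameter (_1, _*)
# or an allow-listed method, 0 otherwise.  ~[ ~] ~, ~~ are the escapes
# Locale::Maketext documents and are skipped; this guard rejects any other
# use of '~' and any unbalanced or nested bracket.
sub template_is_trusted {
    my ($tmpl) = @_;
    (my $body = $tmpl) =~ s/~[\[\]~,]//g;
    return 0 if $body =~ /~/;
    my @groups = $body =~ /\[([^\[\]]*)\]/g;
    (my $rest = $body) =~ s/\[[^\[\]]*\]//g;
    return 0 if $rest =~ /[\[\]]/;
    for my $group (@groups) {
        my ($method) = split /,/, $group, -1;
        $method = '' unless defined $method;
        next if $method =~ /^_(?:\d+|\*)$/;      # [_1], [_*]
        return 0 unless $ALLOWED_METHOD{$method};
    }
    return 1;
}

# Adds a contributed template under $key only if it passes the guard.
# Lexicon values are compiled lazily on first maketext() use, so storing
# the plain string is enough.
sub add_contributed_template {
    my ($key, $tmpl) = @_;
    return 0 unless template_is_trusted($tmpl);
    $My::L10N::en::Lexicon{$key} = $tmpl;
    return 1;
}

my $lh = My::L10N->get_handle('en') or die "no language handle\n";

# 1. Trusted template, untrusted data: parameters are substituted as data,
#    bracket notation inside them is never parsed.
print $lh->maketext('files_deleted', 3, 'alice'), "\n";
print $lh->maketext('greeting', '[sprintf,%s,x]'), "\n";

# 2. With _AUTO off, an unknown key is an error, not a template.
my $out = eval { $lh->maketext('[sprintf,%s,x]') };
print 'unknown key rejected: ', (defined $out ? 'no' : 'yes'), "\n";

# 3. Contributed templates go through the guard before they are loaded.
#    Sample strings are constructed for this example.
my @candidates = (
    '[quant,_1,item,items] in cart',
    'Price: [#,_1] ~[tax included~]',
    '[Foo::Bar::baz,_1]',
    '[[_1]]',
);
for my $cand (@candidates) {
    my $ok = add_contributed_template("contrib_$cand", $cand);
    printf "%-35s %s\n", $cand, $ok ? 'accepted' : 'rejected';
}
print $lh->maketext('contrib_[quant,_1,item,items] in cart', 2), "\n";
```

Any perl with Locale::Maketext installed (it is a core module) runs this. The point to take away is the split in section 1: the only strings that reach the template compiler are the ones the application ships or has explicitly vetted, and request-controlled values go through the _N parameters, where bracket notation is inert. Leaving _AUTO off (section 2) keeps a request-controlled key from being compiled as a template.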
--- Begin Message ---
Source: perl
Source-Version: 5.14.2-16
We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dominic Hargreaves <[email protected]> (supplier of updated perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 10 Dec 2012 12:47:14 +0000
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug libperl5.14 libperl-dev perl
Architecture: source all i386
Version: 5.14.2-16
Distribution: unstable
Urgency: medium
Maintainer: Niko Tyni <[email protected]>
Changed-By: Dominic Hargreaves <[email protected]>
Description:
libcgi-fast-perl - CGI::Fast Perl module
libperl-dev - Perl library: development files
libperl5.14 - shared Perl library
perl - Larry Wall's Practical Extraction and Report Language
perl-base - minimal Perl system
perl-debug - debug-enabled Perl interpreter
perl-doc - Perl documentation
perl-modules - Core Perl modules
Closes: 693420 695223 695224
Changes:
perl (5.14.2-16) unstable; urgency=medium
.
* [SECURITY] CVE-2012-5526: CGI.pm improper cookie and p3p
CRLF escaping (Closes: #693420)
* [SECURITY] Fix misparsing of maketext strings which could allow
arbitrary code execution from untrusted maketext templates
(Closes: #695224)
* [SECURITY] add warning to Storable documentation that Storable
documents should not be accepted from untrusted sources
(Closes: #695223)
Checksums-Sha1:
c8b7f6a30c413ea4b2e5c896cf1d17b13bafcbe2 1721 perl_5.14.2-16.dsc
9e8d151dcf329576a4b1a7657e9268dec06d0243 155151 perl_5.14.2-16.debian.tar.gz
e718582112c701aa54bc551bd46eb852c4644d40 74914 libcgi-fast-perl_5.14.2-16_all.deb
c8a40a664daeaac9caa70bba041de708d4d4aefc 8166594 perl-doc_5.14.2-16_all.deb
e9570fa287f148c8f23c186293ad32c240c6b220 3439114 perl-modules_5.14.2-16_all.deb
60c6d439372d063f69608a27a2a1bed02c01d6d7 1493988 perl-base_5.14.2-16_i386.deb
00b6946d0b2e1c268255be9da86bbbf18c083c45 9225014 perl-debug_5.14.2-16_i386.deb
1965addcfa618214b57a71e7ab134c9cd6fcff24 731478 libperl5.14_5.14.2-16_i386.deb
5bcb88cbcf38056ca23ea6bf045b6e09e15da29a 3054592 libperl-dev_5.14.2-16_i386.deb
22f7f5b2ed3af5d54aabb2ef2b12b09f6f9a641a 3700978 perl_5.14.2-16_i386.deb
Checksums-Sha256:
024b02816fce4888c75c2e4a41c25ea751c01cf40b138c51294fd14a4642cfde 1721 perl_5.14.2-16.dsc
ddd143e1ea79a706731bd362a421518f53cf1f8c8e7c431f95691787b8ba4117 155151 perl_5.14.2-16.debian.tar.gz
55eef21650fcdec9fd64a32519da6625cbef8011ef3020b907a2d01b25478085 74914 libcgi-fast-perl_5.14.2-16_all.deb
f4bc71ed91c741dc16353f4c2ddaaa27bffcc8db64c216eaefe93c56f3dc926d 8166594 perl-doc_5.14.2-16_all.deb
fdb7a02824aecc27a0616295990cd2fd5661d23997334aafa1d607b03ca07c84 3439114 perl-modules_5.14.2-16_all.deb
59deffd6f8f982874b684014a37df8abc5311e7a5c1f4aec5642aa4ee05e2f7c 1493988 perl-base_5.14.2-16_i386.deb
83590a117136029682c5a542d3d48459183f652cace5905cb029ad8f5d56e1a2 9225014 perl-debug_5.14.2-16_i386.deb
4af5cb0c464a7afc92a83b90d4fe00988b1bfcc3b22bbb9ba6fc54aafbd2fda2 731478 libperl5.14_5.14.2-16_i386.deb
e0a8860044e28dc0b3c1f1fca6b2b62dc287b67ee5cc8746492f92212d359b80 3054592 libperl-dev_5.14.2-16_i386.deb
c87257ae8f7221eeb523094bf578ae5fc4673b6af4a88e54ad9e238c5494f9ba 3700978 perl_5.14.2-16_i386.deb
Files:
858164359163428bf082fad51e300b7a 1721 perl standard perl_5.14.2-16.dsc
c5ae3219697cd323db59faa0d5aa53cd 155151 perl standard perl_5.14.2-16.debian.tar.gz
303efa86279da45a8badeb4fd3e8ae0b 74914 perl optional libcgi-fast-perl_5.14.2-16_all.deb
ad770d4148849db198b4c857bbcc8340 8166594 doc optional perl-doc_5.14.2-16_all.deb
b4cfa2c0f754258e07c089bc4bcf18d1 3439114 perl standard perl-modules_5.14.2-16_all.deb
bba51c64dd09a6e47d9b3f80416eb692 1493988 perl required perl-base_5.14.2-16_i386.deb
a73a0072a482104c3e59711db2a09f2e 9225014 debug extra perl-debug_5.14.2-16_i386.deb
043212af3300bc414fddadfcdacbbdcd 731478 libs optional libperl5.14_5.14.2-16_i386.deb
9681b4d187a5901b74dfc7f1fbf04304 3054592 libdevel optional libperl-dev_5.14.2-16_i386.deb
7ea94b65ead39491b13e6a3c00a8d492 3700978 perl standard perl_5.14.2-16_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFQxeayYzuFKFF44qURAr/PAJ4yAHz2cl1U+O0fZdG2aiPw0qEGHwCaAgB/
jQIpgbLwRp7n3lwotLWi8pw=
=8cNp
-----END PGP SIGNATURE-----
--- End Message ---