
Bug#700735: marked as done (pu: package perl/5.10.1-17squeeze5)



Your message dated Sat, 23 Feb 2013 11:56:55 +0000
with message-id <1361620615.20752.10.camel@jacala.jungle.funky-badger.org>
and subject line Closing p-u bugs included in point release
has caused the Debian Bug report #700735,
regarding pu: package perl/5.10.1-17squeeze5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
700735: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700735
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

A security update deemed not serious enough for a DSA, as discussed at
<http://bugs.debian.org/695224>. The security team has requested this be
fixed in stable. The attached patch does so; please may I upload?

Thanks,
Dominic.
diff --git a/debian/changelog b/debian/changelog
index bc6d714..1f28a9b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+perl (5.10.1-17squeeze5) stable; urgency=low
+
+  * [SECURITY] CVE-2012-6329: Fix misparsing of maketext strings which
+    could allow arbitrary code execution from untrusted maketext templates
+    (Closes: #695224)
+
+ -- Dominic Hargreaves <dom@earth.li>  Sat, 16 Feb 2013 19:00:31 +0000
+
 perl (5.10.1-17squeeze4) stable-security; urgency=low
 
   * [SECURITY] CVE-2012-5195: fix a heap buffer overrun with
diff --git a/debian/patches/fixes/maketext-code-execution.diff b/debian/patches/fixes/maketext-code-execution.diff
new file mode 100644
index 0000000..2d09ad7
--- /dev/null
+++ b/debian/patches/fixes/maketext-code-execution.diff
@@ -0,0 +1,66 @@
+From: Brian Carlson <brian.carlson@cpanel.net>
+Subject: Fix misparsing of maketext strings.
+
+Case 61251: This commit fixes a misparse of maketext strings that could
+lead to arbitrary code execution.  Basically, maketext was compiling
+bracket notation into functions, but neglected to escape backslashes
+inside the content or die on fully-qualified method names when
+generating the code.  This change escapes all such backslashes and dies
+when a method name with a colon or apostrophe is specified.
+
+Backported to 5.10.1 by Dominic Hargreaves.
+
+Bug-Debian: http://bugs.debian.org/695224
+Origin: http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8
+Patch-Name: fixes/maketext-code-execution.diff
+
+diff --git a/lib/Locale/Maketext/Guts.pm b/lib/Locale/Maketext/Guts.pm
+index 9af292c..0a3bacf 100644
+--- a/lib/Locale/Maketext/Guts.pm
++++ b/lib/Locale/Maketext/Guts.pm
+@@ -140,21 +140,9 @@ sub _compile {
+                         # 0-length method name means to just interpolate:
+                         push @code, ' (';
+                     }
+-                    elsif($m =~ /^\w+(?:\:\:\w+)*$/s
+-                            and $m !~ m/(?:^|\:)\d/s
+-                        # exclude starting a (sub)package or symbol with a digit
++                    elsif($m =~ /^\w+$/s
++                        # exclude anything fancy, especially fully-qualified module names
+                     ) {
+-                        # Yes, it even supports the demented (and undocumented?)
+-                        #  $obj->Foo::bar(...) syntax.
+-                        $target->_die_pointing(
+-                            $_[1], q{Can't use "SUPER::" in a bracket-group method},
+-                            2 + length($c[-1])
+-                        )
+-                        if $m =~ m/^SUPER::/s;
+-                        # Because for SUPER:: to work, we'd have to compile this into
+-                        #  the right package, and that seems just not worth the bother,
+-                        #  unless someone convinces me otherwise.
+-
+                         push @code, ' $_[0]->' . $m . '(';
+                     }
+                     else {
+@@ -208,7 +196,9 @@ sub _compile {
+             elsif(substr($1,0,1) ne '~') {
+                 # it's stuff not containing "~" or "[" or "]"
+                 # i.e., a literal blob
+-                $c[-1] .= $1;
++                my $text = $1;
++                $text =~ s/\\/\\\\/g;
++                $c[-1] .= $text;
+ 
+             }
+             elsif($1 eq '~~') { # "~~"
+@@ -246,7 +236,9 @@ sub _compile {
+             else {
+                 # It's a "~X" where X is not a special character.
+                 # Consider it a literal ~ and X.
+-                $c[-1] .= $1;
++                my $text = $1;
++                $text =~ s/\\/\\\\/g;
++                $c[-1] .= $text;
+             }
+         }
+     }
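Review bot: the DEP-3 header of the new patch (`+Subject: Fix misparsing of maketext strings.` through `+Patch-Name:`) never names CVE-2012-6329, although the changelog entry above does; since the `DEBPKG:fixes/maketext-code-execution - ...` lines in patchlevel.h are generated from this Subject, the CVE id is lost there too, unlike the neighbouring `fixes/CVE-2012-5195` and `fixes/CVE-2012-5526` entries. Suggest `Subject: [CVE-2012-6329] Fix misparsing of maketext strings.` so the patch and the patchlevel list are self-describing.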
diff --git a/debian/patches/patchlevel b/debian/patches/patchlevel
index 2a998f0..aab8c52 100644
--- a/debian/patches/patchlevel
+++ b/debian/patches/patchlevel
@@ -1,4 +1,4 @@
-Subject: List packaged patches for 5.10.1-17squeeze4 in patchlevel.h
+Subject: List packaged patches for 5.10.1-17squeeze5 in patchlevel.h
 Origin: vendor
 Bug-Debian: http://bugs.debian.org/567489
 
@@ -8,7 +8,7 @@ The list can be refreshed from information in debian/patches by running
 
 --- perl/patchlevel.bak
 +++ perl/patchlevel.h
-@@ -133,0 +134,59 @@
+@@ -133,0 +134,60 @@
 +	,"DEBPKG:debian/arm_thread_stress_timeout - http://bugs.debian.org/501970 Raise the timeout of ext/threads/shared/t/stress.t to accommodate slower build hosts"
 +	,"DEBPKG:debian/cpan_config_path - Set location of CPAN::Config to /etc/perl as /usr may not be writable."
 +	,"DEBPKG:debian/cpan_definstalldirs - Provide a sensible INSTALLDIRS default for modules installed from CPAN."
@@ -67,4 +67,5 @@ The list can be refreshed from information in debian/patches by running
 +	,"DEBPKG:fixes/CVE-2012-5195 - avoid calling memset with a negative count"
 +	,"DEBPKG:fixes/CVE-2012-5526 - [PATCH 1/4] CR escaping for P3P header"
 +	,"DEBPKG:fixes/storable-security-warning - [PATCH] add a note about security concerns in Storable"
-+	,"DEBPKG:patchlevel - http://bugs.debian.org/567489 List packaged patches for 5.10.1-17squeeze4 in patchlevel.h"
++	,"DEBPKG:fixes/maketext-code-execution - Fix misparsing of maketext strings."
++	,"DEBPKG:patchlevel - http://bugs.debian.org/567489 List packaged patches for 5.10.1-17squeeze5 in patchlevel.h"
diff --git a/debian/patches/series b/debian/patches/series
index 6eb1224..3a6f2e2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -56,4 +56,5 @@ fixes/unregister_signal_handler.diff
 fixes/CVE-2012-5195.diff
 fixes/CVE-2012-5526.diff
 fixes/storable-security-warning.diff
+fixes/maketext-code-execution.diff
 patchlevel -p1
diff --git a/lib/Locale/Maketext/Guts.pm b/lib/Locale/Maketext/Guts.pm
index 9af292c..0a3bacf 100644
--- a/lib/Locale/Maketext/Guts.pm
+++ b/lib/Locale/Maketext/Guts.pm
@@ -140,21 +140,9 @@ sub _compile {
                         # 0-length method name means to just interpolate:
                         push @code, ' (';
                     }
-                    elsif($m =~ /^\w+(?:\:\:\w+)*$/s
-                            and $m !~ m/(?:^|\:)\d/s
-                        # exclude starting a (sub)package or symbol with a digit
+                    elsif($m =~ /^\w+$/s
+                        # exclude anything fancy, especially fully-qualified module names
                     ) {
-                        # Yes, it even supports the demented (and undocumented?)
-                        #  $obj->Foo::bar(...) syntax.
-                        $target->_die_pointing(
-                            $_[1], q{Can't use "SUPER::" in a bracket-group method},
-                            2 + length($c[-1])
-                        )
-                        if $m =~ m/^SUPER::/s;
-                        # Because for SUPER:: to work, we'd have to compile this into
-                        #  the right package, and that seems just not worth the bother,
-                        #  unless someone convinces me otherwise.
-
                         push @code, ' $_[0]->' . $m . '(';
                     }
                     else {
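Review bot: the new test at `+                    elsif($m =~ /^\w+$/s` drops the old `$m !~ m/(?:^|\:)\d/s` guard together with the `::` support, so a method name that starts with a digit now satisfies this branch and reaches `push @code, ' $_[0]->' . $m . '(';` instead of the `else` branch that previously handled it; rejection then depends on the generated code failing to compile rather than on an explicit check. Consider keeping `and $m !~ /^\d/s`, and using `\A`/`\z` instead of `^`/`$` so a method name with a trailing newline cannot slip through the anchor.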
@@ -208,7 +196,9 @@ sub _compile {
             elsif(substr($1,0,1) ne '~') {
                 # it's stuff not containing "~" or "[" or "]"
                 # i.e., a literal blob
-                $c[-1] .= $1;
+                my $text = $1;
+                $text =~ s/\\/\\\\/g;
+                $c[-1] .= $text;
 
             }
             elsif($1 eq '~~') { # "~~"
@@ -246,7 +236,9 @@ sub _compile {
             else {
                 # It's a "~X" where X is not a special character.
                 # Consider it a literal ~ and X.
-                $c[-1] .= $1;
+                my $text = $1;
+                $text =~ s/\\/\\\\/g;
+                $c[-1] .= $text;
             }
         }
     }
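Review bot: the three lines `my $text = $1; $text =~ s/\\/\\\\/g; $c[-1] .= $text;` are repeated verbatim in this hunk and in the `@@ -208,7 +196,9 @@` hunk above; escaping once at the point where the literal chunks in `@c` are emitted as code, or via a small helper, would avoid a third literal-appending site being missed later. A short comment stating how the chunk is quoted in the generated code, and therefore why the backslash is the only character that needs doubling here, would also help future readers of the backport. These hunks must stay byte-identical to the quilt patch in `debian/patches/fixes/maketext-code-execution.diff` (the `index 9af292c..0a3bacf` lines match, which suggests they were produced by applying it).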
diff --git a/patchlevel.h b/patchlevel.h
index 1842b95..fbecc7c 100644
--- a/patchlevel.h
+++ b/patchlevel.h
@@ -189,7 +189,8 @@ static const char * const local_patches[] = {
 	,"DEBPKG:fixes/CVE-2012-5195 - avoid calling memset with a negative count"
 	,"DEBPKG:fixes/CVE-2012-5526 - [PATCH 1/4] CR escaping for P3P header"
 	,"DEBPKG:fixes/storable-security-warning - [PATCH] add a note about security concerns in Storable"
-	,"DEBPKG:patchlevel - http://bugs.debian.org/567489 List packaged patches for 5.10.1-17squeeze4 in patchlevel.h"
+	,"DEBPKG:fixes/maketext-code-execution - Fix misparsing of maketext strings."
+	,"DEBPKG:patchlevel - http://bugs.debian.org/567489 List packaged patches for 5.10.1-17squeeze5 in patchlevel.h"
 	,NULL
 };
 

--- End Message ---
--- Begin Message ---
Version: 6.0.7

Hi,

The package discussed in each of these bugs was added to stable as part
of today's point release.

Regards,

Adam

--- End Message ---
