Arbitrary Code Injection Affecting perl package, versions <5.14.2-16
- Snyk ID SNYK-DEBIAN10-PERL-327757
- published 4 Jan 2013
- disclosed 4 Jan 2013
How to fix?
Upgrade the Debian:10 perl package to version 5.14.2-16 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for the Debian:10 relevant fixed versions and status.
The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands via crafted input to an application that accepts translation strings from users, as demonstrated by the TWiki application before 5.1.3, and the Foswiki application 1.0.x through 1.0.10 and 1.1.x through 1.1.6.
References
- https://security-tracker.debian.org/tracker/CVE-2012-6329
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224
- http://code.activestate.com/lists/perl5-porters/187746/
- http://code.activestate.com/lists/perl5-porters/187763/
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735
- http://perl5.git.perl.org/perl.git/blob/HEAD:/pod/perl5177delta.pod
- http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8
- http://sourceforge.net/mailarchive/message.php?msg_id=30219695
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0032
- http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329
- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
- http://openwall.com/lists/oss-security/2012/12/11/4
- https://bugzilla.redhat.com/show_bug.cgi?id=884354
- http://rhn.redhat.com/errata/RHSA-2013-0685.html
- http://www.securityfocus.com/bid/56950
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2012-6329
- http://www.ubuntu.com/usn/USN-2099-1
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:113
- https://www.exploit-db.com/exploits/23580