GLSA 201410-02: Perl, Perl Locale-Maketext module: Multiple vulnerabilities

Severity:normal
Title:Perl, Perl Locale-Maketext module: Multiple vulnerabilities
Date:10/12/2014
Bugs: #446376
ID:201410-02

Synopsis

Multiple vulnerabilities have been found in the Perl Locale-Maketext module, allowing remote attackers to inject and execute arbitrary Perl code.

Background

Locale-Maketext - Perl framework for localization

Affected packages

Package Vulnerable Unaffected Architecture(s)
perl-core/Locale-Maketext < 1.230.0 >= 1.230.0 All supported architectures
dev-lang/perl < 5.17.7 >= 5.17.7 All supported architectures

Description

Two vulnerabilities have been reported in the Locale-Maketext module for Perl, which can be exploited by malicious users to compromise an application using the module.

The vulnerabilities are caused due to the “_compile()” function not properly sanitising input, which can be exploited to inject and execute arbitrary Perl code.

Impact

A remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All users of the Locale-Maketext module should upgrade to the latest version:

      # emerge --sync
      # emerge --ask --oneshot --verbose
      ">=perl-core/Locale-Maketext-1.230.0"
    

References

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201410-02.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License

Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

Thank you!