National Cyber Awareness System

Vulnerability Summary for CVE-2012-6329

Overview

The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands via crafted input to an application that accepts translation strings from users, as demonstrated by the TWiki application before 5.1.3, and the Foswiki application 1.0.x through 1.0.10 and 1.1.x through 1.1.6.

Impact

CVSS Severity (version 2.0):

CVSS Version 2 Metrics:

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: CONFIRM

Name: http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8

Type: Patch Information

Hyperlink:http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8

External Source: MISC

Name: https://bugzilla.redhat.com/show_bug.cgi?id=884354

Hyperlink:https://bugzilla.redhat.com/show_bug.cgi?id=884354

External Source: CONFIRM

Name: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329

Hyperlink:http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329

External Source: MLIST

Name: [foswiki-announce] 20121212 Security Alert CVE-2012-6329: Foswiki MAKETEXT Variable Allows Arbitrary Shell Command Execution

Hyperlink:http://sourceforge.net/mailarchive/message.php?msg_id=30219695

External Source: REDHAT

Name: RHSA-2013:0685

Hyperlink:http://rhn.redhat.com/errata/RHSA-2013-0685.html

External Source: CONFIRM

Name: http://perl5.git.perl.org/perl.git/blob/HEAD:/pod/perl5177delta.pod

Hyperlink:http://perl5.git.perl.org/perl.git/blob/HEAD:/pod/perl5177delta.pod

External Source: MLIST

Name: [oss-security] 20121211 Re: CVE request: perl-modules

Hyperlink:http://openwall.com/lists/oss-security/2012/12/11/4

External Source: MLIST

Name: [perl5-porters] 20121205 Re: security notice: Locale::Maketext

Hyperlink:http://code.activestate.com/lists/perl5-porters/187763/

External Source: MLIST

Name: [perl5-porters] 20121205 security notice: Locale::Maketext

Hyperlink:http://code.activestate.com/lists/perl5-porters/187746/

External Source: CONFIRM

Name: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224

Hyperlink:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224