Bug#695224: Locale::Maketext security fix: real world breakage?

2013-02-06 Thread Giuseppe Iuculano
Hi Dominic,

On 04/02/2013 21:28, Dominic Hargreaves wrote:
> I had no replies about this, so I think it's time to bite the bullet
> and decide whether we should target this fix at
> 
> - stable-security
> - stable
> - neither of the above.
> 
> I think I'm leaning towards stable on the basis that that's a slightly
> safer place to land a possibly-problematic fix, as well as the fact I
> don't know of any real world exploits for this, but I am open to (and
> welcome) all comments.
> 
> I seem to remember reading that a point release of squeeze is
> due quite soon, but I couldn't find an announcement of such.

from http://openwall.com/lists/oss-security/2012/12/11/4:

I think the vulnerability is effective only when the attacker has the first
argument of maketext() under control.

However that means the attacker can run any code even without this
`vulnerability'. It's like saying glibc's gettext() is vulnerable. But
that's not true.

Sure gettext(%s, user_input) is not safe, but this is a flaw in the
caller, not in gettext. The same applies to
Locale::Maketext::maketext().

Petr Pisar 2012-12-06 11:18:46 EST


This is CVE-2012-6329 and I think this doesn't warrant a DSA, please fix
it in stable.


Cheers,
Giuseppe.

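Petr Pisar's point above, that the bug only bites when the caller hands untrusted text to maketext() as its first argument, is easiest to see in code. The following Perl is an added example written for this page, not code from the bug thread or from the perl package; the MyApp::L10N class, its lexicon and the sample input are constructed for the illustration.

```perl
#!/usr/bin/perl
# Added illustration, not code from the bug thread or from the perl package.
# The class names, lexicon and sample input are constructed for this example.
use strict;
use warnings;

package MyApp::L10N;
use parent 'Locale::Maketext';      # core module, no extra dependency

package MyApp::L10N::en;
use parent -norequire, 'MyApp::L10N';
# The only template this example knows; it has one parameter slot.
our %Lexicon = (
    'Hello, [_1]!' => 'Hello, [_1]!',
);

package main;

my $lh = MyApp::L10N->get_handle('en') or die "no language handle";

# Constructed sample of untrusted input (e.g. a form field). It contains
# bracket notation, which is only interpreted if it reaches a template slot.
my $user_input = 'Mallory [_1] [~]';

# Correct caller: the template is a string literal owned by the program and
# user data only ever fills the [_1] placeholder, so its brackets stay inert.
sub greet_safely {
    my ($handle, $name) = @_;
    return $handle->maketext('Hello, [_1]!', $name);
}

print greet_safely($lh, $user_input), "\n";

# The caller flaw discussed in the thread is the gettext(user_input) shape:
# $lh->maketext($user_input) would compile the untrusted string as a template.
# Treat the first argument of maketext() like a format string: literal only,
# whether or not the CVE-2012-6329 fix is installed.
```

A quick audit of an application is therefore a grep for maketext() calls whose first argument is a variable rather than a literal; those are the call sites the fix is meant to protect, and the ones worth rewriting regardless of which Perl is on the box.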

Bug#695224: Locale::Maketext security fix: real world breakage?

2013-02-04 Thread Dominic Hargreaves
On Fri, Jan 18, 2013 at 03:06:38PM +, Dominic Hargreaves wrote:
> On Wed, Dec 05, 2012 at 04:05:01PM -0500, Ricardo Signes wrote:
> > * Dominic Hargreaves d...@earth.li [2012-12-05T13:51:19]
> > > I wondered (and the question has arisen within the Debian project) whether
> > > anyone might be relying on the previous behaviour? Have you been able to do
> > > any assessment of this?
> > 
> > It's difficult to say, unfortunately, because (I suppose) most projects that
> > would use Locale::Maketext would not be CPAN projects, and so finding them is
> > not trivial.
> > 
> > I did do some grepping of the CPAN and found zero cases.
> > 
> > It should be quite easy to add this behavior back as optional, if we find
> > we've broken anything.
> 
> Hi,
> 
> A fix for that has been in Debian unstable/testing for the past month
> and we've had no reports of problems. That doesn't mean everything, of
> course, but it is probably time to decide whether to push this out to
> Debian stable. As such I'd be very interested in hearing from anyone
> who has real world examples of this breaking things.

I had no replies about this, so I think it's time to bite the bullet
and decide whether we should target this fix at

- stable-security
- stable
- neither of the above.

I think I'm leaning towards stable on the basis that that's a slightly
safer place to land a possibly-problematic fix, as well as the fact I
don't know of any real world exploits for this, but I am open to (and
welcome) all comments.

I seem to remember reading that a point release of squeeze is
due quite soon, but I couldn't find an announcement of such.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#695224: Locale::Maketext security fix: real world breakage?

2013-01-18 Thread Dominic Hargreaves
> On Wed, Dec 05, 2012 at 04:05:01PM -0500, Ricardo Signes wrote:
> > * Dominic Hargreaves d...@earth.li [2012-12-05T13:51:19]
> > > I wondered (and the question has arisen within the Debian project) whether
> > > anyone might be relying on the previous behaviour? Have you been able to do
> > > any assessment of this?
> > 
> > It's difficult to say, unfortunately, because (I suppose) most projects that
> > would use Locale::Maketext would not be CPAN projects, and so finding them is
> > not trivial.
> > 
> > I did do some grepping of the CPAN and found zero cases.
> > 
> > It should be quite easy to add this behavior back as optional, if we find
> > we've broken anything.

Hi,

A fix for that has been in Debian unstable/testing for the past month
and we've had no reports of problems. That doesn't mean everything, of
course, but it is probably time to decide whether to push this out to
Debian stable. As such I'd be very interested in hearing from anyone
who has real world examples of this breaking things.

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
