http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6329

CONFIRM:http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8

From 1735f6f53ca19f99c6e9e39496c486af323ba6a8 Mon Sep 17 00:00:00 2001

From: Brian Carlson <[email protected]>

Date: Wed, 28 Nov 2012 08:54:33 -0500

Subject: [PATCH] Fix misparsing of maketext strings.

Case 61251: This commit fixes a misparse of maketext strings that could

lead to arbitrary code execution.  Basically, maketext was compiling

bracket notation into functions, but neglected to escape backslashes

inside the content or die on fully-qualified method names when

generating the code.  This change escapes all such backslashes and dies

when a method name with a colon or apostrophe is specified.

--- perl-5.12.5/AUTHORS-orig	2013-03-05 22:57:22.320359148 -0600

+++ perl-5.12.5/AUTHORS	2013-03-05 22:58:13.374206098 -0600

@@ -139,6 +139,7 @@ Brent B. Powers			<[email protected]>

 Brent Dax			<[email protected]>

 Brooks D Boyd

 Brian Callaghan			<[email protected]>

+Brian Carlson			<[email protected]>

 Brian Clarke			<[email protected]>

 brian d foy			<[email protected]>

 Brian Grossman

--- perl-5.12.5/dist/Locale-Maketext/lib/Locale/Maketext/Guts.pm-orig	2013-03-05 23:00:24.953530801 -0600

+++ perl-5.12.5/dist/Locale-Maketext/lib/Locale/Maketext/Guts.pm	2013-03-05 23:01:05.801008668 -0600

@@ -140,21 +140,9 @@ sub _compile {

                         # 0-length method name means to just interpolate:

                         push @code, ' (';

                     }

-                    elsif($m =~ /^\w+(?:\:\:\w+)*$/s

-                            and $m !~ m/(?:^|\:)\d/s

-                        # exclude starting a (sub)package or symbol with a digit

+                    elsif($m =~ /^\w+$/s

+                        # exclude anything fancy, especially fully-qualified module names

                     ) {

-                        # Yes, it even supports the demented (and undocumented?)

-                        #  $obj->Foo::bar(...) syntax.

-                        $target->_die_pointing(

-                            $_[1], q{Can't use "SUPER::" in a bracket-group method},

-                            2 + length($c[-1])

-                        )

-                        if $m =~ m/^SUPER::/s;

-                        # Because for SUPER:: to work, we'd have to compile this into

-                        #  the right package, and that seems just not worth the bother,

-                        #  unless someone convinces me otherwise.

-

                         push @code, ' $_[0]->' . $m . '(';

                     }

                     else {

@@ -208,7 +196,9 @@ sub _compile {

             elsif(substr($1,0,1) ne '~') {

                 # it's stuff not containing "~" or "[" or "]"

                 # i.e., a literal blob

-                $c[-1] .= $1;

+                my $text = $1;

+                $text =~ s/\\/\\\\/g;

+                $c[-1] .= $text;

             }

             elsif($1 eq '~~') { # "~~"

@@ -246,7 +236,9 @@ sub _compile {

             else {

                 # It's a "~X" where X is not a special character.

                 # Consider it a literal ~ and X.

-                $c[-1] .= $1;

+                my $text = $1;

+                $text =~ s/\\/\\\\/g;

+                $c[-1] .= $text;

             }

         }

     }