Foswiki > Tasks Web > Item12420 (19 Nov 2013, GeorgeClark)

Item12420: Debian patches Locale::Maketext without incrementing the $VERSION

Priority: Urgent
Current State: Closed
Released In: 1.1.9
Target Release: patch
Applies To: Engine
Component: MAKETEXT
Branches: Release01x01 trunk
Reported By: GeorgeClark
Waiting For:
Last Change By: GeorgeClark
Our code tests for Locale::Maketext::VERSION = 1.23 to determine if we need to do extra escaping to prevent the vulnerability.

Debian (and possibly other packagers) have applied the security patch to Locale::Maketext without setting the version to 1.23, so we can't use that to determine if we need to protect MAKETEXT strings with extra escaping.

There appears to be no security vulnerability, but we end up with doubled backslashes when both Locale::Maketext and Foswiki::Macros::MAKETEXT apply the escaping.

Possible solution:

  • Add a configure parameter LocaleMaketextPatched default false.
  • Test if Locale::Maketext is vulnerable by passing in a simple "exploit" "This \'.`echo A`.\' "
    • If "A" is returned without the echo, Locale::Maketext is vulnerable
    • If it is returned unmodified, Locale::Maketext has been patched

See IRC Discussion: http://irclogs.foswiki.org/bin/irclogger_log/foswiki?date=2013-03-11,Mon&sel=2#l-2

-- GeorgeClark - 11 Mar 2013
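The behavioural test proposed above, written out as an added example (not Foswiki code, and not George's): it compares what `$Locale::Maketext::VERSION` claims with what the installed module actually does. Instead of the backtick string from the report it feeds a harmless probe containing only a quote and a backslash through a throw-away handle class; a correctly escaping Locale::Maketext must return the literal text unchanged, while an unpatched one mangles it or fails to compile the generated code. The package name `Probe::I18N` and the probe text are constructed for this example.

```perl
#!/usr/bin/perl
# Added example: decide whether the installed Locale::Maketext escapes
# literal text safely, without trusting $Locale::Maketext::VERSION,
# which a distribution patch may leave stale (the Debian case).
use strict;
use warnings;
use Locale::Maketext;

# Throw-away handle classes (constructed for this example). _AUTO makes an
# unknown key compile as its own template, so no real lexicon is needed.
package Probe::I18N;
our @ISA     = ('Locale::Maketext');
our %Lexicon = ( _AUTO => 1 );

package Probe::I18N::en;
our @ISA     = ('Probe::I18N');
our %Lexicon = ( _AUTO => 1 );

package main;

# Harmless probe: a backslash-quote pair and a lone backslash in literal text,
# plus one [_1] directive so the string goes through the code generator.
# Nothing in it is executable.
my $PROBE    = q{probe \' backslash \\ [_1]};
my $EXPECTED = "probe \\' backslash \\ x";

# 1 when Locale::Maketext returns the literal unchanged, 0 otherwise.
sub maketext_escapes_literals {
    my $lh = Probe::I18N->get_handle('en')
        or die "could not get a Locale::Maketext handle\n";
    my $out = eval { $lh->maketext( $PROBE, 'x' ) };
    return 0 unless defined $out;      # generated code failed to compile
    return $out eq $EXPECTED ? 1 : 0;  # anything else means the text was mangled
}

my $version   = $Locale::Maketext::VERSION || 0;
my $by_version   = $version >= 1.23 ? 1 : 0;    # what the version number says
my $by_behaviour = maketext_escapes_literals(); # what the module actually does

printf "Locale::Maketext %s: version check=%s, behaviour check=%s\n",
    $version,
    ( $by_version   ? 'patched' : 'old' ),
    ( $by_behaviour ? 'patched' : 'unpatched' );

if ( $by_behaviour && !$by_version ) {
    print "Patched without a version bump: extra escaping in MAKETEXT "
        . "would only produce doubled backslashes.\n";
}
elsif ( !$by_behaviour ) {
    print "Literal text is not escaped safely: keep the extra escaping "
        . "or upgrade Locale::Maketext.\n";
}
```

Run it with the same Perl that serves Foswiki so the module search path matches. The behaviour result is the one a configure setting such as the proposed `LocaleMaketextPatched` should be derived from; the version comparison is shown only to make the mismatch visible.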

I've suggested that Debian simply ships 1.23 proper. I've reviewed the differences between 1.19 -> 1.23 and the only real code change, apart from doc and housekeeping stuff, is in fact the CVE fix which they've applied. It makes no sense to call this 1.19 - it is in fact 1.23 with a wrong version number and stale doc.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224#55

-- PaulHarvey - 11 Mar 2013

In addition to Paul's findings regarding Locale::Maketext it would also be fine if the Debian package could ship a version of CGI.pm that is known to work (according to configure). Yesterday I got configure warnings/errors on a brand new Debian setup with a totally fresh apt-get installation of foswiki and had to install CGI and Locale::Maketext manually from CPAN to get rid of the warnings. No great deal, but annoying anyway. Otherwise I'm totally happy with the Debian package, because it's so easy to get it up and running and keeping it up-to-date. Thanks Sven!

-- FranzJosefGigler - 11 Mar 2013

That's a bit unrelated to this task. But the CGI version warning could probably be softened a bit. It's generally safe to ignore unless you are using I18N and Locales on your site.

-- GeorgeClark - 11 Mar 2013

libcgi-pm-perl will separately upgrade CGI.pm for you without resorting to cpan. Perhaps Sven can make a dependency on it. And you should look at dh-make-perl, I love cpan2deb :-)

Deafening silence on the debian bug task...

-- PaulHarvey - 13 Mar 2013

Thanks for the hint Paul, will try it the next time I set up a new foswiki instance.

-- FranzJosefGigler - 13 Mar 2013

From the last message on the Debian bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224#115 it seems that things are fixed for Debian Wheezy (current stable release) and onwards, but remain inconsistent for Squeeze (current oldstable). Other distributions (Fedora, RHEL) contain the fix without the version bump, so we're back to the two variants mentioned above if we want to maintain consistency everywhere.

-- FlorianSchlichting - 14 Oct 2013

As decided in today's release meeting, we are adding a note to the checker message and leaving it at that. People who run into issues with double escaping or who want to get rid of the message can either talk to their Perl distributors (Debian, Red Hat, ...) or install Locale::Maketext from CPAN.

-- JanKrueger - 14 Oct 2013
Topic revision: r13 - 19 Nov 2013, GeorgeClark