Item12420: Debian patches Locale::Maketext without incrementing the $VERSION
Priority: Urgent
Current State: Closed
Released In: 1.1.9
Target Release: patch
Applies To: Engine
Component: MAKETEXT
Branches: Release01x01 trunk
Our code tests for Locale::Maketext::VERSION = 1.23 to determine if we need to do extra escaping to prevent the vulnerability.
Debian (and possibly other packagers) have applied the security patch to Locale::Maketext without setting the version to 1.23, so we can't use that to determine if we need to protect MAKETEXT strings with extra escaping.
There appears to be no security vulnerability, but we end up with doubled backslashes when both Locale::Maketext and Foswiki::Macros::MAKETEXT apply the escaping.
Possible solution:
- Add a configure parameter LocaleMaketextPatched, default false.
- Test if Locale::Maketext is vulnerable by passing in a simple "exploit": "This \'.`echo A`.\' "
- If "A" is returned without the echo, Locale::Maketext is vulnerable.
- If it is returned unmodified, Locale::Maketext has been patched.
See IRC discussion: http://irclogs.foswiki.org/bin/irclogger_log/foswiki?date=2013-03-11,Mon&sel=2#l-2
--
GeorgeClark - 11 Mar 2013
I've suggested that Debian simply ships 1.23 proper. I've reviewed the differences between 1.19 -> 1.23 and the only real code change, apart from doc and housekeeping stuff, is in fact the CVE fix which they've applied. It makes no sense to call this 1.19 - it is in fact 1.23 with a wrong version number and stale doc.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224#55
--
PaulHarvey - 11 Mar 2013
In addition to Paul's findings regarding Locale::Maketext, it would also be fine if the Debian package could ship a version of CGI.pm that is known to work (according to configure). Yesterday I got configure warnings/errors on a brand new Debian setup with a totally fresh apt-get installation of Foswiki and had to install CGI and Locale::Maketext manually from CPAN to get rid of the warnings. No great deal, but annoying anyway. Otherwise I'm totally happy with the Debian package, because it's so easy to get it up and running and keep it up-to-date. Thanks Sven!
--
FranzJosefGigler - 11 Mar 2013
That's a bit unrelated to this task. But the CGI version warning could probably be softened a bit. It's generally safe to ignore unless you are using I18N and Locales on your site.
--
GeorgeClark - 11 Mar 2013
libcgi-pm-perl will separately upgrade CGI.pm for you without resorting to cpan. Perhaps Sven can make a dependency on it. And you should look at dh-make-perl; I love cpan2deb.
Deafening silence on the debian bug task...
--
PaulHarvey - 13 Mar 2013
Thanks for the hint, Paul, will try it the next time I set up a new Foswiki instance.
--
FranzJosefGigler - 13 Mar 2013
From the last message on the Debian bug (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224#115) it seems that things are fixed for Debian Wheezy (current stable release) and onwards, but remain inconsistent for Squeeze (current oldstable). Other distributions (Fedora, RHEL) contain the fix without the version bump, so we're back to the two variants mentioned above if we want to maintain consistency everywhere.
--
FlorianSchlichting - 14 Oct 2013
As decided in today's release meeting, we are adding a note to the checker message and leaving it at that. People who run into issues with double escaping or who want to get rid of the message can either talk to their Perl distributors (Debian, Red Hat, ...) or install Locale::Maketext from CPAN.
--
JanKrueger - 14 Oct 2013