https://bugzilla.redhat.com/show_bug.cgi?id=1877421
Bug ID: 1877421
Summary: perl-dbi: Old API functions vulnerable to overflow
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: psampaio@redhat.com
CC: caillon+fedoraproject@gmail.com, hhorak@redhat.com, john.j5live@gmail.com, jorton@redhat.com, jplesnik@redhat.com, kasal@ucw.cz, perl-devel@lists.fedoraproject.org, perl-maint-list@redhat.com, ppisar@redhat.com, rhughes@redhat.com, rstrode@redhat.com, sandmann@redhat.com
Target Milestone: ---
Classification: Other
A flaw was found in perl-dbi before version 1.643. Old API functions might be vulnerable to overflowing, potentially causing memory corruption.
References:
https://github.com/perl5-dbi/dbi/commit/00e2ec459b55b72ee5703c1bd8e6cf57f198...
Pedro Sampaio psampaio@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |1877423
--- Comment #1 from Pedro Sampaio psampaio@redhat.com ---
Created perl-DBI tracking bugs for this issue:
Affects: fedora-all [bug 1877423]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1877423 [Bug 1877423] perl-DBI: Old API functions vulnerable to overflow [fedora-all]
Pedro Sampaio psampaio@redhat.com changed:
What   |Removed |Added
----------------------------------------------------------------------------
Blocks |        |1857388
Todd Cullum tcullum@redhat.com changed:
What     |Removed |Added
----------------------------------------------------------------------------
Priority |medium  |low
Severity |medium  |low
--- Comment #2 from Todd Cullum tcullum@redhat.com ---
I marked this as a Low since it could be considered part of the software lifecycle or hardening, and the "fix" merely labels some functions as deprecated with comments. However, it may be worthwhile to note.
Todd Cullum tcullum@redhat.com changed:
What    |Removed |Added
----------------------------------------------------------------------------
Comment |2       |updated
--- Comment #2 has been edited ---
Todd Cullum tcullum@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |1877540, 1877541
--- Comment #4 from Petr Pisar ppisar@redhat.com ---
The only place where the deprecation is mentioned is a comment in a header file.
-int dbd_db_login6 _((SV *dbh, imp_dbh_t *imp_dbh, char *dbname, char *uid, char *pwd, SV*attribs)); +int dbd_db_login6 _((SV *dbh, imp_dbh_t *imp_dbh, char *dbname, char *uid, char *pwd, SV*attribs)); /* deprecated */
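Review bot: the only thing added to the dbd_db_login6 declaration is a trailing /* deprecated */ comment, which no compiler acts on, so a driver that still implements this prototype builds without any warning. Consider putting a compiler-visible deprecation marker on the declaration itself and stating the deprecation in the driver-writer documentation, so that driver authors actually see it.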
It's neither a function attribute (so that a compiler could emit a warning), nor noted in the DBI::DBD documentation. E.g. the closest text regarding dbd_db_login6() reads:
Since DBI post v1.607, if a "dbd_db_login6_sv()" macro is defined (for a function like dbd_db_login6 but with scalar pointers for the dbname, username and password), it will be used instead. This will allow your login6 function to see if there are any Unicode characters in the dbname.
Also I'd like to note that those functions are not provided by DBI. DBI only provides their declarations in dbd_xsh.h to help the DBD drivers to implement them. So technically there is no vulnerability in DBI. It's in the driver that decides to implement the old interface that does not allow the driver to process Unicode characters properly. The DBI common layer always prefers the safe functions:
void
_login(dbh, dbname, username, password, attribs=Nullsv)
    SV *        dbh
    SV *        dbname
    SV *        username
    SV *        password
    SV *        attribs
    CODE:
    {
    D_imp_dbh(dbh);
#if !defined(dbd_db_login6_sv)
    STRLEN lna;
    char *u = (SvOK(username)) ? SvPV(username,lna) : (char*)"";
    char *p = (SvOK(password)) ? SvPV(password,lna) : (char*)"";
#endif
#ifdef dbd_db_login6_sv
    ST(0) = dbd_db_login6_sv(dbh, imp_dbh, dbname, username, password, attribs) ? &PL_sv_yes : &PL_sv_no;
#elif defined(dbd_db_login6)
    ST(0) = dbd_db_login6(dbh, imp_dbh, SvPV_nolen(dbname), u, p, attribs) ? &PL_sv_yes : &PL_sv_no;
#else
    PERL_UNUSED_ARG(attribs);
    ST(0) = dbd_db_login( dbh, imp_dbh, SvPV_nolen(dbname), u, p) ? &PL_sv_yes : &PL_sv_no;
#endif
    }
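Added example (not part of the bug report or of DBI): a small audit helper that applies the same macro priority as the _login code quoted above to a driver's header text, to tell which login function the common layer would call for that driver. The header file names, driver names and example_* functions in the sample data are constructed for illustration.

```python
import re

# Macros tested by the _login dispatch quoted above, highest priority first.
PRIORITY = ("dbd_db_login6_sv", "dbd_db_login6")
FALLBACK = "dbd_db_login"  # called when neither macro is defined

_DEFINE = re.compile(
    r"^[ \t]*#[ \t]*define[ \t]+(dbd_db_login6_sv|dbd_db_login6)\b", re.M)
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_LINE_COMMENT = re.compile(r"//[^\n]*")


def login_entry_point(header_text):
    """Name the function the quoted _login code would call for this header.

    Limitation: #if/#ifdef blocks around the defines are not evaluated,
    so a conditionally defined macro counts as defined.
    """
    # Drop comments first so a commented-out #define is not counted.
    text = _LINE_COMMENT.sub("", _BLOCK_COMMENT.sub(" ", header_text))
    defined = set(_DEFINE.findall(text))
    for macro in PRIORITY:
        if macro in defined:
            return macro
    return FALLBACK


def audit(headers):
    """Map each header path to (entry point, True if it takes char* strings)."""
    result = {}
    for path, text in headers.items():
        entry = login_entry_point(text)
        result[path] = (entry, entry != "dbd_db_login6_sv")
    return result


# Constructed sample headers; driver names and example_* functions are made up.
SAMPLE_HEADERS = {
    "old_driver/dbdimp.h": "#define dbd_db_login6 example_db_login6\n",
    "new_driver/dbdimp.h": ("#define dbd_db_login6 example_db_login6\n"
                            "#define dbd_db_login6_sv example_db_login6_sv\n"),
    "legacy_driver/dbdimp.h": ("/* #define dbd_db_login6_sv example_sv */\n"
                               "#define dbd_db_commit example_db_commit\n"),
}

if __name__ == "__main__":
    for path, (entry, old) in sorted(audit(SAMPLE_HEADERS).items()):
        note = "  <- old char* interface" if old else ""
        print(f"{path}: _login calls {entry}{note}")
```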
Bug 1877421 depends on bug 1877423, which changed state.

Bug 1877423 Summary: perl-DBI: Old API functions vulnerable to overflow [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1877423
What       |Removed |Added
----------------------------------------------------------------------------
Status     |ON_QA   |CLOSED
Resolution |---     |ERRATA
Todd Cullum tcullum@redhat.com changed:
What        |Removed |Added
----------------------------------------------------------------------------
Resolution  |---     |WONTFIX
Status      |NEW     |CLOSED
Last Closed |        |2021-11-02 17:27:20