https://bugzilla.redhat.com/show_bug.cgi?id=1877437
Bug ID: 1877437
Summary: perl-dbi: Externally controlled format string in Perl_croak function
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: caillon+fedoraproject(a)gmail.com, hhorak(a)redhat.com,
john.j5live(a)gmail.com, jorton(a)redhat.com,
jplesnik(a)redhat.com, kasal(a)ucw.cz,
perl-devel(a)lists.fedoraproject.org,
perl-maint-list(a)redhat.com, ppisar(a)redhat.com,
rhughes(a)redhat.com, rstrode(a)redhat.com,
sandmann(a)redhat.com
Target Milestone: ---
Classification: Other
A flaw was found in perl-dbi before version 1.637. An arbitrary string supplied by
the caller can be passed into the Perl_croak function, which expects
printf-style arguments. A malicious remote system could, via specially crafted error
messages, cause problems such as a buffer overflow or the overwriting of other parts of
process memory.
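As an added illustration (not code from DBI, from perl-dbi's fix, or from this report), the pattern described above modelled in plain C: a printf-style sink standing in for Perl_croak, the vulnerable call that hands a caller-supplied message in as the format, the corrected call that passes it through a fixed "%s" format, and a small check for '%' directives in a message. The names report_error, report_vulnerable, report_fixed and has_format_directive are assumptions of this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a printf-style diagnostic sink such as Perl_croak: the
 * first argument is interpreted as a format string. Output is captured
 * in a static buffer so callers can inspect what was produced. Note that
 * without a format attribute (e.g. gcc's __attribute__((format(printf,1,2))))
 * the compiler cannot warn about non-literal formats passed to it. */
static char last_msg[256];

static void report_error(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_msg, sizeof last_msg, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: an externally supplied message (for example an error
 * text returned by a remote database server) is used directly as the format.
 * Any '%' directive inside msg is interpreted; conversions that read
 * arguments which were never passed are undefined behaviour. Only call this
 * with '%'-free text; it exists to show that the benign case looks identical
 * to the fixed version, which is why the defect goes unnoticed. */
void report_vulnerable(const char *msg)
{
    report_error(msg);
}

/* Fixed pattern: a constant format with the message as a "%s" argument, so
 * the message is copied verbatim whatever characters it contains. */
void report_fixed(const char *msg)
{
    report_error("%s", msg);
}

const char *last_message(void) { return last_msg; }

/* Review aid: returns 1 if msg contains a '%' that is not a literal "%%"
 * escape, i.e. text that would be interpreted if used as a format string. */
int has_format_directive(const char *msg)
{
    for (const char *p = msg; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        return 1;
    }
    return 0;
}
```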
References:
https://www.mail-archive.com/dbi-users@perl.org/msg35486.html
https://rt-archive.perl.org/perl5/Ticket/Display.html?id=131878
https://github.com/perl/perl5/issues/16108