Bug 1877437

Summary: perl-dbi: Externally controlled format string in Perl_croak function
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: caillon+fedoraproject, hhorak, john.j5live, jorton, jplesnik, kasal, perl-devel, perl-maint-list, ppisar, rhughes, rstrode, sandmann
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: perl-DBI 1.637
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-09-10 01:17:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1857388

Description Pedro Sampaio 2020-09-09 15:51:23 UTC
A flaw was found in perl-dbi before version 1.637. An arbitrary string supplied by the caller can be passed into the Perl_croak function, which expects printf-style arguments. Malicious remote systems, via specially crafted error messages, can cause problems like a buffer overflow or overwriting other parts of process memory.

References:

https://www.mail-archive.com/dbi-users@perl.org/msg35486.html
https://rt-archive.perl.org/perl5/Ticket/Display.html?id=131878
https://github.com/perl/perl5/issues/16108
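The vulnerable and hardened call patterns the description refers to, as an added C example that is not part of the bug report or of DBI's own source. `croak_format`, `report_error_vulnerable`, `report_error_safe` and `count_conversions` are hypothetical names; `croak_format` stands in for the printf-style formatting that Perl_croak performs, so the example builds and runs without libperl. The server message is a constructed sample.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Stand-in for the formatting step inside Perl_croak: a printf-style
 * function. Hypothetical helper for this example; the real API is
 * Perl_croak(pTHX_ const char *pat, ...) and it aborts the running Perl code.
 */
static int croak_format(char *out, size_t outlen, const char *pat, ...)
{
    va_list ap;
    va_start(ap, pat);
    int n = vsnprintf(out, outlen, pat, ap);
    va_end(ap);
    return n;
}

/*
 * VULNERABLE pattern described in the bug: an error message that originated
 * on the remote database server is used directly as the format string.
 * Every '%' conversion in server_msg is interpreted by the formatter, and
 * the arguments it then expects are missing, so the call is undefined
 * behaviour for any message that contains a conversion.
 */
static int report_error_vulnerable(const char *server_msg, char *out, size_t outlen)
{
    return croak_format(out, outlen, server_msg);
}

/*
 * HARDENED pattern: the format string is a constant and the untrusted
 * message is passed as a plain argument, so its '%' characters are data.
 */
static int report_error_safe(const char *server_msg, char *out, size_t outlen)
{
    return croak_format(out, outlen, "%s", server_msg);
}

/*
 * Review/detection aid: count printf conversion specifiers in a string.
 * A doubled "%%" is an escaped percent sign, not a conversion. A non-zero
 * result for data that is about to be used as a format string is exactly
 * the condition this bug is about.
 */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" escape: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: an error text a hostile server could return. */
    const char *server_msg = "syntax error near '%s' (code %x)";
    char buf[128];

    printf("conversions in message: %d\n", count_conversions(server_msg));

    report_error_safe(server_msg, buf, sizeof buf);
    printf("safe: %s\n", buf);

    /* report_error_vulnerable(server_msg, ...) is deliberately not called:
     * with this message it would read arguments that were never passed. */
    return 0;
}
```

The fix is the one-token change from `croak(msg)` to `croak("%s", msg)`; when the callee is declared with a printf format attribute, compilers also flag the non-literal, argument-less form at build time under `-Wformat-security`, which makes this class of bug cheap to catch in review.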

Comment 2 Todd Cullum 2020-09-09 21:03:19 UTC
Statement:

Versions of perl-DBI shipped with Red Hat Enterprise Linux 7 and 8 are not affected by this flaw because the vulnerable code was not yet committed in v1.627 shipped with Red Hat Enterprise Linux 7, and already patched in version 1.642 shipped with Red Hat Enterprise Linux 8. This also applies to perl-DBI as part of Red Hat Software Collections 3. Thus, none of these products are affected.