Bug 497367 (CVE-2009-0663)
| Summary: | CVE-2009-0663 perl-DBD-Pg: pg_getline buffer overflow | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | unspecified | CC: | jorton, kasal, kreilly, ldimaggi, mjc, mmaslano, psplicha, security-response-team, vdanen | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2009-05-26 17:23:02 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 497999, 498000, 498001, 833953 | ||||||
| Bug Blocks: | |||||||
| Attachments: |
|
||||||
This issue does not affect perl-DBD-Pg versions shipped in Red Hat Enterprise Linux 2.1, 3, and 4. Version 1.49 shipped in Red Hat Enterprise Linux 5, Red Hat Application Stack v1 and v2 is affected. malloc checks further mitigate impact of this flaw, as detected corruption of the malloc structures causes termination of perl interpreter shortly after the overflow happened. Created attachment 341145 [details] Patched Debian plans to use Addresses both this issue and bug #497503. Public now via Debian DSA: http://www.debian.org/security/2009/dsa-1780 Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0663 to the following vulnerability: Name: CVE-2009-0663 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0663 Assigned: 20090222 Reference: MISC: https://launchpad.net/bugs/cve/2009-0663 Reference: CONFIRM: http://security.debian.org/pool/updates/main/libd/libdbd-pg-perl/libdbd-pg-perl_1.49-2+etch1.diff.gz Reference: DEBIAN:DSA-1780 Reference: URL: http://www.debian.org/security/2009/dsa-1780 Heap-based buffer overflow in the DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module 1.49 for Perl might allow context-dependent attackers to execute arbitrary code via unspecified input to an application that uses the getline and pg_getline functions to read database rows. This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2009:0479 https://rhn.redhat.com/errata/RHSA-2009-0479.html This issue has been addressed in following products: Red Hat Web Application Stack for RHEL 5 Via RHSA-2009:1067 https://rhn.redhat.com/errata/RHSA-2009-1067.html Red Hat Application Stack v1 for Enterprise Linux AS (version 4) is now in the maintenance phase of its life cycle: http://www.redhat.com/security/updates/rhappstack/ According to the published Errata Support Policy, only security issues with critical security impact are fixed in Red Hat Application Stack during the maintenance phase. This issue was rated as having moderate security impact and therefore will not be fixed in Red Hat Application Stack v1. |
A heap-based buffer overflow flaw was found in perl-DBD-Pg's pg_getline. When pg_getline is used, pg_db_getline (in dbdimp.c) is called that gets buffer of size length (specified by pg_getline called) passed to it. Data read from the DB server is stored in temporary buffer pointed to by tempbuf and later copied to the buffer passed to pg_db_getline as: strncpy(buffer, tempbuf, strlen(tempbuf)+1); buffer[strlen(tempbuf)] = '\0'; This incorrectly uses source length as copy size limit, not the destination length, allowing overflow of input buffer. This problem should be fixed in DBD-Pg versions 2.x, where pg_db_getline completely ignores length argument of pg_getline, allocating buffer of the required size.