Bug 801733 (CVE-2012-1151)

Summary: CVE-2012-1151 perl-DBD-Pg: Format string flaws by turning db notices into Perl warnings and by preparing DBD statement
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: devrim, ldimaggi, mmaslano, perl-maint-list, ppisar, psabata, tgl
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20120227,reported=20120309,source=debian,cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,rhel-5/perl-DBD-Pg=affected,rhel-6/perl-DBD-Pg=affected,fedora-all/perl-DBD-Pg=affected,Stacks-v2/perl-DBD-Pg=affected
Doc Type: Bug Fix
Last Closed: 2012-07-25 13:18:44 EDT
Bug Depends On: 841129, 841130, 841131, 841132, 841133
Bug Blocks: 801749

Description Jan Lieskovsky 2012-03-09 05:00:32 EST
Two format string flaws were found in the way perl-DBD-Pg, a Perl language PostgreSQL DBI implementation, performed:
1) the turning of database notices into appropriate Perl language warning messages,
2) the preparation of a particular DBD statement.

A rogue server could provide a specially-crafted database warning or specially-crafted DBD statement which, once processed by the perl-DBD-Pg interface, would lead to a crash of the perl-DBD-Pg based process.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661536

CPAN ticket:
[2] https://rt.cpan.org/Public/Bug/Display.html?id=75642

Patch proposed by Niko Tyni:
[3] https://rt.cpan.org/Ticket/Attachment/1047954/547725/0001-Explicitly-warn-and-croak-with-controlled-format-str.patch
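The two patterns the report contrasts (server text used directly as a format string versus the controlled "%s" form that the referenced patch introduces), as an added C example that is not code from DBD::Pg or from Niko Tyni's patch; `emit_warning` is an assumed stand-in for Perl's `warn()`, and the notice text is constructed and uses only `%%` so the demonstration stays well-defined.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 256

/* Assumed stand-in for Perl's warn(): a printf-style function that
 * writes the formatted message into a buffer and returns its length. */
static int emit_warning(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Flawed pattern: the server-supplied notice is passed as the format
 * string itself, so every '%' directive in it is interpreted by the
 * formatter instead of being copied. Only "%%" is used in this file so
 * the call stays well-defined. */
int notice_uncontrolled(const char *notice, char *out, size_t n)
{
    return emit_warning(out, n, notice);
}

/* Fixed pattern: a fixed format string with the notice passed as a plain
 * argument, so the server text is copied literally whatever it contains. */
int notice_controlled(const char *notice, char *out, size_t n)
{
    return emit_warning(out, n, "%s", notice);
}

/* Review aid: count '%' characters in a notice; any non-zero count means
 * the uncontrolled variant would have interpreted part of the text. */
int count_percent(const char *s)
{
    int c = 0;
    for (; *s; s++)
        if (*s == '%')
            c++;
    return c;
}

int main(void)
{
    const char *notice = "NOTICE: 100%% done"; /* constructed server notice */
    char buf[MSG_MAX];
    notice_uncontrolled(notice, buf, sizeof buf);
    printf("uncontrolled: %s\n", buf); /* "%%" collapsed to "%" */
    notice_controlled(notice, buf, sizeof buf);
    printf("controlled:   %s\n", buf); /* notice copied verbatim */
    return 0;
}
```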
Comment 1 Jan Lieskovsky 2012-03-09 05:26:24 EST
This issue affects the versions of the perl-DBD-Pg package as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the perl-DBD-Pg package as shipped with Fedora releases 15 and 16.

--

This issue affects the version of the perl-DBD-Pg package as shipped with Red Hat Application Stack-v2.
Comment 2 Jan Lieskovsky 2012-03-09 06:11:50 EST
CVE request:
[4] http://www.openwall.com/lists/oss-security/2012/03/09/6
Comment 3 Kurt Seifried 2012-03-10 01:11:24 EST
Added CVE as per http://www.openwall.com/lists/oss-security/2012/03/10/4
Comment 4 Huzaifa S. Sidhpurwala 2012-07-02 04:51:46 EDT
The warn() function is not protected by fortify source format string protections
(see bug 836931), hence assuming that format string exploitation can cause ACE.
Comment 8 Huzaifa S. Sidhpurwala 2012-07-18 04:47:19 EDT
Created perl-DBD-Pg tracking bugs for this issue

Affects: fedora-all [bug 841133]
Comment 10 errata-xmlrpc 2012-07-25 12:58:34 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2012:1116 https://rhn.redhat.com/errata/RHSA-2012-1116.html