Bug 1380375 – CVE-2016-1246 perl-DBD-MySQL: Buffer overflow triggered by user supplied data

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1380375 - (CVE-2016-1246) CVE-2016-1246 perl-DBD-MySQL: Buffer overflow triggered by user supplied data

Summary:	CVE-2016-1246 perl-DBD-MySQL: Buffer overflow triggered by user supplied data

Status:	CLOSED WONTFIX

Aliases:	CVE-2016-1246

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20161003,repor...
Keywords:	Security

Depends On:	1381280 1382016
Blocks:	1380376
	Show dependency tree / graph

Reported:	2016-09-29 08:20 EDT by Adam Mariš
Modified:	2016-10-14 00:59 EDT (History)
CC List:	8 users (show)

See Also:
Fixed In Version:	perl-DBD-MySQL 4.0.37
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2016-10-13 06:01:58 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Adam Mariš 2016-09-29 08:20:42 EDT

A buffer overflow vulnerability in prepared statements that could be possibly triggered by user supplied data was found in perl DBI driver for MySQL. Vulnerability is present in all releases at least back to versions 3.0 of the driver released in 2005.

Comment 1 Adam Mariš 2016-10-03 10:46:32 EDT

Upstream patch:

https://github.com/perl5-dbi/DBD-mysql/commit/7c164a0c86cec6ee95df1d141e67b0e85dfdefd2

Comment 2 Adam Mariš 2016-10-03 10:48:46 EDT

Created perl-DBD-MySQL tracking bugs for this issue:

Affects: fedora-all [bug 1381280]

Comment 8 Dhiru Kholia 2016-10-14 00:54:08 EDT

On RHEL / Fedora, the FORTIFY_SOURCE compilation option catches this stack-based buffer overflow, and it turns a flaw which could result in arbitrary code execution into a mere crash. Our CVSS score reflects this fact.

Note You need to log in before you can comment on or make changes to this bug.