Bug 1877409 (CVE-2020-14393) - CVE-2020-14393 perl-dbi: Buffer overflow on an overlong DBD class name
Summary: CVE-2020-14393 perl-dbi: Buffer overflow on an overlong DBD class name
Keywords:
Status: NEW
Alias: CVE-2020-14393
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1877410 1877956 1877957 1877958 1877959
Blocks: 1857388
Reported: 2020-09-09 14:59 UTC by Pedro Sampaio
Modified: 2021-02-22 17:05 UTC (History)

Fixed In Version: perl-DBI 1.643
Doc Type: If docs needed, set a value
Doc Text:
A buffer overflow was found in perl-DBI before version 1.643 in DBI.xs. This flaw allows a local attacker who can supply a string longer than 300 characters to cause an out-of-bounds write. The highest threat from this vulnerability is to integrity and system availability.
Clone Of:
Environment:
Last Closed:



Description Pedro Sampaio 2020-09-09 14:59:43 UTC
A flaw was found in perl-dbi before version 1.643. A buffer overflow via an overlong DBD class name in the dbih_setup_handle function may lead to data being written past the intended limit.

Upstream patch:

https://github.com/perl5-dbi/dbi/commit/36f2a2c5fea36d7d47d6871e420286643460e71b
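Added illustration of the defect class described above, written for this page and not taken from the DBI.xs source or the upstream patch: a fixed 300-byte buffer is filled from a DBD class name only after checking that the name plus a suffix fits, so an overlong name is rejected instead of being written past the end of the buffer. The buffer size (matching the 300-character figure in the Doc Text), the "_mem" suffix and the function names are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed buffer size for the handle name. The 300 matches the figure in the
 * Doc Text above but is a constructed constant for this illustration. */
#define HANDLE_NAME_MAX 300

/* Build "<imp_class>_mem" into a caller-supplied buffer of out_len bytes.
 * Returns 0 on success and -1 (buffer untouched) when the result would not
 * fit, including the terminating NUL. Checking the length before writing is
 * what turns an out-of-bounds write into a clean error. */
int build_handle_name(const char *imp_class, char *out, size_t out_len)
{
    static const char suffix[] = "_mem";           /* assumed suffix */
    size_t need = strlen(imp_class) + sizeof(suffix); /* sizeof includes NUL */

    if (need > out_len)
        return -1;
    /* snprintf is bounded by out_len; the check above also rules out
     * silent truncation, so the name is either complete or rejected. */
    snprintf(out, out_len, "%s%s", imp_class, suffix);
    return 0;
}

/* Try a class name consisting of class_len 'A' characters against a
 * HANDLE_NAME_MAX buffer. Returns 1 if accepted, 0 if rejected. */
int class_name_fits(size_t class_len)
{
    char buf[HANDLE_NAME_MAX];
    char *name = malloc(class_len + 1);
    int ok;

    if (name == NULL)
        return 0;
    memset(name, 'A', class_len);
    name[class_len] = '\0';
    ok = (build_handle_name(name, buf, sizeof buf) == 0);
    free(name);
    return ok;
}

int main(void)
{
    /* A realistic name fits; a 300-byte class name does not and is refused. */
    printf("DBD::SQLite      -> %s\n", class_name_fits(11) ? "accepted" : "rejected");
    printf("300-byte name    -> %s\n", class_name_fits(300) ? "accepted" : "rejected");
    return 0;
}
```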

Comment 1 Pedro Sampaio 2020-09-09 15:00:15 UTC
Created perl-DBI tracking bugs for this issue:

Affects: fedora-all [bug 1877410]

Comment 4 Todd Cullum 2020-09-10 21:12:11 UTC
External References:

Advisory: https://metacpan.org/pod/distribution/DBI/Changes#Changes-in-DBI-1.643-...

Comment 5 Todd Cullum 2020-09-28 15:51:55 UTC
Marked the CVSS score as 4.4 for products as there would only be a temporary risk to availability and low risk to data integrity due to binary protections shipped with the products.

