Bug 1877421 - perl-dbi: Old API functions vulnerable to overflow
Summary: perl-dbi: Old API functions vulnerable to overflow
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1877423 1877540 1877541
Blocks: 1857388
Reported: 2020-09-09 15:18 UTC by Pedro Sampaio
Modified: 2021-11-02 17:27 UTC

Fixed In Version: perl-DBI 1.643
Clone Of:
Environment:
Last Closed: 2021-11-02 17:27:20 UTC
Embargoed:



Description Pedro Sampaio 2020-09-09 15:18:53 UTC
A flaw was found in perl-dbi before version 1.643. Old API functions might be vulnerable to overflowing, potentially causing memory corruption.

References:

https://github.com/perl5-dbi/dbi/commit/00e2ec459b55b72ee5703c1bd8e6cf57f1986c05

Comment 1 Pedro Sampaio 2020-09-09 15:19:25 UTC
Created perl-DBI tracking bugs for this issue:

Affects: fedora-all [bug 1877423]

Comment 2 Todd Cullum 2020-09-09 19:12:44 UTC
I marked this as a Low since it could be considered part of the software lifecycle or hardening, and the "fix" merely labels some functions as deprecated with comments. However, it may be worthwhile to note in the code.

Comment 4 Petr Pisar 2020-09-10 11:49:40 UTC
The only place where the deprecation is mentioned is a comment in a header file.

-int      dbd_db_login6 _((SV *dbh, imp_dbh_t *imp_dbh, char *dbname, char *uid, char *pwd, SV*attribs));
+int      dbd_db_login6 _((SV *dbh, imp_dbh_t *imp_dbh, char *dbname, char *uid, char *pwd, SV*attribs)); /* deprecated */
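
Review bot: The deprecation of dbd_db_login6 is carried only by the trailing /* deprecated */ comment on the prototype, so a driver that still builds against this declaration gets no diagnostic at compile time. Consider marking the declaration in a form the compiler can report, and stating the deprecation in the DBI::DBD documentation where dbd_db_login6_sv is described, so driver authors see it without reading the header.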

It's neither a function attribute (so that a compiler could emit a warning), nor noted in the DBI::DBD documentation. E.g. the closest text regarding dbd_db_login6() reads:

    Since DBI post v1.607, if a "dbd_db_login6_sv()" macro is defined (for a
    function like dbd_db_login6 but with scalar pointers for the dbname,
    username and password), it will be used instead. This will allow your
    login6 function to see if there are any Unicode characters in the
    dbname.

Also I'd like to note that those functions are not provided by DBI. DBI only provides their declarations in dbd_xsh.h to help the DBD drivers implement them. So technically there is no vulnerability in DBI. It's in the driver that decides to implement the old interface that does not allow the driver to process Unicode characters properly. The DBI common layer always prefers the safe functions:

void
_login(dbh, dbname, username, password, attribs=Nullsv)
    SV *        dbh
    SV *        dbname
    SV *        username
    SV *        password
    SV *        attribs
    CODE:
    {
    D_imp_dbh(dbh);
#if !defined(dbd_db_login6_sv)
    STRLEN lna;
    char *u = (SvOK(username)) ? SvPV(username,lna) : (char*)"";
    char *p = (SvOK(password)) ? SvPV(password,lna) : (char*)"";
#endif
#ifdef dbd_db_login6_sv
    ST(0) = dbd_db_login6_sv(dbh, imp_dbh, dbname, username, password, attribs) ? &PL_sv_yes : &PL_sv_no;
#elif defined(dbd_db_login6)
    ST(0) = dbd_db_login6(dbh, imp_dbh, SvPV_nolen(dbname), u, p, attribs) ? &PL_sv_yes : &PL_sv_no;
#else
    PERL_UNUSED_ARG(attribs);
    ST(0) = dbd_db_login( dbh, imp_dbh, SvPV_nolen(dbname), u, p) ? &PL_sv_yes : &PL_sv_no;
#endif
    }
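
An added example, not part of the bug report or of DBI's code: a small Python audit that applies the same precedence as the _login chain quoted in comment 4 to a driver header and reports whether that driver would be reached through the old char* interface. The header snippets and the xx_ driver prefix are constructed, and conditional blocks in the header are not evaluated.

```python
import re

# Precedence mirrors the #ifdef / #elif / #else chain in the quoted _login.
PRECEDENCE = ("dbd_db_login6_sv", "dbd_db_login6")
FALLBACK = "dbd_db_login"
TAKES_SV = {"dbd_db_login6_sv"}  # only this entry point receives SV* strings

_COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
_DIRECTIVE = re.compile(r"^[ \t]*#[ \t]*(define|undef)[ \t]+(\w+)", re.M)

def defined_macros(header_text):
    """Return macro names left defined after applying #define/#undef in order.

    Simplification (assumption): #if/#ifdef blocks are not evaluated, so a
    #define inside one is treated as active. Commented-out defines are ignored.
    """
    live = set()
    for kind, name in _DIRECTIVE.findall(_COMMENT.sub(" ", header_text)):
        if kind == "define":
            live.add(name)
        else:
            live.discard(name)
    return live

def selected_login(header_text):
    """Name the entry point _login would call for a driver with this header."""
    live = defined_macros(header_text)
    for name in PRECEDENCE:
        if name in live:
            return name
    return FALLBACK

def audit(header_text):
    """Return (entry_point, uses_old_char_interface)."""
    entry = selected_login(header_text)
    return entry, entry not in TAKES_SV

# Constructed sample headers for a hypothetical driver "xx" (not real drivers).
OLD_DRIVER = "#define dbd_db_login6 xx_db_login6\n/* #define dbd_db_login6_sv xx_db_login6_sv */\n"
NEW_DRIVER = "#define dbd_db_login6 xx_db_login6\n#define dbd_db_login6_sv xx_db_login6_sv\n"
BARE_DRIVER = "#define dbd_db_commit xx_db_commit\n"

if __name__ == "__main__":
    for label, text in (("old", OLD_DRIVER), ("new", NEW_DRIVER), ("bare", BARE_DRIVER)):
        print(label, audit(text))
```

Run it over a driver's own header text to see which drivers still need a dbd_db_login6_sv implementation; a True in the second field means the driver is still on the old interface.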

