A flaw was found in perl-DBI before version 1.637. An arbitrary string supplied by the caller can be passed into the Perl_croak function, which expects printf-style arguments (a format string followed by its values). A malicious remote system, via specially crafted error messages, can therefore cause problems such as a buffer overflow or the overwriting of other parts of process memory.

References:
https://www.mail-archive.com/dbi-users@perl.org/msg35486.html
https://rt-archive.perl.org/perl5/Ticket/Display.html?id=131878
https://github.com/perl/perl5/issues/16108
Upstream commit: https://github.com/perl5-dbi/dbi/pull/44/commits/c6d410d1bafa6876e6a346a2727217fa2c3feb30
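The defect class described above is a format-string bug: untrusted text is used as the format argument of a printf-like function instead of being passed as a value under a constant "%s" format. The C program below is an added illustration written for this entry; it is not DBI or perl source, and fake_croak, report_error_vulnerable, report_error_fixed and contains_format_directive are constructed names. It shows the vulnerable call shape beside the fixed one, using a constructed "server error" message that contains only "%%" so the vulnerable path remains well defined and the difference in output is visible.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Buffer size for the demonstration (constructed for this example). */
#define ERRBUF 128

/* Stand-in for a croak-like API: a printf-style format followed by
 * variadic arguments, the same calling convention as Perl_croak.
 * Constructed example, not DBI or perl code. */
static void fake_croak(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* VULNERABLE call shape: the caller-supplied error text (for DBI, a
 * message that originated on the remote database server) is used
 * directly as the format string. Every '%' directive in it is
 * interpreted, and conversions that expect arguments read or write
 * through values that were never passed. Returns the output length. */
int report_error_vulnerable(char *out, size_t outlen, const char *msg)
{
    fake_croak(out, outlen, msg);
    return (int)strlen(out);
}

/* FIXED call shape: a constant format with "%s", so the message is
 * only ever treated as data and copied verbatim. Returns the length. */
int report_error_fixed(char *out, size_t outlen, const char *msg)
{
    fake_croak(out, outlen, "%s", msg);
    return (int)strlen(out);
}

/* Audit helper: does a message contain a '%' that a printf-family
 * function would treat as a directive? Handy when reviewing call
 * sites that forward untrusted text to croak/printf-style functions. */
int contains_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    /* Constructed server message. It uses only "%%", which printf-family
     * functions consume without reading an argument, so the vulnerable
     * path stays defined here; a real conversion such as "%s" would not. */
    const char *server_msg = "ERROR 1045: access denied (100%% sure)";
    char buf[ERRBUF];

    report_error_vulnerable(buf, sizeof buf, server_msg);
    printf("vulnerable: %s\n", buf);   /* "%%" has been collapsed to "%" */
    report_error_fixed(buf, sizeof buf, server_msg);
    printf("fixed:      %s\n", buf);   /* message preserved exactly */
    printf("directive present: %d\n", contains_format_directive(server_msg));
    return 0;
}
```

The observable change in the vulnerable output (the "%%" collapsing to "%") is the tell that the message is being parsed as a format rather than printed as data; the fix is the one-line change to a constant "%s" format, which is the shape of the upstream commit linked above.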
Statement: The versions of perl-DBI shipped with Red Hat Enterprise Linux 7 and 8 are not affected by this flaw: the vulnerable code had not yet been committed in v1.627, shipped with Red Hat Enterprise Linux 7, and is already patched in version 1.642, shipped with Red Hat Enterprise Linux 8. This also applies to perl-DBI as part of Red Hat Software Collections 3. Thus, none of these products are affected.