Bug 1877437 - perl-dbi: Externally controlled format string in Perl_croak function
Summary: perl-dbi: Externally controlled format string in Perl_croak function
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1857388
Reported: 2020-09-09 15:51 UTC by Pedro Sampaio
Modified: 2021-02-16 19:17 UTC (History)
CC List: 12 users

Fixed In Version: perl-DBI 1.637
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-09-10 01:17:48 UTC
Embargoed:



Description Pedro Sampaio 2020-09-09 15:51:23 UTC
A flaw was found in perl-dbi before version 1.637. An arbitrary string supplied by the caller can be passed into the Perl_croak function, which expects printf-style arguments. Malicious remote systems, via specially crafted error messages, can cause problems such as a buffer overflow or overwriting other parts of process memory.

References:

https://www.mail-archive.com/dbi-users@perl.org/msg35486.html
https://rt-archive.perl.org/perl5/Ticket/Display.html?id=131878
https://github.com/perl/perl5/issues/16108
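
The defect described in this report, shown as an added example that is not DBI's code and not the actual 1.637 patch: a stand-in for Perl_croak that renders into a buffer instead of raising an exception, the hardened call shape in which a caller-supplied error message is passed as an argument to a fixed "%s" format rather than as the format itself, and a small helper that counts conversion specifiers so a test suite can flag any message that would have been misinterpreted had it reached a printf-style sink as the format. The buffer, the wrapper names and the sample server message are assumptions of the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for Perl_croak (assumption of this example, not DBI's code): a
   printf-style error sink that renders into a static buffer instead of
   raising a Perl exception, so the result can be inspected. */
static char last_error[256];

static void croak_like(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_error, sizeof last_error, fmt, ap);
    va_end(ap);
}

/* Hardened pattern: the message (e.g. an error string returned by a remote
   database server) is an argument to the fixed format "%s", so every byte
   of it is copied verbatim. The defective pattern the report describes is
   the one-argument call croak_like(msg), where msg itself becomes the format
   and any '%' conversions in it are interpreted with no arguments to back
   them; that call is deliberately not made anywhere in this example. */
static void report_error_safe(const char *msg)
{
    croak_like("%s", msg);
}

/* Count printf conversion specifiers in a string ("%%" is a literal percent
   and is not counted). Useful as an assertion in tests: any string that is
   allowed to reach a printf-style sink as the format with no arguments must
   return 0 here. */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {  /* escaped percent, skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Accessor so callers and tests can check what was rendered. */
static const char *last_error_text(void)
{
    return last_error;
}

int main(void)
{
    /* Constructed sample of a server-supplied error text containing
       conversion specifiers; harmless when routed through the safe path. */
    const char *server_msg = "host %s%s%n unreachable";

    report_error_safe(server_msg);
    printf("rendered: %s\n", last_error_text());
    printf("conversions in message: %d\n", count_conversions(server_msg));
    return 0;
}
```

With the safe wrapper the rendered text equals the input exactly, percent signs included; count_conversions reports 3 for that sample, which is the condition a regression test would reject for any code path that still hands such a message to croak() as the format.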

Comment 2 Todd Cullum 2020-09-09 21:03:19 UTC
Statement:

Versions of perl-DBI shipped with Red Hat Enterprise Linux 7 and 8 are not affected by this flaw because the vulnerable code had not yet been committed in v1.627, shipped with Red Hat Enterprise Linux 7, and had already been patched in version 1.642, shipped with Red Hat Enterprise Linux 8. This also applies to perl-DBI as part of Red Hat Software Collections 3. Thus, none of these products are affected.
