Your message dated Sat, 10 Mar 2012 13:03:29 +0000
with message-id <[email protected]>
and subject line Bug#661536: fixed in libdbd-pg-perl 2.19.0-1
has caused the Debian Bug report #661536,
regarding libdbd-pg-perl: CVE-2012-1151: Format string vulnerabilities in server error parsing
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
661536: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661536
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libdbd-pg-perl
Severity: normal
Version: 2.18.1-1
With hardening flags enabled, this package FTBFS:
dbdimp.c: In function 'pg_warn':
dbdimp.c:331:4: error: format not a string literal and no format arguments
[-Werror=format-security]
dbdimp.c: In function 'pg_st_prepare':
dbdimp.c:1534:4: error: format not a string literal and no format arguments
[-Werror=format-security]
cc1: some warnings being treated as errors
(this is the first error of this type seen: it's possible that there
could be others once this is fixed).
A likely fix is to change croak(var) to croak("%s", var)[1], or similar.
Note that I haven't verified whether an externally-controlled string is
used; if so, it would be appropriate to upgrade this bug to RC severity
with the security tag[2].
This was found during testing of perl 5.14.2-8 in experimental; however,
since that version was prepared, it has been decided not to export
those build flags in Config_heavy.pl. Nevertheless, it is likely that at
some point, either in debhelper 9 or 10, the hardening flags will be
enabled for all perl modules.
Thanks,
Dominic.
[1] <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657853#92>
[2] <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657853#117>
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
--- End Message ---
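The croak(var) versus croak("%s", var) distinction from the report (the same fix the changelog below describes as "controlled format strings"), as an added C illustration that is not code from DBD::Pg or the Debian package; the function names, buffer size and sample error string are constructed for this example:

```c
/* Added illustration of the pattern behind the bug above; not code from
 * DBD::Pg. All names and the sample string are constructed.
 * Compile with:  cc -Wformat -Wformat-security example.c  */
#include <stdio.h>
#include <string.h>

#define MSG_MAX 256

/* Constructed server error text that happens to contain '%' characters,
 * as a PostgreSQL message quoting user-supplied identifiers could. */
static const char SAMPLE_ERROR[] =
    "relation \"t%1\" does not exist (is %s really 100% right?)";

/* Vulnerable shape, equivalent to croak(var): the untrusted text *is*
 * the format string. gcc -Wformat-security reports at this line:
 *   "format not a string literal and no format arguments".
 * With a '%' in msg the call reads arguments that were never passed
 * (undefined behaviour), so it is only ever called here with text that
 * contains no '%'. */
static int format_error_unsafe(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, msg);       /* BUG: msg used as format */
}

/* Hardened shape, equivalent to croak("%s", var): a literal format, the
 * text is only an argument, so every '%' in msg is copied verbatim. */
static int format_error_safe(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, "%s", msg);
}

/* Review helper: does a string contain something printf would treat as
 * a directive? Handy when auditing which call sites can receive it. */
static int has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    char buf[MSG_MAX];
    format_error_safe(buf, sizeof buf, SAMPLE_ERROR);
    printf("safe  : %s\n", buf);
    printf("'%%' present in sample: %s\n",
           has_format_directive(SAMPLE_ERROR) ? "yes" : "no");
    format_error_unsafe(buf, sizeof buf, "connection reset by peer");
    printf("unsafe (directive-free input only): %s\n", buf);
    return 0;
}
```

The safe variant reproduces the sample text byte for byte; the unsafe variant is exercised only with a message containing no '%', which is exactly the assumption a server-supplied string cannot be relied on to satisfy.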
--- Begin Message ---
Source: libdbd-pg-perl
Source-Version: 2.19.0-1
We believe that the bug you reported is fixed in the latest version of
libdbd-pg-perl, which is due to be installed in the Debian FTP archive:
libdbd-pg-perl_2.19.0-1.debian.tar.gz
to main/libd/libdbd-pg-perl/libdbd-pg-perl_2.19.0-1.debian.tar.gz
libdbd-pg-perl_2.19.0-1.dsc
to main/libd/libdbd-pg-perl/libdbd-pg-perl_2.19.0-1.dsc
libdbd-pg-perl_2.19.0-1_amd64.deb
to main/libd/libdbd-pg-perl/libdbd-pg-perl_2.19.0-1_amd64.deb
libdbd-pg-perl_2.19.0.orig.tar.gz
to main/libd/libdbd-pg-perl/libdbd-pg-perl_2.19.0.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libdbd-pg-perl
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 10 Mar 2012 10:16:46 +0100
Source: libdbd-pg-perl
Binary: libdbd-pg-perl
Architecture: source amd64
Version: 2.19.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description:
libdbd-pg-perl - Perl DBI driver for the PostgreSQL database server
Closes: 661536
Changes:
libdbd-pg-perl (2.19.0-1) unstable; urgency=medium
.
* Team upload.
.
[ Ansgar Burchardt ]
* debian/control: Convert Vcs-* fields to Git.
.
[ gregor herrmann ]
* Remove debian/source/local-options; abort-on-upstream-changes and
unapply-patches are default in dpkg-source since 1.16.1.
.
[ Salvatore Bonaccorso ]
* Imported Upstream version 2.19.0
+ [SECURITY] CVE-2012-1151. Explicitly warn and croak with controlled
format strings. (Closes: #661536).
* Update debian/copyright information.
Update format to copyright-format 1.0 as released together with Debian
Policy 3.9.3.
Update copyright years for upstream files.
* Bump Debhelper compat level to 9.
Adjust Build-Depends on debhelper to (>= 9).
* Bump Standards-Version to 3.9.3
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---