Your message dated Sun, 11 Mar 2012 23:47:09 +0000
with message-id <[email protected]>
and subject line Bug#661536: fixed in libdbd-pg-perl 2.17.1-2+squeeze1
has caused the Debian Bug report #661536,
regarding libdbd-pg-perl: CVE-2012-1151: Format string vulnerabilities in 
server error parsing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
661536: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661536
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libdbd-pg-perl
Severity: normal
Version: 2.18.1-1

With hardening flags enabled, this package FTBFS:

dbdimp.c: In function 'pg_warn':
dbdimp.c:331:4: error: format not a string literal and no format arguments [-Werror=format-security]
dbdimp.c: In function 'pg_st_prepare':
dbdimp.c:1534:4: error: format not a string literal and no format arguments [-Werror=format-security]
cc1: some warnings being treated as errors

(this is the first error of this type seen: it's possible that there
could be others once this is fixed).

A likely fix is to change croak(var) to croak("%s", var)[1], or similar.

Note that I haven't verified whether an externally-controlled string is
used; if so, it would be appropriate to upgrade this bug to RC severity
with the security tag[2].

This was found during testing of perl 5.14.2-8 in experimental; however,
since that version was prepared, it has been decided not to export
those build flags in Config_heavy.pl. Nevertheless, it is likely that at
some point, either in debhelper 9 or 10, the hardening flags will be
enabled for all perl modules.

Thanks,
Dominic.

[1] <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657853#92>
[2] <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657853#117>

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)



--- End Message ---
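
The change suggested in the report above, croak(var) to croak("%s", var), shown as an added example that is not part of the original thread or of the DBD::Pg source. `report()` is a hypothetical stand-in for a printf-style reporter, and the sample message is constructed so that both call patterns are well defined.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style reporter such as croak():
   its first string argument is a format, not data. */
static int report(char *out, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* "Before" pattern, croak(var): server text is used as the format. */
static int report_unsafe(char *out, size_t n, const char *server_msg) {
    return report(out, n, server_msg);
}

/* "After" pattern, croak("%s", var): constant format, text is data. */
static int report_safe(char *out, size_t n, const char *server_msg) {
    return report(out, n, "%s", server_msg);
}

/* Count '%' directives that would make a printf-style function fetch
   a variadic argument that was never passed. "%%" consumes nothing. */
static int directive_count(const char *s) {
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* literal percent sign */
        if (s[1] == '\0') break;              /* dangling '%' at end */
        count++;
    }
    return count;
}

/* Constructed sample: "%%" is the only directive, so formatting it is
   defined behaviour, yet it still shows the text being interpreted. */
static const char SAMPLE[] = "ERROR:  progress 100%% is out of range";

int main(void) {
    char a[128], b[128];
    report_unsafe(a, sizeof a, SAMPLE);
    report_safe(b, sizeof b, SAMPLE);
    printf("as format: %s\nas data:   %s\n", a, b);
    return strcmp(b, SAMPLE) != 0;
}
```

Any message for which `directive_count()` is non-zero would make the "before" pattern read arguments that do not exist, which is the condition `-Werror=format-security` rejects at build time.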
--- Begin Message ---
Source: libdbd-pg-perl
Source-Version: 2.17.1-2+squeeze1

We believe that the bug you reported is fixed in the latest version of
libdbd-pg-perl, which is due to be installed in the Debian FTP archive:

libdbd-pg-perl_2.17.1-2+squeeze1.debian.tar.gz
  to main/libd/libdbd-pg-perl/libdbd-pg-perl_2.17.1-2+squeeze1.debian.tar.gz
libdbd-pg-perl_2.17.1-2+squeeze1.dsc
  to main/libd/libdbd-pg-perl/libdbd-pg-perl_2.17.1-2+squeeze1.dsc
libdbd-pg-perl_2.17.1-2+squeeze1_amd64.deb
  to main/libd/libdbd-pg-perl/libdbd-pg-perl_2.17.1-2+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libdbd-pg-perl 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 10 Mar 2012 09:38:13 +0100
Source: libdbd-pg-perl
Binary: libdbd-pg-perl
Architecture: source amd64
Version: 2.17.1-2+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description: 
 libdbd-pg-perl - Perl DBI driver for the PostgreSQL database server
Closes: 661536
Changes: 
 libdbd-pg-perl (2.17.1-2+squeeze1) stable-security; urgency=high
 .
   * Add format-error.patch patch
     [SECURITY] CVE-2012-1151. Explicitly warn and croak with controlled
     format strings.
     Thanks to Niko Tyni <[email protected]> for the patch (Closes: #661536)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---
