Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: debian-p...@lists.debian.org
[ Reason ] libdbi-perl is still vulnerable to CVE-2014-10401: DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute. [ Impact ] Moderate vulnerability [ Tests ] Upstream test related to this issue is included in this patch [ Risks ] Low risk, patch is simple and test is provided [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Just a better check of user's arguments
diff --git a/debian/changelog b/debian/changelog index 3ea2f5e..33cbebf 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +libdbi-perl (1.642-1+deb10u2) buster; urgency=medium + + [ Salvatore Bonaccorso ] + * t/51dbm_file.t: add test from RT#99508 + * lib/DBD/File.pm: fix CVE-2014-10401 (Closes: #972180) + + -- Xavier Guimard <y...@debian.org> Thu, 29 Oct 2020 07:35:08 +0100 + libdbi-perl (1.642-1+deb10u1) buster; urgency=medium * Fix memory corruption in XS functions when Perl stack is reallocated diff --git a/debian/patches/lib-DBD-File.pm-fix-CVE-2014-10401.patch b/debian/patches/lib-DBD-File.pm-fix-CVE-2014-10401.patch new file mode 100644 index 0000000..178349f --- /dev/null +++ b/debian/patches/lib-DBD-File.pm-fix-CVE-2014-10401.patch @@ -0,0 +1,43 @@ +From: Jens Rehsack <s...@netbsd.org> +Date: Tue, 6 Oct 2020 10:22:17 +0200 +Subject: [2/2] lib/DBD/File.pm: fix CVE-2014-10401 +Origin: https://github.com/perl5-dbi/dbi/commit/19d0fb169eed475e1c053e99036b8668625cfa94 +Bug: https://github.com/perl5-dbi/dbi/pull/93 +Bug-Debian: https://bugs.debian.org/972180 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2014-10402 + +Dig into the root cause of RT#99508 - which resulted in CVE-2014-10401 - and +figure out that DBI->parse_dsn is the wrong helper to parse our attributes in +DSN, since in DBD::dr::connect only the "dbname" remains from DSN which causes +parse_dsn to bailout. + +Parsing on our own similar to parse_dsn shows the way out. + +Signed-off-by: Jens Rehsack <s...@netbsd.org> +--- + lib/DBD/File.pm | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/lib/DBD/File.pm ++++ b/lib/DBD/File.pm +@@ -109,7 +109,11 @@ + # We do not (yet) care about conflicting attributes here + # my $dbh = DBI->connect ("dbi:CSV:f_dir=test", undef, undef, { f_dir => "text" }); + # will test here that both test and text should exist +- if (my $attr_hash = (DBI->parse_dsn ($dbname))[3]) { ++ # ++ # Parsing on our own similar to parse_dsn to find attributes in 'dbname' parameter. ++ if ($dbname) { ++ my @attrs = split /;/ => $dbname; ++ my $attr_hash = { map { split /\s*=>?\s*|\s*,\s*/, $_} @attrs }; + if (defined $attr_hash->{f_dir} && ! -d $attr_hash->{f_dir}) { + my $msg = "No such directory '$attr_hash->{f_dir}"; + $drh->set_err (2, $msg); +@@ -120,7 +124,6 @@ + if ($attr and defined $attr->{f_dir} && ! -d $attr->{f_dir}) { + my $msg = "No such directory '$attr->{f_dir}"; + $drh->set_err (2, $msg); +- $attr->{RaiseError} and croak $msg; + return; + } + diff --git a/debian/patches/series b/debian/patches/series index 1b64514..f2bb032 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -5,3 +5,5 @@ spelling.patch CVE-2020-14392.patch CVE-2020-14393.patch CVE-2019-20919.patch +t-51dbm_file.t-add-test-from-RT-99508.patch +lib-DBD-File.pm-fix-CVE-2014-10401.patch diff --git a/debian/patches/t-51dbm_file.t-add-test-from-RT-99508.patch b/debian/patches/t-51dbm_file.t-add-test-from-RT-99508.patch new file mode 100644 index 0000000..a1a1085 --- /dev/null +++ b/debian/patches/t-51dbm_file.t-add-test-from-RT-99508.patch @@ -0,0 +1,55 @@ +From: Jens Rehsack <s...@netbsd.org> +Date: Tue, 6 Oct 2020 08:23:55 +0200 +Subject: [1/2] t/51dbm_file.t: add test from RT#99508 +Origin: https://github.com/perl5-dbi/dbi/commit/27b10b5c3aacabc091046beaba478e671bb6111c +Bug: https://github.com/perl5-dbi/dbi/pull/93 +Bug-Debian: https://bugs.debian.org/972180 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2014-10402 + +Add test with f_dir="something-not-existing" as reported in RT#99508 +to verify when it's fixed for real. + +Signed-off-by: Jens Rehsack <s...@netbsd.org> +--- + t/51dbm_file.t | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +--- a/t/51dbm_file.t ++++ b/t/51dbm_file.t +@@ -15,6 +15,27 @@ + + do "./t/lib.pl"; + ++{ ++ # test issue reported in RT#99508 ++ my @msg; ++ eval { ++ local $SIG{__DIE__} = sub { push @msg, @_ }; ++ my $dbh = DBI->connect ("dbi:DBM:f_dir=./hopefully-doesnt-existst;sql_identifier_case=1;RaiseError=1"); ++ }; ++ like ("@msg", qr{.*hopefully-doesnt-existst.*}, "Cannot open from non-existing directory with attributes in DSN"); ++ ++ @msg = (); ++ eval { ++ local $SIG{__DIE__} = sub { push @msg, @_ }; ++ my $dbh = DBI->connect ("dbi:DBM:", , undef, undef, { ++ f_dir => "./hopefully-doesnt-existst", ++ sql_identifier_case => 1, ++ RaiseError => 1, ++ }); ++ }; ++ like ("@msg", qr{.*hopefully-doesnt-existst}, "Cannot open from non-existing directory with attributes in HASH"); ++} ++ + my $dir = test_dir(); + + my $dbh = DBI->connect( 'dbi:DBM:', undef, undef, { +@@ -23,6 +44,8 @@ + } + ); + ++ok( $dbh, "Connect with driver attributes in hash" ); ++ + ok( $dbh->do(q/drop table if exists FRED/), 'drop table' ); + + my $dirfext = $^O eq 'VMS' ? '.sdbm_dir' : '.dir';
