Security Advisories (2)
CVE-2026-10879 (2026-06-05)

DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders. The preparse method expands SQL placeholder characters into numbered binders of the form :pN, but allocates only three characters per binder in the output buffer. Binders 10-99 need four characters (:p10 to :p99), binders 100-999 need five, and so on, so a statement with ten or more placeholders is written past the end of the buffer.
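To make the sizing mistake concrete, here is an added example (not DBI's preparse code) that models the expansion the advisory describes: each ? outside a single-quoted literal becomes :p1, :p2, ..., and the buffer is budgeted at three characters per placeholder. The exact sizing formula used by DBI is an assumption here; the function only shows how the shortfall grows once a binder number needs two or more digits, and what the correct per-binder budget would be.

```python
def expand_placeholders(sql: str):
    """Rewrite every '?' outside a single-quoted literal as :p1, :p2, ...
    Illustrative model of the expansion the advisory describes (an assumption),
    not DBI's preparse implementation. Returns (expanded_sql, binder_count)."""
    out = []
    count = 0
    in_literal = False
    for ch in sql:
        if ch == "'":
            in_literal = not in_literal
            out.append(ch)
        elif ch == "?" and not in_literal:
            count += 1
            out.append(f":p{count}")
        else:
            out.append(ch)
    return "".join(out), count


def buffer_shortfall(sql: str, chars_per_binder: int = 3) -> int:
    """Bytes by which the expanded statement exceeds a buffer that budgets
    chars_per_binder characters for every placeholder (the sizing the advisory
    describes; the formula itself is an assumption). 0 means the result fits."""
    expanded, count = expand_placeholders(sql)
    reserved = len(sql) - count + chars_per_binder * count
    return len(expanded) - reserved


def binder_bytes_needed(n: int) -> int:
    """Correct budget for n binders: ':p' plus the digits of each number."""
    return sum(2 + len(str(i)) for i in range(1, n + 1))


def statement_with(n: int) -> str:
    """Constructed INSERT with n positional placeholders (sample input)."""
    return "INSERT INTO t VALUES (" + ",".join("?" * n) + ")"


if __name__ == "__main__":
    for n in (9, 10, 99, 100):
        sql = statement_with(n)
        print(f"{n:3d} binders: shortfall {buffer_shortfall(sql)} byte(s), "
              f"need {binder_bytes_needed(n)} vs {3 * n} reserved")
```

With nine placeholders the expanded text fits exactly; the tenth binder is the first to need four characters and overruns the three-per-binder budget by one byte, and the shortfall keeps growing (90 bytes at 99 binders, 92 at 100), which is the "more than 9 binders" condition in the advisory.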

CVE-2026-9698 (2026-06-09)

DBI versions before 1.648 for Perl saved errors in a fixed-size buffer. Error messages returned when RaiseError, PrintError or HandleError was set were copied into a 200-byte buffer without a length check. An attacker who can influence the error text an application produces can trigger a buffer overflow.

NAME

dbilogstrip - filter to normalize DBI trace logs for diff'ing

SYNOPSIS

Read the DBI trace file dbitrace.log and write a stripped version to dbitrace_stripped.log:

dbilogstrip dbitrace.log > dbitrace_stripped.log

Run yourscript.pl twice, each time with a different set of arguments and with DBI_TRACE enabled. DBI writes its trace to STDERR, so 2>&1 merges the trace with the script's output before it is piped through dbilogstrip into a separate file for each run. Then compare the two files with diff. (This example assumes you're using a standard shell.)

DBI_TRACE=2 perl yourscript.pl ...args1... 2>&1 | dbilogstrip > dbitrace1.log
DBI_TRACE=2 perl yourscript.pl ...args2... 2>&1 | dbilogstrip > dbitrace2.log
diff -u dbitrace1.log dbitrace2.log

DESCRIPTION

Replaces any hex addresses, e.g., 0x128f72ce, with 0xN.

Replaces any references to process id or thread id, like pid#6254 with pidN.

So a DBI trace line like this:

-> STORE for DBD::DBM::st (DBI::st=HASH(0x19162a0)~0x191f9c8 'f_params' ARRAY(0x1922018)) thr#1800400

will look like this:

-> STORE for DBD::DBM::st (DBI::st=HASH(0xN)~0xN 'f_params' ARRAY(0xN)) thrN
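The same normalization, as an added example in Python rather than the dbilogstrip script itself: it applies the two replacements described above (hex addresses to 0xN, pid#/thr# ids to pidN/thrN) and then diffs two traces, so runs that differ only in addresses and process or thread ids compare equal while a real behavioural difference still shows up. The sample trace lines are constructed for the example, modelled on the STORE line above, and are not captured from a real DBI run.

```python
import difflib
import re
import sys

# Hex addresses such as 0x128f72ce or 0x19162a0 (word-bounded, either case).
HEX_ADDR = re.compile(r"\b0x[0-9a-fA-F]+\b")
# Process and thread ids as they appear in the trace: pid#6254, thr#1800400.
PID_THR = re.compile(r"\b(pid|thr)#\d+\b")


def strip_line(line: str) -> str:
    """Normalize one trace line: 0x<hex> -> 0xN, pid#<n>/thr#<n> -> pidN/thrN."""
    line = HEX_ADDR.sub("0xN", line)
    return PID_THR.sub(r"\g<1>N", line)


def strip_lines(lines):
    return [strip_line(line) for line in lines]


def normalized_diff(run_a, run_b):
    """Unified diff of two traces after normalization. Empty when the runs
    differ only in addresses and pid/thread ids."""
    return list(difflib.unified_diff(strip_lines(run_a), strip_lines(run_b),
                                     fromfile="run1", tofile="run2", lineterm=""))


# Constructed sample traces (illustrative, not real DBI output). RUN_B is the
# "same" run at different addresses and on a different pid/thread; RUN_C is a
# run in which a different value was stored.
RUN_A = [
    "-> STORE for DBD::DBM::st (DBI::st=HASH(0x19162a0)~0x191f9c8 'f_params' ARRAY(0x1922018)) thr#1800400",
    "<- STORE= ( 1 ) [1 items] pid#6254",
]
RUN_B = [
    "-> STORE for DBD::DBM::st (DBI::st=HASH(0x2a4c1f0)~0x2a4d9e8 'f_params' ARRAY(0x2a51a38)) thr#1800800",
    "<- STORE= ( 1 ) [1 items] pid#7013",
]
RUN_C = [
    "-> STORE for DBD::DBM::st (DBI::st=HASH(0x2a4c1f0)~0x2a4d9e8 'f_params' ARRAY(0x2a51a38)) thr#1800800",
    "<- STORE= ( 0 ) [1 items] pid#7013",
]


def main():
    # Behave like the filter: read a trace on stdin, write the stripped version to stdout.
    for line in sys.stdin:
        sys.stdout.write(strip_line(line))


if __name__ == "__main__":
    main()
```

Run it in place of dbilogstrip in the SYNOPSIS pipeline (DBI_TRACE=2 perl yourscript.pl ... 2>&1 | python3 strip.py > dbitrace1.log), or call normalized_diff() directly on two captured traces. Keeping the word boundaries in both patterns matters: without them a hex-looking fragment inside a longer token, or an id such as pid#6254 glued to other text, would be rewritten too and the diff would hide or invent differences.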