Security Advisories (9)
A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local attacker who is able to supply a string longer than 300 characters could cause an out-of-bounds write, affecting the availability of the service or integrity of data.
An untrusted pointer dereference flaw was found in Perl-DBI < 1.643. A local attacker who is able to manipulate calls to dbd_db_login6_sv() could cause memory corruption, affecting the service's availability.
- https://metacpan.org/changes/distribution/DBI
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXLKODJ7B57GITDEZZXNSHPK4VBYXYHR/
- https://bugzilla.redhat.com/show_bug.cgi?id=1877402
- https://lists.debian.org/debian-lts-announce/2020/09/msg00026.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00067.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00074.html
- https://usn.ubuntu.com/4503-1/
An issue was discovered in the DBI module before 1.643 for Perl. The hv_fetch() documentation requires checking for NULL and the code does that. But, shortly thereafter, it calls SvOK(profile), causing a NULL pointer dereference.
- https://metacpan.org/changes/distribution/DBI
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXLKODJ7B57GITDEZZXNSHPK4VBYXYHR/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20919
- https://github.com/perl5-dbi/dbi/commit/eca7d7c8f43d96f6277e86d1000e842eb4cc67ff
- https://bugzilla.redhat.com/show_bug.cgi?id=1877405
- https://lists.debian.org/debian-lts-announce/2020/09/msg00026.html
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/US6VXPKVAYHOKNFSAFLM3FWNYZSJKQHS/
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/KJN7E27GD6QQ2CRGEJ3TNW2DJFXA2AKN/
- https://ubuntu.com/security/notices/USN-4534-1
DBD::File drivers open files from folders other than specifically passed using the f_dir attribute.
An issue was discovered in the DBI module through 1.643 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute in the data source name (DSN). NOTE: this issue exists because of an incomplete fix for CVE-2014-10401.
An issue was discovered in the DBI module before 1.632 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute.
- https://rt.cpan.org/Public/Bug/Display.html?id=99508
- https://metacpan.org/pod/distribution/DBI/Changes#Changes-in-DBI-1.632-9th-Nov-2014
- https://github.com/perl5-dbi/dbi/commit/caedc0d7d602f5b2ae5efc1b00f39efeafb7b05a
- https://usn.ubuntu.com/4509-1/
- https://metacpan.org/release/HMBRAND/DBI-1.643_01/view/Changes
An issue was discovered in the DBI module before 1.632 for Perl. Using many arguments to methods for Callbacks may lead to memory corruption.
DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders. The preparse method expands SQL placeholder characters to numbered binders of the form :pN, but only allocates three characters per binder in the buffer. Placeholders 10-99 require four characters, 100-999 require five characters, et cetera.
DBI versions before 1.648 for Perl saved errors in a limited-size buffer. Error messages returned when RaiseError, PrintError or HandleError were set were written to a 200-byte buffer without a length limit. Attackers who can influence the error text in an application can trigger a buffer overflow.
NAME
dbilogstrip - filter to normalize DBI trace logs for diff'ing
SYNOPSIS
Read the DBI trace file dbitrace.log and write out a stripped version to dbitrace_stripped.log:
dbilogstrip dbitrace.log > dbitrace_stripped.log
Run yourscript.pl twice, each with different sets of arguments, with DBI_TRACE enabled. Filter the output and trace through dbilogstrip into a separate file for each run. Then compare using diff. (This example assumes you're using a standard shell.)
DBI_TRACE=2 perl yourscript.pl ...args1... 2>&1 | dbilogstrip > dbitrace1.log
DBI_TRACE=2 perl yourscript.pl ...args2... 2>&1 | dbilogstrip > dbitrace2.log
diff -u dbitrace1.log dbitrace2.log
DESCRIPTION
Replaces any hex addresses, e.g., 0x128f72ce with 0xN.
Replaces any references to process id or thread id, like pid#6254 with pidN.
For example, a DBI trace line like this:
-> STORE for DBD::DBM::st (DBI::st=HASH(0x19162a0)~0x191f9c8 'f_params' ARRAY(0x1922018)) thr#1800400
will look like this:
-> STORE for DBD::DBM::st (DBI::st=HASH(0xN)~0xN 'f_params' ARRAY(0xN)) thrN

Module Install Instructions
To install DBI, copy and paste the appropriate command into your terminal.
cpanm DBI
perl -MCPAN -e shell
install DBI
For more information on module installation, please visit the detailed CPAN module installation guide.