Security Advisories (9)
A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local attacker who is able to supply a string longer than 300 characters could cause an out-of-bounds write, affecting the availability of the service or integrity of data.
An untrusted pointer dereference flaw was found in Perl-DBI < 1.643. A local attacker who is able to manipulate calls to dbd_db_login6_sv() could cause memory corruption, affecting the service's availability.
- https://metacpan.org/changes/distribution/DBI
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXLKODJ7B57GITDEZZXNSHPK4VBYXYHR/
- https://bugzilla.redhat.com/show_bug.cgi?id=1877402
- https://bugzilla.redhat.com/show_bug.cgi?id=1877402
- https://lists.debian.org/debian-lts-announce/2020/09/msg00026.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00067.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00074.html
- https://usn.ubuntu.com/4503-1/
An issue was discovered in the DBI module before 1.643 for Perl. The hv_fetch() documentation requires checking for NULL and the code does that. But, shortly thereafter, it calls SvOK(profile), causing a NULL pointer dereference.
- https://metacpan.org/changes/distribution/DBI
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXLKODJ7B57GITDEZZXNSHPK4VBYXYHR/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20919
- https://github.com/perl5-dbi/dbi/commit/eca7d7c8f43d96f6277e86d1000e842eb4cc67ff
- https://bugzilla.redhat.com/show_bug.cgi?id=1877405
- https://lists.debian.org/debian-lts-announce/2020/09/msg00026.html
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/US6VXPKVAYHOKNFSAFLM3FWNYZSJKQHS/
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/KJN7E27GD6QQ2CRGEJ3TNW2DJFXA2AKN/
- https://ubuntu.com/security/notices/USN-4534-1
An issue was discovered in the DBI module through 1.643 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute in the data source name (DSN). NOTE: this issue exists because of an incomplete fix for CVE-2014-10401.
DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders. The preparse method expands SQL placeholder characters to numbered binders of the form :pN, but only allocates three characters per binder in the buffer. Placeholders 10-99 require four characters, 100-999 require five characters, et cetera.
DBI versions before 1.648 for Perl saved errors in a limited-sized buffer. Error messages that were returned when RaiseError, PrintError or HandleError were set were written to a 200-byte buffer without a length limit. Attackers that can influence the error text in an application can trigger a buffer overflow.
DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders. The fix for CVE-2026-10879 did not allocate enough memory to handle approximately 1.2-million placeholders. DBI version 1.650 sets a hard limit of 99,999 placeholders.
DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment. The preparse method normalises SQL and removes comments. When the SQL starts with a comment line, the deletion of that line during normalisation led to an out-of-bounds read by one byte. The result is a fault on memory-hardened builds and nondeterministic newline retention on normal builds.
DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile. When a string is assigned to a DBI handle's Profile attribute, DBI splits it into path, package and arguments, and interpolates the package part in a string eval with no validation of the package name. Any caller-influenced value that reaches the Profile attribute is therefore arbitrary Perl code execution, including calls to run system commands. The Profile attribute can be set from three different sources that can carry untrusted data: the DBI_PROFILE environment variable, a direct attribute assignment, and a DSN driver-attribute clause dbi:Driver(Profile=>SPEC):db. An attacker controlling any of those inputs runs arbitrary Perl in the host process. The strongest remote position is a network-exposed DBI::Gofer / DBI::ProxyServer whose per-request DSN reaches the Profile attribute, letting a client execute code on the broker host.
NAME
Bundle::DBI - A bundle to install DBI and required modules.
SYNOPSIS
perl -MCPAN -e 'install Bundle::DBI'
CONTENTS
DBI - for to get to know thyself
DBI::Shell 11.91 - the DBI command line shell
Storable 2.06 - for DBD::Proxy, DBI::ProxyServer, DBD::Forward
Net::Daemon 0.37 - for DBD::Proxy and DBI::ProxyServer
RPC::PlServer 0.2016 - for DBD::Proxy and DBI::ProxyServer
DBD::Multiplex 1.19 - treat multiple db handles as one
DESCRIPTION
This bundle includes all the modules used by the Perl Database Interface (DBI) module, created by Tim Bunce.
A Bundle is a module that simply defines a collection of other modules. It is used by the CPAN module to automate the fetching, building and installing of modules from the CPAN ftp archive sites.
This bundle does not deal with the various database drivers (e.g. DBD::Informix, DBD::Oracle etc), most of which require software from sources other than CPAN. You'll need to fetch and build those drivers yourself.
AUTHORS
Jonathan Leffler, Jochen Wiedmann and Tim Bunce.
Module Install Instructions
To install DBI, copy and paste the appropriate command in to your terminal.
cpanm DBI
perl -MCPAN -e shell
install DBI
For more information on module installation, please visit the detailed CPAN module installation guide.