Message-ID: <87oa31xsds.fsf@mid.deneb.enyo.de>
Date: Mon, 03 Oct 2016 19:19:11 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: oss-security@...ts.openwall.com
Subject: CVE-2016-1246: Buffer overflow in DBD-mysql error reporting (Perl DBI module)

When reporting a variable bind error, DBD-mysql would try to construct the error message in a fixed-size buffer on the stack, possibly leading to arbitrary code execution. It depends on the application whether untrusted data is included in the error message.

-D_FORTIFY_SOURCE=2 would catch this and turn the issue into a mere crash.

Upstream commit:

<https://github.com/perl5-dbi/DBD-mysql/commit/7c164a0c86cec6ee95df1d141e67b0e85dfdefd2>

Upstream credits Pali Rohár with reporting and fixing this issue.

Here is what I used to validate the patch:

use strict;
use warnings;
use DBI;

# Connect to the local mysql database as root with an empty password;
# RaiseError makes the bind failure below die instead of returning undef.
my $dbh = DBI->connect("DBI:mysql:mysql:", "root", "",
                       { PrintError => 0, RaiseError => 1 });
$dbh->do('CREATE TEMPORARY TABLE t (i INTEGER NOT NULL)');
$dbh->begin_work;
my $st = $dbh->prepare('INSERT INTO t VALUES (?)');
# A 64-character string bound as SQL_INTEGER takes the bind-error path,
# where the overlong value ends up in the error message.
$st->bind_param(1, 'X' x 64, DBI::SQL_INTEGER);
$dbh->commit;
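The report describes the bug only in outline: a bind value is formatted into a fixed-size stack buffer, and -D_FORTIFY_SOURCE=2 turns the overflow into an abort. The following C program is an added illustration of that pattern and of the bounded replacement; it is not DBD-mysql code, and the format string, the 64-byte buffer size and the function names are assumptions chosen for illustration. It also shows a check a reviewer can run offline: how far an unbounded sprintf would have written past the buffer for a given input, using the same 64-character value as the Perl test above.

```c
/* Added example, not DBD-mysql code.  Format string, buffer size and function
 * names are assumptions for illustration only. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ERRBUF_SIZE 64   /* assumed fixed-size stack buffer */
#define BIND_ERR_FMT "Cannot bind parameter %d: invalid value '%s'"

/* Vulnerable shape: the caller-supplied bind value is formatted into a
 * fixed-size stack buffer with no bound.  Built with -D_FORTIFY_SOURCE=2 and
 * optimisation, glibc replaces this sprintf with a checked variant that aborts
 * rather than writing past the buffer, which is why the report says the flag
 * turns the issue into "a mere crash". */
void report_bind_error_unbounded(int param_num, const char *value) {
    char msg[ERRBUF_SIZE];
    sprintf(msg, BIND_ERR_FMT, param_num, value);   /* overflows for long values */
    fprintf(stderr, "%s\n", msg);
}

/* Hardened shape: bounded formatting.  Returns true if the whole message
 * (including the terminating NUL) fit, false if it was truncated. */
bool format_bind_error(char *buf, size_t bufsize, int param_num, const char *value) {
    int needed = snprintf(buf, bufsize, BIND_ERR_FMT, param_num, value);
    return needed >= 0 && (size_t)needed < bufsize;
}

/* Review helper: number of bytes the unbounded version would write past
 * ERRBUF_SIZE for this input, or 0 when the message fits.  snprintf with a
 * NULL buffer and size 0 only measures; nothing is written. */
size_t overflow_bytes(int param_num, const char *value) {
    int needed = snprintf(NULL, 0, BIND_ERR_FMT, param_num, value);
    if (needed < 0) return 0;
    size_t total = (size_t)needed + 1;   /* count the terminating NUL too */
    return total > ERRBUF_SIZE ? total - ERRBUF_SIZE : 0;
}

int main(void) {
    /* Constructed input mirroring the 'X' x 64 bind value from the Perl test. */
    char value[65];
    memset(value, 'X', 64);
    value[64] = '\0';

    char msg[ERRBUF_SIZE];
    bool fit = format_bind_error(msg, sizeof msg, 1, value);
    printf("fit=%d message=\"%s\"\n", fit, msg);
    printf("unbounded sprintf would overrun the buffer by %zu bytes\n",
           overflow_bytes(1, value));
    return 0;
}
```

With the assumed format string, the 64-character value needs 106 bytes including the NUL, so the unbounded version would write 42 bytes past a 64-byte buffer; the bounded version keeps the message to 63 characters plus NUL and reports the truncation to the caller, which can then log a shortened message or an error code rather than trusting the stack to survive.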