Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 03 Oct 2016 19:19:11 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: oss-security@...ts.openwall.com
Subject: CVE-2016-1246: Buffer overflow in DBD-mysql error reporting (Perl DBI module)

When a reporting a variable bind error, DBD-mysql would try to
construct the error message in a fixed-size buffer on the stack,
possibly leading to arbitrary code execution.

It depends on the application whether untrusted data is included in
the error message.  -D_FORTIFY_SOURCE=2 would catch this and turn the
issue into a mere crash.

Upstream commit:

  <https://github.com/perl5-dbi/DBD-mysql/commit/7c164a0c86cec6ee95df1d141e67b0e85dfdefd2>

Upstream credits Pali Rohár with reporting and fixing this issue.

Here is what I used to validate the patch:

use strict;
use warnings;

use DBI;

my $dbh = DBI->connect("DBI:mysql:mysql:",
                       "root", "",
                       { PrintError => 0, RaiseError => 1});

$dbh->do('CREATE TEMPORARY TABLE t (i INTEGER NOT NULL)');
$dbh->begin_work;
my $st = $dbh->prepare('INSERT INTO t VALUES (?)');
$st->bind_param(1, 'X' x 64, DBI::SQL_INTEGER);
$dbh->commit;

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ