Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <11e8c352-5318-4566-ada9-8a82d8428529@cpansec.org>
Date: Tue, 14 Jul 2026 16:36:34 +0100
From: Robert Rothenberg <rrwo@...nsec.org>
To: cve-announce@...urity.metacpan.org, oss-security@...ts.openwall.com
Subject: CVE-2026-60082: DBI versions before 1.651 for Perl do not enforce
 statement handle consistency with the row


========================================================================
CVE-2026-60082                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-60082
   Distribution:  DBI
       Versions:  before 1.651

       MetaCPAN:  https://metacpan.org/dist/DBI
       VCS Repo:  https://github.com/perl5-dbi/dbi


DBI versions before 1.651 for Perl do not enforce statement handle
consistency with the row

Description
-----------
DBI versions before 1.651 for Perl do not enforce statement handle
consistency with the row.

When the statement handle had no fields but the source row was
non-empty, the internal row-buffer helper would read from a negative
array index.

This could be triggered by a caller supplying inconsistent metadata and
rows to the prepare method.

Problem types
-------------
- CWE-125 Out-of-bounds Read

Solutions
---------
Upgrade to version 1.651 or later.


References
----------
https://github.com/perl5-dbi/dbi/security/advisories/GHSA-rwhc-hhmv-cjvg
https://metacpan.org/release/HMBRAND/DBI-1.651/changes
https://github.com/perl5-dbi/dbi/commit/397868704291bbf0989b97e2c0661189890653e2.patch



Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.