Date: Mon, 03 Oct 2016 19:19:11 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: oss-security@...ts.openwall.com
Subject: CVE-2016-1246: Buffer overflow in DBD-mysql error reporting (Perl DBI module)

When reporting a variable bind error, DBD-mysql would try to
construct the error message in a fixed-size buffer on the stack,
possibly leading to arbitrary code execution.

It depends on the application whether untrusted data is included in
the error message.  -D_FORTIFY_SOURCE=2 would catch this and turn the
issue into a mere crash.

Upstream commit:

  <https://github.com/perl5-dbi/DBD-mysql/commit/7c164a0c86cec6ee95df1d141e67b0e85dfdefd2>

Upstream credits Pali Rohár with reporting and fixing this issue.

Here is what I used to validate the patch:

use strict;
use warnings;

use DBI;

my $dbh = DBI->connect("DBI:mysql:mysql:",
                       "root", "",
                       { PrintError => 0, RaiseError => 1});

$dbh->do('CREATE TEMPORARY TABLE t (i INTEGER NOT NULL)');
$dbh->begin_work;
my $st = $dbh->prepare('INSERT INTO t VALUES (?)');
# Binding a 64-character non-numeric string as SQL_INTEGER takes the
# bind-error path, where the message is built in the fixed-size buffer.
$st->bind_param(1, 'X' x 64, DBI::SQL_INTEGER);
$dbh->commit;
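The bug class the post describes, as an added C illustration that is not DBD-mysql's code: an error message carrying caller-controlled data is built in a 64-byte stack buffer, with the bounded snprintf() form in place of the unchecked one. The format string, the buffer sizes and the helper names are assumptions; the 64 X's mirror the Perl reproducer above.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example of the bug class in the post: an error message built in
 * a fixed-size stack buffer from caller-controlled data. Not DBD-mysql's code;
 * the format string and buffer sizes are assumptions. */
#define ERR_BUF_SIZE 64
#define BIND_ERR_FMT "Binding parameter %d failed: '%s' is not an integer"

/* Unsafe pattern, for contrast only: sprintf() writes the whole message, so a
 * long 'value' overruns the 64-byte stack buffer (-D_FORTIFY_SOURCE=2 turns
 * that into an abort):  char buf[ERR_BUF_SIZE]; sprintf(buf, BIND_ERR_FMT, param, value); */

/* Bounded version: snprintf() writes at most cap bytes and NUL-terminates.
 * Returns 1 if the whole message fit, 0 if truncated or formatting failed. */
static int format_bind_error(char *out, size_t cap, int param, const char *value)
{
    int needed = snprintf(out, cap, BIND_ERR_FMT, param, value);
    if (needed < 0) {            /* encoding error: leave a well-formed message */
        snprintf(out, cap, "Binding parameter %d failed", param);
        return 0;
    }
    return (size_t)needed < cap; /* 'needed' excludes the NUL */
}

/* Formats the error for an n-byte bogus value of 'X's (like 'X' x 64 in the
 * Perl reproducer) into a stack buffer. Returns 1 if it fit, 0 if it was
 * safely truncated; if len is non-NULL the message length is stored there. */
static int bind_error_for_value_len(size_t n, size_t *len)
{
    char value[256], buf[ERR_BUF_SIZE];
    if (n >= sizeof value) n = sizeof value - 1;
    memset(value, 'X', n); value[n] = '\0';
    int fit = format_bind_error(buf, sizeof buf, 1, value);
    if (len) *len = strlen(buf); /* always < ERR_BUF_SIZE */
    return fit;
}

/* Message length alone, to confirm the bound holds for over-long values. */
static size_t bind_error_len_for(size_t n)
{
    size_t len = 0;
    bind_error_for_value_len(n, &len);
    return len;
}

int main(void)
{
    printf("64 X's: fit=%d len=%zu\n", bind_error_for_value_len(64, NULL), bind_error_len_for(64));
    return 0;
}
```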
