Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1b27f4cf-c895-47ff-b13f-fca68568dd3b@cpansec.org>
Date: Tue, 14 Jul 2026 10:45:35 +0100
From: Robert Rothenberg <rrwo@...nsec.org>
To: cve-announce@...urity.metacpan.org, oss-security@...ts.openwall.com
Subject: CVE-2026-15043: DBI::SQL::Nano versions from 1.42 before 1.651 for
 Perl have inverted <= and >= SQL operators on text

========================================================================
CVE-2026-15043                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-15043
   Distribution:  DBI
       Versions:  from 1.42 before 1.651

       MetaCPAN:  https://metacpan.org/dist/DBI
       VCS Repo:  https://github.com/perl5-dbi/dbi


DBI::SQL::Nano versions from 1.42 before 1.651 for Perl have inverted
<= and >= SQL operators on text

Description
-----------
DBI::SQL::Nano versions from 1.42 before 1.651 for Perl have inverted
<= and >= SQL operators on text.

DBI::SQL::Nano, DBI's built-in mini-SQL engine, evaluated WHERE
predicates incorrectly in some cases. In the non-numeric string branch
of the is_matched method, <= was evaluated using Perl's ge operator,
and >= was evaluated using Perl's le operator.

SQL::Nano is the fallback query engine for DBI's file-backed drivers
(DBD::File, DBD::DBM, CSV-style drivers) whenever SQL::Statement is not
installed, and is forced whenever DBI_SQL_NANO=1. Queries over such
tables use these predicates directly.

The impact depends on the context. Where an application relies on a
WHERE clause to filter file-backed data for policy or authorization, an
inverted <=/>= comparison silently returns the wrong rows.

Problem types
-------------
- CWE-480 Use of Incorrect Operator

Workarounds
-----------
For deployments that cannot upgrade, apply the patch or install
SQL::Statement.


Solutions
---------
Upgrade to DBI 1.651 or later.


References
----------
https://github.com/perl5-dbi/dbi/security/advisories/GHSA-mv45-ff6j-x9jp
https://github.com/perl5-dbi/dbi/commit/e9742ef85a75867cbd696860e3bf3e32b681f98d.patch

Timeline
--------
- 2004-03-12: Version 1.42 released with DBI::SQL::Nano.
- 2026-07-10: Patch that fixes DBI::SQL::Nano merged.
- 2026-07-14: Version 1.651 released.



Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.