Bug #75642 for DBD-Pg: Format string security issue with a malicious server

Fri Mar 09 01:27:56 2012 ntyni [...] iki.fi - Ticket created

Subject:

Format string security issue with a malicious server

Hi, as reported in <http://bugs.debian.org/661536>, there are two format string errors in DBD-Pg that are caught by gcc -Werror=format-security. dbdimp.c: In function 'pg_warn': dbdimp.c:331:4: error: format not a string literal and no format arguments [-Werror=format-security] dbdimp.c: In function 'pg_st_prepare': dbdimp.c:1534:4: error: format not a string literal and no format arguments [-Werror=format-security] cc1: some warnings being treated as errors These strings can be controlled by a malicious server, so Debian will be issuing security updates for this. I'm not aware of a CVE id yet, but I expect one will be allocated. I won't write details here, let me know if you need a test case. It's unfortunate that this become public straight away, but our security team judged there was no point in keeping quiet about the impact when the build error was already known. Apologies for the inconvenience. Trivial patch attached. Thanks for your work on DBD-Pg, -- Niko Tyni ntyni@debian.org

Subject:

0001-Explicitly-warn-and-croak-with-controlled-format-str.patch

From f014710c05e4952385c8223a47bb1fcb7b48b51a Mon Sep 17 00:00:00 2001 From: Niko Tyni <ntyni@debian.org> Date: Sat, 3 Mar 2012 21:50:32 +0200 Subject: [PATCH] Explicitly warn and croak with controlled format strings This fixes builds with 'gcc -Werror=format-security'. --- dbdimp.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dbdimp.c b/dbdimp.c index c298e85..7032f79 100644 --- a/dbdimp.c +++ b/dbdimp.c @@ -328,7 +328,7 @@ static void pg_warn (void * arg, const char * message) DBIc_is(imp_dbh, DBIcf_PrintWarn) ? 1 : 0); if (DBIc_WARN(imp_dbh) && DBIc_is(imp_dbh, DBIcf_PrintWarn)) - warn(message); + warn("%s", message); if (TEND) TRC(DBILOGFP, "%sEnd pg_warn\n", THEADER); } @@ -1531,7 +1531,7 @@ int dbd_st_prepare (SV * sth, imp_sth_t * imp_sth, char * statement, SV * attrib if (pg_st_prepare_statement(aTHX_ sth, imp_sth)!=0) { TRACE_PQERRORMESSAGE; - croak (PQerrorMessage(imp_dbh->conn)); + croak ("%s", PQerrorMessage(imp_dbh->conn)); } } -- 1.7.9.1

Fri Mar 09 08:36:27 2012 greg [...] turnstep.com - Correspondence added

Thanks, we will try to get out a new version shortly.

Fri Mar 09 08:36:29 2012 The RT System itself - Status changed from 'new' to 'open'

Fri Mar 09 11:05:46 2012 greg [...] turnstep.com - Correspondence added

From:

greg [...] turnstep.com

Patch applied in 804e9ba5ead5dca7d3797becea31c2f24c845815

Fri Mar 09 20:09:42 2012 greg [...] turnstep.com - Correspondence added

From:

greg [...] turnstep.com

Version 2.19.0 sent to CPAN; please let me know if you have any problems with it, or feel it does not fix the problem.

Sat Mar 10 06:20:21 2012 ntyni [...] debian.org - Correspondence added

Subject:	Re: [rt.cpan.org #75642] Format string security issue with a malicious server
Date:	Sat, 10 Mar 2012 13:20:07 +0200
To:	Greg Sabino Mullane via RT <bug-DBD-Pg [...] rt.cpan.org>
From:	Niko Tyni <ntyni [...] debian.org>

On Fri, Mar 09, 2012 at 08:09:43PM -0500, Greg Sabino Mullane via RT wrote: Show quoted text

> <URL: https://rt.cpan.org/Ticket/Display.html?id=75642 > > > Version 2.19.0 sent to CPAN; please let me know if you have any problems > with it, or feel it does not fix the problem.

Thanks for the quick release! I can confirm that 2.19.0 is no longer vulnerable according to my testcases. FYI, this has been assigned CVE-2012-1151. http://seclists.org/oss-sec/2012/q1/609 -- Niko Tyni ntyni@debian.org

Tue Aug 21 13:36:19 2012 greg [...] turnstep.com - Severity Important changed to Critical

Tue Aug 21 13:36:19 2012 greg [...] turnstep.com - Fixed in 2.19.0 added

Tue Aug 21 13:36:19 2012 greg [...] turnstep.com - Status changed from 'open' to 'resolved'