Subject: Format string security issue with a malicious server
Hi,
as reported in <http://bugs.debian.org/661536>, there are two format
string errors in DBD-Pg that are caught by gcc -Werror=format-security.
dbdimp.c: In function 'pg_warn':
dbdimp.c:331:4: error: format not a string literal and no format
arguments [-Werror=format-security]
dbdimp.c: In function 'pg_st_prepare':
dbdimp.c:1534:4: error: format not a string literal and no format
arguments [-Werror=format-security]
cc1: some warnings being treated as errors
These strings can be controlled by a malicious server, so Debian will be
issuing security updates for this. I'm not aware of a CVE id yet, but I
expect one will be allocated. I won't write details here, let me know if
you need a test case.
It's unfortunate that this became public straight away, but our security
team judged there was no point in keeping quiet about the impact when
the build error was already known. Apologies for the inconvenience.
Trivial patch attached.
Thanks for your work on DBD-Pg,
--
Niko Tyni
ntyni@debian.org
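As an added illustration (not code from DBD-Pg or from this thread), here is the pattern the patch applies, with a constructed stand-in for the Perl warn()/croak() sink and a helper that counts the conversion directives a server-supplied string would have contributed when passed as the format itself:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the Perl API's warn()/croak(): a printf-style
 * sink that formats into a caller buffer instead of writing to stderr. */
static void report(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* The pattern the patch introduces: the server text is an argument and the
 * format string is a literal, so '%' in the message is never interpreted. */
static void warn_server_message(char *out, size_t n, const char *message)
{
    report(out, n, "%s", message);
}

/* Returns 1 if the message reaches the sink byte-for-byte unchanged. */
static int survives_verbatim(const char *message)
{
    char buf[256];
    warn_server_message(buf, sizeof buf, message);
    return strcmp(buf, message) == 0;
}

/* Review helper: count printf conversion directives in a string that was
 * never meant to be a format. A non-zero result is exactly what made
 * report(message) dangerous; "%%" is a literal percent and is not counted. */
static int count_directives(const char *s)
{
    int count = 0;
    while ((s = strchr(s, '%')) != NULL) {
        if (s[1] == '%') { s += 2; continue; }
        count++;
        s++;
    }
    return count;
}

int main(void)
{
    /* Constructed example of a notice text a PostgreSQL server could send. */
    const char *msg = "NOTICE: relation %s already exists, 100%% sure";
    printf("verbatim: %d, directives: %d\n",
           survives_verbatim(msg), count_directives(msg));
    return 0;
}
```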
Subject: 0001-Explicitly-warn-and-croak-with-controlled-format-str.patch
From f014710c05e4952385c8223a47bb1fcb7b48b51a Mon Sep 17 00:00:00 2001
From: Niko Tyni <ntyni@debian.org>
Date: Sat, 3 Mar 2012 21:50:32 +0200
Subject: [PATCH] Explicitly warn and croak with controlled format strings
This fixes builds with 'gcc -Werror=format-security'.
---
dbdimp.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/dbdimp.c b/dbdimp.c
index c298e85..7032f79 100644
--- a/dbdimp.c
+++ b/dbdimp.c
@@ -328,7 +328,7 @@ static void pg_warn (void * arg, const char * message)
DBIc_is(imp_dbh, DBIcf_PrintWarn) ? 1 : 0);
if (DBIc_WARN(imp_dbh) && DBIc_is(imp_dbh, DBIcf_PrintWarn))
- warn(message);
+ warn("%s", message);
if (TEND) TRC(DBILOGFP, "%sEnd pg_warn\n", THEADER);
}
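Review bot: the commit message only records a build fix, but `message` in `pg_warn (void * arg, const char * message)` is the libpq notice text and therefore server-controlled, so `+ warn("%s", message);` closes a format string exposure, not just a warning; the commit message should say so, since that is what readers of the history will need to find later.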
@@ -1531,7 +1531,7 @@ int dbd_st_prepare (SV * sth, imp_sth_t * imp_sth, char * statement, SV * attrib
if (pg_st_prepare_statement(aTHX_ sth, imp_sth)!=0) {
TRACE_PQERRORMESSAGE;
- croak (PQerrorMessage(imp_dbh->conn));
+ croak ("%s", PQerrorMessage(imp_dbh->conn));
}
}
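Review bot: `+ croak ("%s", PQerrorMessage(imp_dbh->conn));` is the right fix, as the error text is likewise server-originated; note that the diagnostic quoted in the cover mail ("format not a string literal and no format arguments") only fires for calls with no extra arguments, so the rest of dbdimp.c is worth grepping for other warn()/croak() calls that take PQerrorMessage() or another libpq string as their first argument rather than relying on the compiler flag alone.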
--
1.7.9.1