
This queue is for tickets about the DBD-Pg CPAN distribution.

Report information
The Basics
Id: 75642
Status: resolved
Priority: 0/
Queue: DBD-Pg

People
Owner: Nobody in particular
Requestors: ntyni [...] iki.fi
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in:
  • 2.17.1
  • 2.18.1
  • 2.99.9_2
Fixed in: 2.19.0

Subject: Format string security issue with a malicious server
Hi, as reported in <http://bugs.debian.org/661536>, there are two format string errors in DBD-Pg that are caught by gcc -Werror=format-security.

dbdimp.c: In function 'pg_warn':
dbdimp.c:331:4: error: format not a string literal and no format arguments [-Werror=format-security]
dbdimp.c: In function 'pg_st_prepare':
dbdimp.c:1534:4: error: format not a string literal and no format arguments [-Werror=format-security]
cc1: some warnings being treated as errors

These strings can be controlled by a malicious server, so Debian will be issuing security updates for this. I'm not aware of a CVE id yet, but I expect one will be allocated.

I won't write details here, let me know if you need a test case.

It's unfortunate that this became public straight away, but our security team judged there was no point in keeping quiet about the impact when the build error was already known. Apologies for the inconvenience.

Trivial patch attached.

Thanks for your work on DBD-Pg,
--
Niko Tyni
ntyni@debian.org
Subject: 0001-Explicitly-warn-and-croak-with-controlled-format-str.patch
From f014710c05e4952385c8223a47bb1fcb7b48b51a Mon Sep 17 00:00:00 2001 From: Niko Tyni <ntyni@debian.org> Date: Sat, 3 Mar 2012 21:50:32 +0200 Subject: [PATCH] Explicitly warn and croak with controlled format strings This fixes builds with 'gcc -Werror=format-security'. --- dbdimp.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dbdimp.c b/dbdimp.c index c298e85..7032f79 100644 --- a/dbdimp.c +++ b/dbdimp.c @@ -328,7 +328,7 @@ static void pg_warn (void * arg, const char * message) DBIc_is(imp_dbh, DBIcf_PrintWarn) ? 1 : 0); if (DBIc_WARN(imp_dbh) && DBIc_is(imp_dbh, DBIcf_PrintWarn)) - warn(message); + warn("%s", message); if (TEND) TRC(DBILOGFP, "%sEnd pg_warn\n", THEADER); } @@ -1531,7 +1531,7 @@ int dbd_st_prepare (SV * sth, imp_sth_t * imp_sth, char * statement, SV * attrib if (pg_st_prepare_statement(aTHX_ sth, imp_sth)!=0) { TRACE_PQERRORMESSAGE; - croak (PQerrorMessage(imp_dbh->conn)); + croak ("%s", PQerrorMessage(imp_dbh->conn)); } } -- 1.7.9.1
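Review bot: In the pg_warn hunk, replacing `warn(message)` with `warn("%s", message)` is the right minimal fix: `message` is handed to pg_warn by libpq's notice callback, i.e. it originates on the server side, so it must only ever be an argument to a constant format, never the format itself. Note that -Werror=format-security only reports calls where a non-literal format has no following arguments (that is exactly what both build errors above say), so any warn/croak call in dbdimp.c that passes a non-literal format together with arguments would not be caught by the compiler and is worth a manual sweep.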
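Review bot: The commit message undersells the dbd_st_prepare hunk by describing it only as a build fix ("This fixes builds with 'gcc -Werror=format-security'"); the string passed to `croak` there is the return value of `PQerrorMessage(imp_dbh->conn)`, which the ticket already states can be controlled by a malicious server. Suggest a first line such as "Pass server-supplied messages to warn/croak as arguments, not as format strings" and a reference to the Debian bug, so the changelog and any later CVE note point back to this change.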
Thanks, we will try to get out a new version shortly.
From: greg [...] turnstep.com
Patch applied in 804e9ba5ead5dca7d3797becea31c2f24c845815
From: greg [...] turnstep.com
Version 2.19.0 sent to CPAN; please let me know if you have any problems with it, or feel it does not fix the problem.
Subject: Re: [rt.cpan.org #75642] Format string security issue with a malicious server
Date: Sat, 10 Mar 2012 13:20:07 +0200
To: Greg Sabino Mullane via RT <bug-DBD-Pg [...] rt.cpan.org>
From: Niko Tyni <ntyni [...] debian.org>
On Fri, Mar 09, 2012 at 08:09:43PM -0500, Greg Sabino Mullane via RT wrote:
> <URL: https://rt.cpan.org/Ticket/Display.html?id=75642 >
>
> Version 2.19.0 sent to CPAN; please let me know if you have any problems
> with it, or feel it does not fix the problem.

Thanks for the quick release! I can confirm that 2.19.0 is no longer vulnerable according to my testcases.

FYI, this has been assigned CVE-2012-1151.
http://seclists.org/oss-sec/2012/q1/609
--
Niko Tyni
ntyni@debian.org
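The fix confirmed above (warn("%s", message) and croak("%s", ...)), as an added example that is not DBD-Pg code: a minimal libpq-style notice handler in the hardened shape, with a printf-annotated sink so gcc -Wformat-security would flag the pre-2.19.0 pattern, plus a small audit helper that counts the conversions a raw warn(message) would have interpreted. notice_sink, pg_warn_fixed, count_conversions and the sample messages are all constructed here.

```c
/* Added example (not DBD-Pg code): a libpq-style notice handler in the
 * hardened shape of the 2.19.0 fix: server text is only ever an argument. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define NOTICE_MAX 256

#if defined(__GNUC__)
#define PRINTF_LIKE(fmt_idx, arg_idx) __attribute__((format(printf, fmt_idx, arg_idx)))
#else
#define PRINTF_LIKE(fmt_idx, arg_idx)
#endif

/* Hypothetical stand-in for Perl's warn(): annotated as printf-like so that
 * gcc -Wformat-security reports any caller passing a non-literal format. */
static void notice_sink(char *out, size_t outsz, const char *fmt, ...)
    PRINTF_LIKE(3, 4);

static void notice_sink(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
}

/* Hardened handler: the message is copied verbatim, '%' sequences included,
 * because it is the argument to the constant "%s" format. Returns the buffer
 * so callers (and tests) can inspect exactly what would have been warned. */
const char *pg_warn_fixed(const char *message)
{
    static char buf[NOTICE_MAX];
    notice_sink(buf, sizeof buf, "%s", message);
    return buf;
}

/* Audit helper: counts the '%' conversions a raw warn(message) would have
 * tried to interpret. A non-zero result on server-supplied text is exactly
 * the condition the 2.19.0 fix removes; "%%" is a literal percent sign. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++)
        if (*s == '%') { if (s[1] == '%') s++; else n++; }
    return n;
}
```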