Bug#973342: buster-pu: package libdbi-perl/1.642-1+deb10u2
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: debian-perl@lists.debian.org
[ Reason ]
libdbi-perl is still vulnerable to CVE-2014-10401: DBD::File drivers can
open files from folders other than those specifically passed via the f_dir
attribute.
[ Impact ]
Moderate vulnerability
[ Tests ]
Upstream test related to this issue is included in this patch
[ Risks ]
Low risk, patch is simple and test is provided
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Just a better check of user's arguments
diff --git a/debian/changelog b/debian/changelog
index 3ea2f5e..33cbebf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+libdbi-perl (1.642-1+deb10u2) buster; urgency=medium
+
+ [ Salvatore Bonaccorso ]
+ * t/51dbm_file.t: add test from RT#99508
+ * lib/DBD/File.pm: fix CVE-2014-10401 (Closes: #972180)
+
+ -- Xavier Guimard <yadd@debian.org> Thu, 29 Oct 2020 07:35:08 +0100
+
libdbi-perl (1.642-1+deb10u1) buster; urgency=medium
* Fix memory corruption in XS functions when Perl stack is reallocated
diff --git a/debian/patches/lib-DBD-File.pm-fix-CVE-2014-10401.patch b/debian/patches/lib-DBD-File.pm-fix-CVE-2014-10401.patch
new file mode 100644
index 0000000..178349f
--- /dev/null
+++ b/debian/patches/lib-DBD-File.pm-fix-CVE-2014-10401.patch
@@ -0,0 +1,43 @@
+From: Jens Rehsack <sno@netbsd.org>
+Date: Tue, 6 Oct 2020 10:22:17 +0200
+Subject: [2/2] lib/DBD/File.pm: fix CVE-2014-10401
+Origin: https://github.com/perl5-dbi/dbi/commit/19d0fb169eed475e1c053e99036b8668625cfa94
+Bug: https://github.com/perl5-dbi/dbi/pull/93
+Bug-Debian: https://bugs.debian.org/972180
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2014-10402
+
+Dig into the root cause of RT#99508 - which resulted in CVE-2014-10401 - and
+figure out that DBI->parse_dsn is the wrong helper to parse our attributes in
+DSN, since in DBD::dr::connect only the "dbname" remains from DSN which causes
+parse_dsn to bailout.
+
+Parsing on our own similar to parse_dsn shows the way out.
+
+Signed-off-by: Jens Rehsack <sno@netbsd.org>
+---
+ lib/DBD/File.pm | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/lib/DBD/File.pm
++++ b/lib/DBD/File.pm
+@@ -109,7 +109,11 @@
+ # We do not (yet) care about conflicting attributes here
+ # my $dbh = DBI->connect ("dbi:CSV:f_dir=test", undef, undef, { f_dir => "text" });
+ # will test here that both test and text should exist
+- if (my $attr_hash = (DBI->parse_dsn ($dbname))[3]) {
++ #
++ # Parsing on our own similar to parse_dsn to find attributes in 'dbname' parameter.
++ if ($dbname) {
++ my @attrs = split /;/ => $dbname;
++ my $attr_hash = { map { split /\s*=>?\s*|\s*,\s*/, $_} @attrs };
+ if (defined $attr_hash->{f_dir} && ! -d $attr_hash->{f_dir}) {
+ my $msg = "No such directory '$attr_hash->{f_dir}";
+ $drh->set_err (2, $msg);
+@@ -120,7 +124,6 @@
+ if ($attr and defined $attr->{f_dir} && ! -d $attr->{f_dir}) {
+ my $msg = "No such directory '$attr->{f_dir}";
+ $drh->set_err (2, $msg);
+- $attr->{RaiseError} and croak $msg;
+ return;
+ }
+
diff --git a/debian/patches/series b/debian/patches/series
index 1b64514..f2bb032 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,5 @@ spelling.patch
CVE-2020-14392.patch
CVE-2020-14393.patch
CVE-2019-20919.patch
+t-51dbm_file.t-add-test-from-RT-99508.patch
+lib-DBD-File.pm-fix-CVE-2014-10401.patch
diff --git a/debian/patches/t-51dbm_file.t-add-test-from-RT-99508.patch b/debian/patches/t-51dbm_file.t-add-test-from-RT-99508.patch
new file mode 100644
index 0000000..a1a1085
--- /dev/null
+++ b/debian/patches/t-51dbm_file.t-add-test-from-RT-99508.patch
@@ -0,0 +1,55 @@
+From: Jens Rehsack <sno@netbsd.org>
+Date: Tue, 6 Oct 2020 08:23:55 +0200
+Subject: [1/2] t/51dbm_file.t: add test from RT#99508
+Origin: https://github.com/perl5-dbi/dbi/commit/27b10b5c3aacabc091046beaba478e671bb6111c
+Bug: https://github.com/perl5-dbi/dbi/pull/93
+Bug-Debian: https://bugs.debian.org/972180
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2014-10402
+
+Add test with f_dir="something-not-existing" as reported in RT#99508
+to verify when it's fixed for real.
+
+Signed-off-by: Jens Rehsack <sno@netbsd.org>
+---
+ t/51dbm_file.t | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+--- a/t/51dbm_file.t
++++ b/t/51dbm_file.t
+@@ -15,6 +15,27 @@
+
+ do "./t/lib.pl";
+
++{
++ # test issue reported in RT#99508
++ my @msg;
++ eval {
++ local $SIG{__DIE__} = sub { push @msg, @_ };
++ my $dbh = DBI->connect ("dbi:DBM:f_dir=./hopefully-doesnt-existst;sql_identifier_case=1;RaiseError=1");
++ };
++ like ("@msg", qr{.*hopefully-doesnt-existst.*}, "Cannot open from non-existing directory with attributes in DSN");
++
++ @msg = ();
++ eval {
++ local $SIG{__DIE__} = sub { push @msg, @_ };
++ my $dbh = DBI->connect ("dbi:DBM:", , undef, undef, {
++ f_dir => "./hopefully-doesnt-existst",
++ sql_identifier_case => 1,
++ RaiseError => 1,
++ });
++ };
++ like ("@msg", qr{.*hopefully-doesnt-existst}, "Cannot open from non-existing directory with attributes in HASH");
++}
++
+ my $dir = test_dir();
+
+ my $dbh = DBI->connect( 'dbi:DBM:', undef, undef, {
+@@ -23,6 +44,8 @@
+ }
+ );
+
++ok( $dbh, "Connect with driver attributes in hash" );
++
+ ok( $dbh->do(q/drop table if exists FRED/), 'drop table' );
+
+ my $dirfext = $^O eq 'VMS' ? '.sdbm_dir' : '.dir';
Reply to: