oss-sec mailing list archives
CVE-2016-1246: Buffer overflow in DBD-mysql error reporting (Perl DBI module)
From: Florian Weimer <fw () deneb enyo de>
Date: Mon, 03 Oct 2016 19:19:11 +0200
When reporting a variable bind error, DBD-mysql would try to construct the error message in a fixed-size buffer on the stack, possibly leading to arbitrary code execution. It depends on the application whether untrusted data is included in the error message.

-D_FORTIFY_SOURCE=2 would catch this and turn the issue into a mere crash.

Upstream commit:

<https://github.com/perl5-dbi/DBD-mysql/commit/7c164a0c86cec6ee95df1d141e67b0e85dfdefd2>

Upstream credits Pali Rohár with reporting and fixing this issue.

Here is what I used to validate the patch:

    use strict;
    use warnings;
    use DBI;

    my $dbh = DBI->connect("DBI:mysql:mysql:", "root", "",
                           { PrintError => 0, RaiseError => 1});
    $dbh->do('CREATE TEMPORARY TABLE t (i INTEGER NOT NULL)');
    $dbh->begin_work;
    my $st = $dbh->prepare('INSERT INTO t VALUES (?)');
    # Bind a 64-character non-numeric string as SQL_INTEGER to provoke the bind error
    $st->bind_param(1, 'X' x 64, DBI::SQL_INTEGER);
    $dbh->commit;
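The bug class described in the message above, next to two hardened forms, as an added example that is not DBD-mysql's code and not part of the original post. The buffer size, message text and function names are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ERR_BUF 64 /* assumed buffer size, for illustration only */
/* Constructed message text, not DBD-mysql's own wording. */
#define BIND_ERR_FMT "bind error: parameter %d, value '%s' is not numeric"

/* Pattern the advisory describes: caller-supplied data formatted into a
 * fixed-size stack buffer with no bound. Kept for contrast, never called. */
void bind_error_unsafe(int param, const char *value)
{
    char msg[ERR_BUF];
    sprintf(msg, BIND_ERR_FMT, param, value); /* overruns msg for long values */
    fputs(msg, stderr);
}

/* Hardened: measure first, then allocate exactly what the message needs.
 * Returns a malloc'd string (caller frees) or NULL on failure. */
char *bind_error_message(int param, const char *value)
{
    int need = snprintf(NULL, 0, BIND_ERR_FMT, param, value);
    if (need < 0)
        return NULL;
    char *msg = malloc((size_t)need + 1);
    if (msg != NULL)
        snprintf(msg, (size_t)need + 1, BIND_ERR_FMT, param, value);
    return msg;
}

/* If the fixed buffer must stay: bound the write and report truncation.
 * Returns 0 when the whole message fit, -1 when it was cut short. */
int bind_error_bounded(char *dst, size_t dstlen, int param, const char *value)
{
    int n = snprintf(dst, dstlen, BIND_ERR_FMT, param, value);
    return (n >= 0 && (size_t)n < dstlen) ? 0 : -1;
}

int main(void)
{
    char value[65], buf[ERR_BUF];
    memset(value, 'X', 64); /* same shape as the 'X' x 64 bind value above */
    value[64] = '\0';
    char *msg = bind_error_message(1, value);
    if (msg == NULL)
        return 1;
    printf("heap: %zu bytes\n", strlen(msg));
    printf("bounded fit: %d\n", bind_error_bounded(buf, sizeof buf, 1, value));
    free(msg);
    return 0;
}
```

Building with -D_FORTIFY_SOURCE=2 remains useful alongside either hardened form, since it turns any remaining unbounded write of this kind into an abort.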