Summary: | dev-perl/DBI-1.643.0: Multiple vulnerabilities (CVE-2020-{14392,14393}) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | kentnl, perl |
Priority: | Normal | Flags: | nattka: sanity-check+ |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | B3 [glsa+ cve] | | |
Package list: | =dev-perl/DBI-1.643.0 | | |
Runtime testing required: | --- | | |
Description

Sam James
2020-07-14 21:14:38 UTC

https://metacpan.org/source/TIMB/DBI-1.643/Changes#L11-12
https://github.com/perl5-dbi/dbi/pull/85

https://metacpan.org/source/TIMB/DBI-1.643/Changes#L19-20
https://github.com/perl5-dbi/dbi/pull/84

https://metacpan.org/source/TIMB/DBI-1.643/Changes#L21-22
https://github.com/perl5-dbi/dbi/pull/83

ping, ready to stable?

(In reply to Sam James from comment #2)
> ping, ready to stable?

ping

arm done

arm64 done

sparc done

x86 done

amd64 done

s390 stable

ppc done

ppc64 done

hppa stable

Please cleanup.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3c4d23001a888798c23a4333aaf36bbef5121f51

    commit 3c4d23001a888798c23a4333aaf36bbef5121f51
    Author:     Kent Fredric <kentnl@gentoo.org>
    AuthorDate: 2020-09-07 09:28:02 +0000
    Commit:     Kent Fredric <kentnl@gentoo.org>
    CommitDate: 2020-09-07 09:28:02 +0000

        dev-perl/DBI: Cleanup old 1.637.0 re bug #732636

        Bug: https://bugs.gentoo.org/732636
        Package-Manager: Portage-3.0.4, Repoman-3.0.1
        Signed-off-by: Kent Fredric <kentnl@gentoo.org>

     dev-perl/DBI/DBI-1.637.0.ebuild | 37 -------------------------------------
     dev-perl/DBI/Manifest           |  1 -
     2 files changed, 38 deletions(-)

thanks!

New GLSA request filed.

This issue was resolved and addressed in
GLSA 202009-07 at https://security.gentoo.org/glsa/202009-07
by GLSA coordinator Thomas Deutschmann (whissi).

(In reply to GLSAMaker/CVETool Bot from comment #17)
> This issue was resolved and addressed in
> GLSA 202009-07 at https://security.gentoo.org/glsa/202009-07
> by GLSA coordinator Thomas Deutschmann (whissi).

Just going to point out that currently none of the linked CVE entries have any data presented. NVD just says "CVE ID Not Found". I don't even know how these IDs were discovered :(

But it just means the statement presented at https://security.gentoo.org/glsa/202009-07 of:

> Please review the referenced CVE identifiers for details.

is pretty much useless in this context.

That's a flaw in CVE progress. The CNA who assigned the CVE has to publish the data, which didn't happen yet. The following information is currently awaiting publication:

CVE-2020-14392: An untrusted pointer dereference flaw was found in Perl-DBI < 1.643. A local attacker who is able to manipulate calls to dbd_db_login6_sv() could cause memory corruption, affecting the service's availability.

CVE-2020-14393: A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local attacker who is able to supply a string longer than 300 characters could cause an out-of-bounds write, affecting the availability of the service or integrity of data.