Bug 732636 (CVE-2020-14392, CVE-2020-14393) - <dev-perl/DBI-1.643.0: Multiple vulnerabilities (CVE-2020-{14392,14392})
Status: RESOLVED FIXED
Alias: CVE-2020-14392, CVE-2020-14393
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-14 21:14 UTC by Sam James
Modified: 2020-09-14 12:57 UTC
CC List: 2 users

See Also:
Package list:
=dev-perl/DBI-1.643.0
Runtime testing required: ---
nattka: sanity-check+


Description Sam James gentoo-dev Security 2020-07-14 21:14:38 UTC
From https://gitweb.gentoo.org/repo/gentoo.git/commit?id=af84e8ca90c3e93ff5a3ef7c07ea98099171b0cf:

"Upstream:
...
- Fix memory corruption in XS functions when Perl stack is reallocated
...
- Fix a potential NULL profile deref in dbi_profile()
- Fix a buffer overflow on an overlong DBD class name"

It's not clear how exploitable either of these are, though.
Comment 2 Sam James gentoo-dev Security 2020-08-05 18:13:21 UTC
ping, ready to stable?
Comment 3 Sam James gentoo-dev Security 2020-08-11 08:33:30 UTC
(In reply to Sam James from comment #2)
> ping, ready to stable?

ping
Comment 4 Sam James gentoo-dev Security 2020-08-12 09:53:41 UTC
arm done
Comment 5 Sam James gentoo-dev Security 2020-08-12 09:56:11 UTC
arm64 done
Comment 6 Sam James gentoo-dev Security 2020-08-12 11:42:58 UTC
sparc done
Comment 7 Sam James gentoo-dev Security 2020-08-14 23:08:08 UTC
x86 done
Comment 8 Sam James gentoo-dev Security 2020-08-15 00:19:21 UTC
amd64 done
Comment 9 Agostino Sarubbo gentoo-dev 2020-08-16 14:47:54 UTC
s390 stable
Comment 10 Sam James gentoo-dev Security 2020-08-29 18:21:47 UTC
ppc done
Comment 11 Sam James gentoo-dev Security 2020-08-30 18:32:41 UTC
ppc64 done
Comment 12 Sergei Trofimovich gentoo-dev 2020-09-06 08:17:15 UTC
hppa stable
Comment 13 Sam James gentoo-dev Security 2020-09-06 14:21:19 UTC
Please cleanup.
Comment 14 Larry the Git Cow gentoo-dev 2020-09-07 09:28:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3c4d23001a888798c23a4333aaf36bbef5121f51

commit 3c4d23001a888798c23a4333aaf36bbef5121f51
Author:     Kent Fredric <kentnl@gentoo.org>
AuthorDate: 2020-09-07 09:28:02 +0000
Commit:     Kent Fredric <kentnl@gentoo.org>
CommitDate: 2020-09-07 09:28:02 +0000

    dev-perl/DBI: Cleanup old 1.637.0 re bug #732636
    
    Bug: https://bugs.gentoo.org/732636
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Kent Fredric <kentnl@gentoo.org>

 dev-perl/DBI/DBI-1.637.0.ebuild | 37 -------------------------------------
 dev-perl/DBI/Manifest           |  1 -
 2 files changed, 38 deletions(-)
Comment 15 Sam James gentoo-dev Security 2020-09-07 16:36:44 UTC
thanks!
Comment 16 Thomas Deutschmann gentoo-dev Security 2020-09-13 21:52:11 UTC
New GLSA request filed.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2020-09-13 23:41:18 UTC
This issue was resolved and addressed in
 GLSA 202009-07 at https://security.gentoo.org/glsa/202009-07
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 18 Kent Fredric (IRC: kent\n) gentoo-dev 2020-09-14 02:46:02 UTC
(In reply to GLSAMaker/CVETool Bot from comment #17)
> This issue was resolved and addressed in
>  GLSA 202009-07 at https://security.gentoo.org/glsa/202009-07
> by GLSA coordinator Thomas Deutschmann (whissi).

Just going to point out, that currently, none of the linked CVE entries have any data presented. NVD just says "CVE ID Not Found".

I don't even know how these IDs were discovered :(

But it just means the statement presented at https://security.gentoo.org/glsa/202009-07

Of:

> Please review the referenced CVE identifiers for details.

Is pretty much useless in this context.
Comment 19 Thomas Deutschmann gentoo-dev Security 2020-09-14 12:57:03 UTC
That's a flaw in CVE progress. The CNA who assigned the CVE has to publish the data, which hasn't happened yet. The following information is currently awaiting publication:


CVE-2020-14392:

An untrusted pointer dereference flaw was found in Perl-DBI < 1.643. A local attacker who is able to manipulate calls to dbd_db_login6_sv() could cause memory corruption, affecting the service's availability.


CVE-2020-14393:

A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local attacker who is able to supply a string longer than 300 characters could cause an out-of-bounds write, affecting the availability of the service or integrity of data.