[ubuntu-hardened] Fwd: Re: [USN-4503-1] Perl DBI module vulnerability

pali at cpan.org
Sat Oct 3 09:39:55 UTC 2020


FYI

----- Forwarded message from pali at cpan.org -----

Hello Jonathan!

On Wednesday 16 September 2020 11:25:52 Jonathan Leffler wrote:
> I've not seen much (any?) traffic on this list recently.  Is this list
> still alive?
> 
> This message arrived from Canonical/Ubuntu about a fixed bug in DBI —
> numerous versions thereof (1.640, 1.634, 1.630, 1.616).
> 
> Is there a new release of DBI with the fix in place that I missed?
...
> Details:
> It was discovered that Perl DBI module incorrectly handled certain calls.
> An attacker could possibly use this issue to execute arbitrary code.
...
> References:
>   https://usn.ubuntu.com/4503-1
>   CVE-2020-14392
> 
> Package Information:
>   https://launchpad.net/ubuntu/+source/libdbi-perl/1.640-1ubuntu0.1

I looked at this page. There is a "diff from 1.640-1 (in Debian) to
1.640-1ubuntu0.1" button which shows the diff of what was introduced in that
updated Ubuntu DBI version. Link to that diff file:

http://launchpadlibrarian.net/497664016/libdbi-perl_1.640-1_1.640-1ubuntu0.1.diff.gz

And... I'm terrified by these things:

1) It is originally my code, backported from this commit:

https://github.com/perl5-dbi/dbi/commit/ea99b6aafb437db53c28fd40d5eafbe119cd66e1

And from the Ubuntu description it can be seen that it fixes some security
issue which even got assigned a CVE. IIRC I was not able to trigger that
issue without modifying the source code of DBD drivers. I was only able to
assign "undef" to $_ aliased in a foreach loop, and only under specific
conditions and with a specially modified DBD::ODBC driver. So somebody in
Ubuntu was able to, and was too lazy to ask me or inform me?? Strange.

2) In the description of my change (which is in the above linked Ubuntu diff)
it is written that the same problem is in Perl's Encode module, with a link
to the fix for the Encode module AND, importantly, also a reproducer for how
to smash the C stack from pure perl code (= reproducer for that issue).

https://github.com/dankogai/p5-encode/commit/31b34fcc0be8c359994f136e7c504e32fb26fbce

Why has Ubuntu not assigned a CVE for the above Encode issue and not
backported the fix for it? It is the same issue, with the one difference that
there is already code which can 100% trigger it.

3) That Ubuntu fix is INCOMPLETE, does nothing and is basically useless.
It does *NOT* fix the issue which Ubuntu described in that USN or in the CVE
description.

If you look at the code in that diff, it changes just the C include file
Driver.xst. It does not affect, nor fix, any compiled DBD driver.

So to apply that fix you first need to update that DBI include file
Driver.xst and then recompile every single DBD driver, as DBD drivers
during compilation create a private copy of Driver.xst and compile it.

This is how DBI and DBD drivers are built, and after updating the DBI
Driver.xst file it is required to recompile every DBD driver. Otherwise
nothing would be changed.


So the result is that the updated Ubuntu packages do not fix the issue which
they describe in the USN and CVE.

Feel free to report a new security issue to Ubuntu...

----- End forwarded message -----
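As an added example (not part of the forwarded message, and not code from DBI or Ubuntu), the following POSIX shell check turns the point above into something an administrator can run: it locates the installed DBI's Driver.xst (assuming the usual auto/DBI/Driver.xst layout under the DBI.pm directory) and lists every compiled DBD driver shared object (auto/DBD/*/*.so under @INC) that is not newer than it, i.e. drivers whose private copy of Driver.xst was compiled before the DBI update. The mtime comparison and all function names are my own; the comparison is only a heuristic, and the authoritative fix remains rebuilding each DBD driver against the updated Driver.xst.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or from DBI): find compiled
# DBD drivers that are older than DBI's installed Driver.xst, i.e. drivers
# that still carry a pre-update private copy of Driver.xst in their .so.
# Assumption (mine): file mtimes reflect build order. Heuristic only.

# dbd_older_than_xst XST DIR
#   Print every *.so under DIR that is not newer than XST, one per line.
#   Returns 1 when XST does not exist, 0 otherwise (even if DIR is absent).
dbd_older_than_xst() {
    xst="$1"; dir="$2"
    [ -f "$xst" ] || return 1
    [ -d "$dir" ] || return 0
    find "$dir" -name '*.so' ! -newer "$xst" | sort
}

# dbi_driver_xst
#   Ask perl where DBI.pm lives and derive the Driver.xst path next to it.
#   Prints nothing if DBI cannot be loaded.
dbi_driver_xst() {
    perl -MDBI -e 'my $d = $INC{"DBI.pm"}; $d =~ s{/DBI\.pm$}{};
                   print "$d/auto/DBI/Driver.xst\n"' 2>/dev/null
}

# check_installed_drivers
#   Scan every @INC directory for auto/DBD/*/*.so compiled before the
#   current Driver.xst. Exit status: 0 = none found, 1 = DBI missing,
#   2 = at least one stale driver that must be rebuilt.
check_installed_drivers() {
    xst=$(dbi_driver_xst)
    if [ -z "$xst" ] || [ ! -f "$xst" ]; then
        echo "DBI Driver.xst not found; is DBI installed?" >&2
        return 1
    fi
    echo "DBI Driver.xst: $xst"
    found=0
    # Note: word-splitting @INC here assumes no spaces in those paths.
    for inc in $(perl -e 'print "$_\n" for @INC'); do
        [ -d "$inc/auto/DBD" ] || continue
        for so in $(dbd_older_than_xst "$xst" "$inc/auto/DBD"); do
            echo "STALE: $so predates Driver.xst; rebuild this DBD driver"
            found=1
        done
    done
    [ "$found" -eq 0 ] && echo "no compiled DBD driver older than Driver.xst found"
    return $((found * 2))
}

# Run the real scan only when invoked as: sh thisscript.sh --scan
case "${1:-}" in
    --scan) check_installed_drivers ;;
esac
```

A driver reported as STALE is one whose build predates the DBI package that carried the Driver.xst change, which is exactly the situation the message describes: the include file on disk is fixed while the code actually linked into the driver is not. A driver that is newer than Driver.xst is not proven fixed either (it may have been built against an older DBI elsewhere), so treat the output as a to-do list for rebuilding, not as a proof of safety.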



More information about the ubuntu-hardened mailing list