Debian Bug report logs - #661536
libdbd-pg-perl: CVE-2012-1151: Format string vulnerabilities in server error parsing

version graph

Package: src:libdbd-pg-perl; Maintainer for src:libdbd-pg-perl is Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>;

Reported by: Dominic Hargreaves <dom@earth.li>

Date: Mon, 27 Feb 2012 21:33:01 UTC

Severity: grave

Tags: patch, security

Found in versions libdbd-pg-perl/2.18.1-1, libdbd-pg-perl/2.17.1-2

Fixed in versions libdbd-pg-perl/2.17.1-2+squeeze1, libdbd-pg-perl/2.19.0-1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://rt.cpan.org/Public/Bug/Display.html?id=75642

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#661536; Package src:libdbd-pg-perl. (Mon, 27 Feb 2012 21:33:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
New Bug report received and forwarded. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 27 Feb 2012 21:33:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: submit@bugs.debian.org
Subject: libdbd-pg-perl: FTBFS with hardening flags enabled: -Werror=format-security
Date: Mon, 27 Feb 2012 21:31:31 +0000
Source: libdbd-pg-perl
Severity: normal
Version: 2.18.1-1

With hardening flags enabled, this package FTBFS:

dbdimp.c: In function 'pg_warn':
dbdimp.c:331:4: error: format not a string literal and no format arguments [-Werror=format-security]
dbdimp.c: In function 'pg_st_prepare':
dbdimp.c:1534:4: error: format not a string literal and no format arguments [-Werror=format-security]
cc1: some warnings being treated as errors

(this is the first error of this type seen: it's possible that there
could be others once this is fixed).

A likely fix is to change croak(var) to croak("%s", var)[1], or similar.

Note that I haven't verified whether an externally-controlled string is
used; if so, it would be appropriate to upgrade this bug RC severity
with the security tag[2].

This was found during testing of perl 5.14.2-8 in experimental; however,
since that version was prepared, it has been decided not to export
those build flags in Config_heay.pl. Nevertheless, it is likely that at
some point, either in debhelper 9 or 10, the hardening flags will be
enabled for all perl modules.

Thanks,
Dominic.

[1] <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657853#92>
[2] <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657853#117>

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#661536; Package src:libdbd-pg-perl. (Fri, 09 Mar 2012 06:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 09 Mar 2012 06:36:04 GMT) Full text and rfc822 format available.

Message #10 received at 661536@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: Dominic Hargreaves <dom@earth.li>, 661536@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#661536: libdbd-pg-perl: FTBFS with hardening flags enabled: -Werror=format-security
Date: Fri, 9 Mar 2012 08:33:32 +0200
[Message part 1 (text/plain, inline)]
forwarded 661536 https://rt.cpan.org/Public/Bug/Display.html?id=75642
severity 661536 grave
tag 661536 security patch
found 661536 2.17.1-2
thanks

On Mon, Feb 27, 2012 at 09:31:31PM +0000, Dominic Hargreaves wrote:
> Source: libdbd-pg-perl
> Severity: normal
> Version: 2.18.1-1
> 
> With hardening flags enabled, this package FTBFS:
> 
> dbdimp.c: In function 'pg_warn':
> dbdimp.c:331:4: error: format not a string literal and no format arguments [-Werror=format-security]
> dbdimp.c: In function 'pg_st_prepare':
> dbdimp.c:1534:4: error: format not a string literal and no format arguments [-Werror=format-security]
> cc1: some warnings being treated as errors

These format strings can be injected by a malicious server,
so raising the severity. A DSA will be issued for squeeze.

I've just notified upstream via the RT ticket. Could somebody from the
pkg-perl team (I believe Dominic already volunteered) please prepare
updated packages (built with -sa for stable-security as this is new
there)?  Trivial patch attached.
-- 
Niko Tyni   ntyni@debian.org
[0001-Explicitly-warn-and-croak-with-controlled-format-str.patch (text/x-diff, attachment)]

Set Bug forwarded-to-address to 'https://rt.cpan.org/Public/Bug/Display.html?id=75642'. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Fri, 09 Mar 2012 06:36:05 GMT) Full text and rfc822 format available.

Severity set to 'grave' from 'normal' Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Fri, 09 Mar 2012 06:36:06 GMT) Full text and rfc822 format available.

Added tag(s) security and patch. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Fri, 09 Mar 2012 06:36:07 GMT) Full text and rfc822 format available.

Bug Marked as found in versions libdbd-pg-perl/2.17.1-2. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Fri, 09 Mar 2012 06:36:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#661536; Package src:libdbd-pg-perl. (Sat, 10 Mar 2012 07:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Sat, 10 Mar 2012 07:09:04 GMT) Full text and rfc822 format available.

Message #23 received at 661536@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: Dominic Hargreaves <dom@earth.li>, 661536@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#661536: libdbd-pg-perl: FTBFS with hardening flags enabled: -Werror=format-security
Date: Sat, 10 Mar 2012 09:07:56 +0200
retitle 661536 libdbd-pg-perl: CVE-2012-1151: Format string vulnerabilities in server error parsing
thanks

On Fri, Mar 09, 2012 at 08:33:32AM +0200, Niko Tyni wrote:
> forwarded 661536 https://rt.cpan.org/Public/Bug/Display.html?id=75642
> severity 661536 grave
> tag 661536 security patch
> found 661536 2.17.1-2
> thanks
> 
> On Mon, Feb 27, 2012 at 09:31:31PM +0000, Dominic Hargreaves wrote:
> > Source: libdbd-pg-perl
> > Severity: normal
> > Version: 2.18.1-1
> > 
> > With hardening flags enabled, this package FTBFS:
 
> These format strings can be injected by a malicious server,
> so raising the severity. A DSA will be issued for squeeze.

This is CVE-2012-1151.

http://seclists.org/oss-sec/2012/q1/609
-- 
Niko Tyni   ntyni@debian.org




Changed Bug title to 'libdbd-pg-perl: CVE-2012-1151: Format string vulnerabilities in server error parsing' from 'libdbd-pg-perl: FTBFS with hardening flags enabled: -Werror=format-security' Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Sat, 10 Mar 2012 07:09:10 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#661536; Package src:libdbd-pg-perl. (Sat, 10 Mar 2012 09:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Sat, 10 Mar 2012 09:51:06 GMT) Full text and rfc822 format available.

Message #30 received at 661536@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 661536@bugs.debian.org
Subject: Upload ready
Date: Sat, 10 Mar 2012 10:47:44 +0100
[Message part 1 (text/plain, inline)]
Hi

Ok. I have prepared a fix for stable and the upload for unstable. But it is
not yet pushed to git.

Regards
Salvatore
[Message part 2 (text/html, inline)]

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 10 Mar 2012 13:06:06 GMT) Full text and rfc822 format available.

Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Sat, 10 Mar 2012 13:06:08 GMT) Full text and rfc822 format available.

Message #35 received at 661536-close@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 661536-close@bugs.debian.org
Subject: Bug#661536: fixed in libdbd-pg-perl 2.19.0-1
Date: Sat, 10 Mar 2012 13:03:29 +0000
Source: libdbd-pg-perl
Source-Version: 2.19.0-1

We believe that the bug you reported is fixed in the latest version of
libdbd-pg-perl, which is due to be installed in the Debian FTP archive:

libdbd-pg-perl_2.19.0-1.debian.tar.gz
  to main/libd/libdbd-pg-perl/libdbd-pg-perl_2.19.0-1.debian.tar.gz
libdbd-pg-perl_2.19.0-1.dsc
  to main/libd/libdbd-pg-perl/libdbd-pg-perl_2.19.0-1.dsc
libdbd-pg-perl_2.19.0-1_amd64.deb
  to main/libd/libdbd-pg-perl/libdbd-pg-perl_2.19.0-1_amd64.deb
libdbd-pg-perl_2.19.0.orig.tar.gz
  to main/libd/libdbd-pg-perl/libdbd-pg-perl_2.19.0.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 661536@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libdbd-pg-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 10 Mar 2012 10:16:46 +0100
Source: libdbd-pg-perl
Binary: libdbd-pg-perl
Architecture: source amd64
Version: 2.19.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libdbd-pg-perl - Perl DBI driver for the PostgreSQL database server
Closes: 661536
Changes: 
 libdbd-pg-perl (2.19.0-1) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Ansgar Burchardt ]
   * debian/control: Convert Vcs-* fields to Git.
 .
   [ gregor herrmann ]
   * Remove debian/source/local-options; abort-on-upstream-changes and
     unapply-patches are default in dpkg-source since 1.16.1.
 .
   [ Salvatore Bonaccorso ]
   * Imported Upstream version 2.19.0
     + [SECURITY] CVE-2012-1151. Explicitly warn and croak with controlled
       format strings. (Closes: #661536).
   * Update debian/copyright information.
     Update format to copyright-format 1.0 as released together with Debian
     Policy 3.9.3.
     Update copyright years for upstream files.
   * Bump Debhelper compat level to 9.
     Adjust Build-Depends on debhelper to (>= 9).
   * Bump Standards-Version to 3.9.3
Checksums-Sha1: 
 03166670a3f41172768ad537d96e268c468f3cfa 2301 libdbd-pg-perl_2.19.0-1.dsc
 5551ae75f05fcb5011129025f9512e896e8f467e 234913 libdbd-pg-perl_2.19.0.orig.tar.gz
 7b7bb718a8fb93cb68bc35875f9a09aa41018d96 9962 libdbd-pg-perl_2.19.0-1.debian.tar.gz
 29f96afed55e6e71a20653e43005856eb63714c3 226618 libdbd-pg-perl_2.19.0-1_amd64.deb
Checksums-Sha256: 
 f16022179db59e01d000d978faaf24e8221386b331599b1aae1b6e8519a7983b 2301 libdbd-pg-perl_2.19.0-1.dsc
 9323c258932aee53cb009cad65201e69545306ce7cd0dc10d50974536519da39 234913 libdbd-pg-perl_2.19.0.orig.tar.gz
 678155bc4aa6e4d25c15623383c03251b562b97611ab74a24eb74dbcde0a709e 9962 libdbd-pg-perl_2.19.0-1.debian.tar.gz
 cf55a6a8c2925e9b8bba566c595199252b5db36696fd6753cca6d02d50aac24d 226618 libdbd-pg-perl_2.19.0-1_amd64.deb
Files: 
 129964ca0c757622a6de3dba1c066bc7 2301 perl optional libdbd-pg-perl_2.19.0-1.dsc
 835527686a1f91c50d1834e914d17094 234913 perl optional libdbd-pg-perl_2.19.0.orig.tar.gz
 f2fa83df929e5a1350f3e6f97d7932eb 9962 perl optional libdbd-pg-perl_2.19.0-1.debian.tar.gz
 7a73d5e0d284a651f42c0524ce09bab3 226618 perl optional libdbd-pg-perl_2.19.0-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJPW00VAAoJEHidbwV/2GP+Hp0P/3nPV7uQCNNB4WpGfwpm+K/V
glRuC9M94sDbeSnyv4L+fqB986bSrsqkviEQzRxcvuBkMremLdbOxydQqKNrLFhy
XBSoi0dxkM1mK9cvU+GmhzK8vaaKQwCBaqkdvn+KKvZeX/4WUtXbuyqeCSt2aMgL
EdWaL3aRGmiaFXvqlOMT+XivGemcSwcxBzexVqBkfZc5cz9v+GXUl7vRvHi2EmTg
RNkwdwfVnv1wzrTOZM8aZUs3XXFFDZ6z1rY3c+B4SlYhQ+YJ9PKl77iT43oH/j0P
J7L7kHaTmR2UYcG5fS00qTvYwypyfSigaAcJXdEShrU47gW7qqDAGew1DEzpKvxG
3mHR0H9719BAb3H5Z+r5pRbLOpfsIXrGzbpdSiwXs+8rMoG0sOzhVaaGd2OKqY9q
irRXHDf8fl2vwifcNOnMzaeHIv+HIPo537eyifc2NhJQ//ppV0Sz9loKk1m/+N37
Em2fTb7wXK1mlAYoEN4qHqi/TOA+tJbIpGC97MUETo+wyfNr3LlwJCLGtFohs2m7
/omxrkeBDdA49bPsQ11hGen/nHOVW+Ak1wGLmoUfzLRntWARQopkM9KQTSS6dPa5
knMZfN/KRHUCUaVSkV/+yDgl0ijAcnaPlPFuGuXI1C+Z0f6cXCANm76iuIdtGfhb
llnF20h3g3VmORcqJ03z
=LIrf
-----END PGP SIGNATURE-----





Bug Marked as fixed in versions libdbd-pg-perl/2.17.1-2+squeeze1. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Sun, 11 Mar 2012 10:51:12 GMT) Full text and rfc822 format available.

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 11 Mar 2012 23:51:08 GMT) Full text and rfc822 format available.

Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Sun, 11 Mar 2012 23:51:08 GMT) Full text and rfc822 format available.

Message #42 received at 661536-close@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 661536-close@bugs.debian.org
Subject: Bug#661536: fixed in libdbd-pg-perl 2.17.1-2+squeeze1
Date: Sun, 11 Mar 2012 23:47:09 +0000
Source: libdbd-pg-perl
Source-Version: 2.17.1-2+squeeze1

We believe that the bug you reported is fixed in the latest version of
libdbd-pg-perl, which is due to be installed in the Debian FTP archive:

libdbd-pg-perl_2.17.1-2+squeeze1.debian.tar.gz
  to main/libd/libdbd-pg-perl/libdbd-pg-perl_2.17.1-2+squeeze1.debian.tar.gz
libdbd-pg-perl_2.17.1-2+squeeze1.dsc
  to main/libd/libdbd-pg-perl/libdbd-pg-perl_2.17.1-2+squeeze1.dsc
libdbd-pg-perl_2.17.1-2+squeeze1_amd64.deb
  to main/libd/libdbd-pg-perl/libdbd-pg-perl_2.17.1-2+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 661536@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libdbd-pg-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 10 Mar 2012 09:38:13 +0100
Source: libdbd-pg-perl
Binary: libdbd-pg-perl
Architecture: source amd64
Version: 2.17.1-2+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libdbd-pg-perl - Perl DBI driver for the PostgreSQL database server
Closes: 661536
Changes: 
 libdbd-pg-perl (2.17.1-2+squeeze1) stable-security; urgency=high
 .
   * Add format-error.patch patch
     [SECURITY] CVE-2012-1151. Explicitly warn and croak with controlled
     format strings.
     Thanks to Niko Tyni <ntyni@debian.org> for the patch (Closes: #661536)
Checksums-Sha1: 
 9ab599ac289f6dc3327a04b193d4645e36518217 2421 libdbd-pg-perl_2.17.1-2+squeeze1.dsc
 9346e6937a1dcc27d7da6f8aeb3f897bd8b39332 231523 libdbd-pg-perl_2.17.1.orig.tar.gz
 a9238cf1c4b019b0985628a14ed76ace5b5798f0 9726 libdbd-pg-perl_2.17.1-2+squeeze1.debian.tar.gz
 5e4cb0901dfe9401c30c842eb596bbe0eb78e59c 226334 libdbd-pg-perl_2.17.1-2+squeeze1_amd64.deb
Checksums-Sha256: 
 c1e99715f2b49b6122aca64fe603dd305639804f26c4c7b78bf62dabb93376d8 2421 libdbd-pg-perl_2.17.1-2+squeeze1.dsc
 33dbcca1247a0784d9bcb4eaaf241835675e531ec4b7984f1f1b78016ac283fd 231523 libdbd-pg-perl_2.17.1.orig.tar.gz
 f6cdca0e175dc765f39be73ee817b8d3f7f938e0da2593e05b487d3d0d9c0632 9726 libdbd-pg-perl_2.17.1-2+squeeze1.debian.tar.gz
 cb9fbbe98d15750ee9d7cdf30cc1d9b2f51a527f3d01d159a3ba28ba5b608591 226334 libdbd-pg-perl_2.17.1-2+squeeze1_amd64.deb
Files: 
 9dfb255f1330fecf555da7a05e0da548 2421 perl optional libdbd-pg-perl_2.17.1-2+squeeze1.dsc
 96b24b29d876bbbcc7c194115917a2f0 231523 perl optional libdbd-pg-perl_2.17.1.orig.tar.gz
 928e773dd88a202ed41e128ab6c1cc7a 9726 perl optional libdbd-pg-perl_2.17.1-2+squeeze1.debian.tar.gz
 3e0acf7053fa6d2c228e37c778a0b64e 226334 perl optional libdbd-pg-perl_2.17.1-2+squeeze1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJPW1d4AAoJEHidbwV/2GP+yiIQALQ1+7DRXeEzsGMwu8UEZn4b
oMeAcBQCXq8UyYlRx1cWXhHkjCAVO6WnV3nrvQi/3/bU1DJhbphxJwn68Ra4HgNW
Prfy3y7Hf9on/cUnQThX9Xi5tZxMg29g4gB70XrIN/MRWu3rBG/gb+B6RuR1Vs7v
M5MzTripoZ5foGxomT2p0YIcNa8C0FZuHUtYuRFzOiTrg5OBk9C0T7Nz4LncLf2p
KREcpVQd8ES48WPkeDFQA9AjW/jOuB9x/CbiweIqHb+bwHvSbDNEa9FUQUDPjD5t
8cYP/JVPj5iHd4rkMAg5AE3VpwS5vk8711Q/G8kD8fpqPTYTqDtzbZ2IbfVkwfvc
+VNJTcxkKCrNvRpnbFmzZu0A8bTcM8cKsrJPJ/1CAb6Uh5R0DavxBB8W/6BuJT6c
YHDshUvIxgF15cmq1KPanqGPQIDdbmqv5+36OjBCCw9lGOgpHmU6sk0aU95tKNro
U8zs+phX+OEBp3tfCEvGIFp7gN3QgULS3BGANB3wqaewZ+lkWPLDhnwrnBtgJH6+
9RVqtLoNBp7MA0DXaU8Cxac4FZfVK68ZJ8/dTLBh28W0R/kvmYcENBNQ1UyZVR4K
qNTugiU/aSMp+VaLX4TfRLE0q7T6h6PVBcjyzfIangLEb2VLq7UtWjY78MeRh6zP
bU8J3vlkwl9/aWqoWLhC
=is0g
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 May 2012 07:40:08 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 21:09:20 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.