Source: libdbi-perl
Version: 1.649-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for libdbi-perl.

CVE-2026-14380[0]:
| DBI versions before 1.650 for Perl are vulnerable to code injection
| via caller-influenced Profile.  When a string is assigned to a DBI
| handle's Profile attribute, DBI splits it into path, package and
| arguments, and interpolates the package part in a string eval with
| no validation of the package name.  Any caller-influenced value that
| reaches the Profile attribute is therefore arbitrary Perl code
| execution, including calls to run system commands.  The Profile
| attribute can be set from three different sources that can carry
| untrusted data: the DBI_PROFILE environment variable, a direct
| attribute assignment, and a DSN driver-attribute clause
| dbi:Driver(Profile=>SPEC):db.  An attacker controlling any of those
| inputs runs arbitrary Perl in the host process. The strongest remote
| position is a network-exposed DBI::Gofer / DBI::ProxyServer whose
| per-request DSN reaches the Profile attribute, letting a client
| execute code on the broker host.


CVE-2026-14739[1]:
| DBI versions before 1.650 for Perl have a heap overflow when
| preparsing SQL statements with an extreme number of placeholders.
| The fix for CVE-2026-10879 did not allocate enough memory to handle
| approximately 1.2-million placeholders.  DBI version 1.650 sets a
| hard limit of 99,999 placeholders.


CVE-2026-14740[2]:
| DBI versions before 1.650 for Perl read one byte out-of-bounds in
| preparse when deleting an initial SQL comment.  The preparse method
| normalises SQL and removes comments. When the SQL starts with a
| comment line, the deletion of that line during normalisation led to
| an out-of-bounds read by one byte. The result is a fault on memory-
| hardened builds and nondeterministic newline retention on normal
| builds.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-14380
    https://www.cve.org/CVERecord?id=CVE-2026-14380
[1] https://security-tracker.debian.org/tracker/CVE-2026-14739
    https://www.cve.org/CVERecord?id=CVE-2026-14739
[2] https://security-tracker.debian.org/tracker/CVE-2026-14740
    https://www.cve.org/CVERecord?id=CVE-2026-14740

Regards,
Salvatore

Reply via email to