Re: [USN-4503-1] Perl DBI module vulnerability

2020-09-21 Thread pali
Hello Jonathan!

On Wednesday 16 September 2020 11:25:52 Jonathan Leffler wrote:
> I've not seen much (any?) traffic on this list recently.  Is this list
> still alive?
> 
> This message arrived from Canonical/Ubuntu about a fixed bug in DBI —
> numerous versions thereof (1.640, 1.634, 1.630, 1.616).
> 
> Is there a new release of DBI with the fix in place that I missed?
...
> Details:
> It was discovered that Perl DBI module incorrectly handled certain calls.
> An attacker could possibly use this issue to execute arbitrary code.
...
> References:
>   https://usn.ubuntu.com/4503-1
>   CVE-2020-14392
> 
> Package Information:
>   https://launchpad.net/ubuntu/+source/libdbi-perl/1.640-1ubuntu0.1

I looked at this page. There is a "diff from 1.640-1 (in Debian) to
1.640-1ubuntu0.1" button which shows the diff of what was introduced in
that updated Ubuntu DBI version. Link to that diff file:

http://launchpadlibrarian.net/497664016/libdbi-perl_1.640-1_1.640-1ubuntu0.1.diff.gz

And... I'm terrified by these things:

1) It is originally my code, backported from this commit:

https://github.com/perl5-dbi/dbi/commit/ea99b6aafb437db53c28fd40d5eafbe119cd66e1

And from the Ubuntu description it can be seen that it fixes some
security issue which even got assigned a CVE. IIRC I was not able to
trigger that issue without modifying the source code of DBD drivers. I
was only able to assign "undef" to $_ aliased in a foreach loop, and only
under specific conditions and with a specially modified DBD::ODBC driver.
So somebody in Ubuntu was able to and was too lazy to ask me or inform
me?? Strange.

2) In the description of my change (which is in the above linked Ubuntu
diff) it is written that the same problem is in Perl's Encode module,
with a link to the fix for the Encode module AND, importantly, also a
reproducer for how to smash the C stack from pure perl code
(= reproducer for that issue).

https://github.com/dankogai/p5-encode/commit/31b34fcc0be8c359994f136e7c504e32fb26fbce

Why has Ubuntu not assigned a CVE for the above Encode issue and not
backported the fix for it? It is the same issue, with one difference:
there is already code which can 100% trigger it.

3) That Ubuntu fix is INCOMPLETE, does nothing and is basically useless.
It does *NOT* fix the issue which Ubuntu described in that USN or in the
CVE description.

If you look at the code in that diff, it changes just the C include file
Driver.xst. It does not affect, nor fix, any compiled DBD driver.

So to apply that fix you first need to update that DBI include file
Driver.xst and then recompile every DBD driver, as DBD drivers during
compilation create a private copy of Driver.xst and compile it.

This is how DBI and DBD drivers are built, and after updating the DBI
Driver.xst file it is required to recompile every DBD driver. Otherwise
nothing would be changed.


So the result is that the updated Ubuntu packages do not fix the issue
which they describe in the USN and CVE.

Feel free to report a new security issue to Ubuntu...
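
One way to check, on a given host, which compiled DBD drivers still need the
rebuild that the message above describes. This is an added example, not code
from the thread or from DBI itself. It assumes the layout DBI normally
installs (auto/DBI/Driver.xst next to the drivers' auto/DBD/<Name>/<Name>.so
under one perl arch directory), that a distro package lands in perl's
$Config{vendorarch}, and that an older mtime on a driver's .so than on
Driver.xst means the driver was built against the old copy; the function
names and the mtime heuristic are mine.

```shell
#!/bin/sh
# Added example (not from the thread, not DBI's own code): list compiled DBD
# drivers whose shared object predates the installed DBI Driver.xst, i.e. the
# drivers that still carry their private copy of the old Driver.xst and need
# a rebuild.  Assumed layout under ROOT (standard for DBI installs):
#   ROOT/auto/DBI/Driver.xst          installed by DBI
#   ROOT/auto/DBD/<Name>/<Name>.so    one per compiled DBD driver
# The mtime comparison is a heuristic: files unpacked from a .deb keep the
# package build time, so a hit means "built before this Driver.xst", which is
# the condition that matters here, not proof of which Driver.xst went in.
# Paths are assumed to contain no whitespace (true for perl lib dirs).

# stale_dbd_drivers ROOT
#   Prints "STALE <path>" for every DBD .so that is not newer than
#   ROOT/auto/DBI/Driver.xst.
#   Returns 0 if nothing is stale, 1 if at least one driver is, 2 if no
#   Driver.xst was found under ROOT.
stale_dbd_drivers() {
    root=$1
    xst="$root/auto/DBI/Driver.xst"
    if [ ! -f "$xst" ]; then
        echo "no Driver.xst under $root (is DBI installed there?)" >&2
        return 2
    fi
    stale=0
    # '! -newer' also reports equal mtimes; a driver rebuilt against the new
    # header would be strictly newer, so treating equal as stale is the safe side.
    for so in $(find "$root/auto/DBD" -name '*.so' ! -newer "$xst" 2>/dev/null | sort); do
        echo "STALE $so"
        stale=1
    done
    return $stale
}

# count_dbd_drivers ROOT
#   Number of compiled DBD drivers under ROOT, stale or not (useful to see
#   that the check actually found the drivers it was supposed to inspect).
count_dbd_drivers() {
    find "$1/auto/DBD" -name '*.so' 2>/dev/null | wc -l | tr -d ' '
}

# Stand-alone use: "sh check_dbd_rebuild.sh --run".  Assumption: a distro
# package installs DBI into perl's vendorarch directory; for a CPAN/site
# install ask for $Config{sitearch} instead.
if [ "${1:-}" = "--run" ]; then
    root=$(perl -MConfig -e 'print $Config{vendorarch}')
    echo "checking $(count_dbd_drivers "$root") DBD driver(s) under $root"
    stale_dbd_drivers "$root"
fi
```

On a Debian or Ubuntu host, `dpkg -S` on each path printed as STALE names the
package (libdbd-odbc-perl, libdbd-pg-perl, ...) that would have to be rebuilt
against the updated Driver.xst; a driver built locally with `make install`
simply needs `make clean && make install` again. An empty result is only as
good as the mtime heuristic: if in doubt, rebuild every DBD driver, as the
message above says.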


Re: [USN-4503-1] Perl DBI module vulnerability

2020-09-17 Thread Jonathan Leffler
Ok, thanks, Tim.

On Thu, Sep 17, 2020 at 11:11 Tim Bunce wrote:

> > I've not seen much (any?) traffic on this list recently.  Is this list
> > still alive?
>
> The DBI is very, um, stable.
>
> > Is there a new release of DBI with the fix in place that I missed?
>
> Yes, 1.643. It's not made very clear though.
>
> CVE-2020-14392 says
> "An untrusted pointer dereference flaw was found in Perl-DBI < 1.643" (note
> the "<")
>
> The changes for the 1.643
> release include several fixes from Pali and Petr. (Thanks!)
>
> Tim.
>
> > On 16 Sep 2020, at 18:25, Jonathan Leffler wrote:
> >
> > I've not seen much (any?) traffic on this list recently.  Is this list
> > still alive?
> >
> > This message arrived from Canonical/Ubuntu about a fixed bug in DBI —
> > numerous versions thereof (1.640, 1.634, 1.630, 1.616).
> >
> > Is there a new release of DBI with the fix in place that I missed?
> >
> >
> > -- Forwarded message -
> > From: Leonidas S. Barbosa
> > Date: Wed, Sep 16, 2020 at 8:15 AM
> > Subject: [USN-4503-1] Perl DBI module vulnerability
> > To:
> >
> >
> > ==
> > Ubuntu Security Notice USN-4503-1
> > September 16, 2020
> >
> > libdbi-perl vulnerability
> > ==
> >
> > A security issue affects these releases of Ubuntu and its derivatives:
> >
> > - Ubuntu 18.04 LTS
> > - Ubuntu 16.04 LTS
> > - Ubuntu 14.04 ESM
> > - Ubuntu 12.04 ESM
> >
> > Summary:
> >
> > Perl DBI module could be made to execute arbitrary code if it received a
> > specially manipulated call.
> >
> > Software Description:
> > - libdbi-perl: Perl Database Interface (DBI)
> >
> > Details:
> >
> > It was discovered that Perl DBI module incorrectly handled certain calls.
> > An attacker could possibly use this issue to execute arbitrary code.
> >
> > Update instructions:
> >
> > The problem can be corrected by updating your system to the following
> > package versions:
> >
> > Ubuntu 18.04 LTS:
> >   libdbi-perl 1.640-1ubuntu0.1
> >
> > Ubuntu 16.04 LTS:
> >   libdbi-perl 1.634-1ubuntu0.1
> >
> > Ubuntu 14.04 ESM:
> >   libdbi-perl 1.630-1ubuntu0.1~esm1
> >
> > Ubuntu 12.04 ESM:
> >   libdbi-perl 1.616-1ubuntu0.1
> >
> > In general, a standard system update will make all the necessary changes.
> >
> > References:
> >   https://usn.ubuntu.com/4503-1
> >   CVE-2020-14392
> >
> > Package Information:
> >   https://launchpad.net/ubuntu/+source/libdbi-perl/1.640-1ubuntu0.1
> >   https://launchpad.net/ubuntu/+source/libdbi-perl/1.634-1ubuntu0.1
> >
> > --
> > ubuntu-security-announce mailing list
> > ubuntu-security-annou...@lists.ubuntu.com
> > Modify settings or unsubscribe at:
> > https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
> >
> >
> > --
> > Jonathan Leffler   #include 
> > Guardian of DBD::Informix - v2018.1031 - http://dbi.perl.org
> > "Blessed are we who can laugh at ourselves, for we shall never cease to be
> > amused."
>

--
Jonathan Leffler   #include 
Guardian of DBD::Informix - v2018.1031 - http://dbi.perl.org
"Blessed are we who can laugh at ourselves, for we shall never cease to be
amused."


Re: [USN-4503-1] Perl DBI module vulnerability

2020-09-17 Thread Tim Bunce
> I've not seen much (any?) traffic on this list recently.  Is this list still 
> alive?

The DBI is very, um, stable.

> Is there a new release of DBI with the fix in place that I missed?

Yes, 1.643. It's not made very clear though.

CVE-2020-14392 says "An untrusted pointer dereference flaw was found in
Perl-DBI < 1.643" (note the "<")

The changes for the 1.643 release include several fixes from Pali and Petr.
(Thanks!)

Tim.

> On 16 Sep 2020, at 18:25, Jonathan Leffler wrote:
> 
> I've not seen much (any?) traffic on this list recently.  Is this list still 
> alive?
> 
> This message arrived from Canonical/Ubuntu about a fixed bug in DBI — 
> numerous versions thereof (1.640, 1.634, 1.630, 1.616).
> 
> Is there a new release of DBI with the fix in place that I missed?
> 
> 
> -- Forwarded message -
> From: Leonidas S. Barbosa
> Date: Wed, Sep 16, 2020 at 8:15 AM
> Subject: [USN-4503-1] Perl DBI module vulnerability
> To:
> 
> 
> ==
> Ubuntu Security Notice USN-4503-1
> September 16, 2020
> 
> libdbi-perl vulnerability
> ==
> 
> A security issue affects these releases of Ubuntu and its derivatives:
> 
> - Ubuntu 18.04 LTS
> - Ubuntu 16.04 LTS
> - Ubuntu 14.04 ESM
> - Ubuntu 12.04 ESM
> 
> Summary:
> 
> Perl DBI module could be made to execute arbitrary code if it received a
> specially manipulated call.
> 
> Software Description:
> - libdbi-perl: Perl Database Interface (DBI)
> 
> Details:
> 
> It was discovered that Perl DBI module incorrectly handled certain calls.
> An attacker could possibly use this issue to execute arbitrary code.
> 
> Update instructions:
> 
> The problem can be corrected by updating your system to the following
> package versions:
> 
> Ubuntu 18.04 LTS:
>   libdbi-perl 1.640-1ubuntu0.1
> 
> Ubuntu 16.04 LTS:
>   libdbi-perl 1.634-1ubuntu0.1
> 
> Ubuntu 14.04 ESM:
>   libdbi-perl 1.630-1ubuntu0.1~esm1
> 
> Ubuntu 12.04 ESM:
>   libdbi-perl 1.616-1ubuntu0.1
> 
> In general, a standard system update will make all the necessary changes.
> 
> References:
>   https://usn.ubuntu.com/4503-1 
>   CVE-2020-14392
> 
> Package Information:
>   https://launchpad.net/ubuntu/+source/libdbi-perl/1.640-1ubuntu0.1 
> 
>   https://launchpad.net/ubuntu/+source/libdbi-perl/1.634-1ubuntu0.1 
> 
> -- 
> ubuntu-security-announce mailing list
> ubuntu-security-annou...@lists.ubuntu.com 
> 
> Modify settings or unsubscribe at: 
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce 
> 
> 
> 
> -- 
> Jonathan Leffler   #include 
> Guardian of DBD::Informix - v2018.1031 - http://dbi.perl.org
> 
> "Blessed are we who can laugh at ourselves, for we shall never cease to be 
> amused."
>