http://bugzilla.opensuse.org/show_bug.cgi?id=1002626

Bug ID: 1002626
Summary: CVE-2016-1246: Buffer overflow in DBD-mysql error reporting (Perl DBI module)
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.1
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: mikhail.kasimov@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Reference: http://seclists.org/oss-sec/2016/q4/13

=================================================
When reporting a variable bind error, DBD-mysql would try to construct the error message in a fixed-size buffer on the stack, possibly leading to arbitrary code execution.

It depends on the application whether untrusted data is included in the error message.

-D_FORTIFY_SOURCE=2 would catch this and turn the issue into a mere crash.

Upstream commit:

<https://github.com/perl5-dbi/DBD-mysql/commit/7c164a0c86cec6ee95df1d141e67b0e85dfdefd2>

Upstream credits Pali Rohár with reporting and fixing this issue.

Here is what I used to validate the patch:

    use strict;
    use warnings;
    use DBI;

    my $dbh = DBI->connect("DBI:mysql:mysql:", "root", "",
                           { PrintError => 0, RaiseError => 1});
    $dbh->do('CREATE TEMPORARY TABLE t (i INTEGER NOT NULL)');
    $dbh->begin_work;
    my $st = $dbh->prepare('INSERT INTO t VALUES (?)');
    # Bind a 64-character non-numeric string as an integer parameter.
    $st->bind_param(1, 'X' x 64, DBI::SQL_INTEGER);
    $dbh->commit;
=================================================
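The bounded alternative to building an error message in a fixed-size stack buffer, shown as an added example that is not DBD-mysql's code or the upstream patch. The function name, the message text and the 64-byte buffer size are assumptions chosen for illustration; the sample value mirrors the 64-character bind value from the report.

```c
#include <stdio.h>
#include <string.h>

#define ERR_BUF_LEN 64  /* constructed size, not taken from DBD-mysql */

/*
 * Hypothetical helper: format a bind error into a caller-supplied buffer.
 * An unbounded sprintf() here would write past buf whenever the
 * caller-controlled value is longer than the space left after the fixed
 * text. snprintf() never writes more than buflen bytes and returns the
 * length the full message would have had, so truncation is detectable.
 * Returns 0 if the message fit, 1 if it was truncated, -1 on bad input.
 */
int format_bind_error(char *buf, size_t buflen, int param_idx,
                      const char *value)
{
    int n;

    if (buf == NULL || buflen < 4 || value == NULL)
        return -1;

    n = snprintf(buf, buflen,
                 "bind error: parameter %d value '%s' is not numeric",
                 param_idx, value);
    if (n < 0) {
        buf[0] = '\0';
        return -1;
    }
    if ((size_t)n >= buflen) {
        /* Mark the cut so log readers know the value was longer. */
        memcpy(buf + buflen - 4, "...", 4); /* copies the NUL too */
        return 1;
    }
    return 0;
}

static char demo_err[ERR_BUF_LEN];

/* Constructed input: a 64-character non-numeric value, as in the report. */
int demo_long_value(void)
{
    char value[65];

    memset(value, 'X', 64);
    value[64] = '\0';
    return format_bind_error(demo_err, sizeof demo_err, 1, value);
}
```
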