[ubuntu-hardened] Fwd: Re: [USN-4503-1] Perl DBI module vulnerability

Marc Deslauriers marc.deslauriers at canonical.com
Wed Oct 14 11:45:10 UTC 2020


Hi,

On 2020-10-03 5:39 a.m., pali at cpan.org wrote:
> FYI
> 
> ----- Forwarded message from pali at cpan.org -----
> 
> Hello Jonathan!
> 
> On Wednesday 16 September 2020 11:25:52 Jonathan Leffler wrote:
>> I've not seen much (any?) traffic on this list recently.  Is this list
>> still alive?
>>
>> This message arrived from Canonical/Ubuntu about a fixed bug in DBI —
>> numerous versions thereof (1.640, 1.634, 1.630, 1.616).
>>
>> Is there a new release of DBI with the fix in place that I missed?
> ...
>> Details:
>> It was discovered that Perl DBI module incorrectly handled certain calls.
>> An attacker could possibly use this issue to execute arbitrary code.
> ...
>> References:
>>   https://usn.ubuntu.com/4503-1
>>   CVE-2020-14392
>>
>> Package Information:
>>   https://launchpad.net/ubuntu/+source/libdbi-perl/1.640-1ubuntu0.1
> 
> I looked at this page. There is a "diff from 1.640-1 (in Debian) to
> 1.640-1ubuntu0.1" button which shows the diff that was introduced in that
> updated Ubuntu DBI version. Link to that diff file:
> 
> http://launchpadlibrarian.net/497664016/libdbi-perl_1.640-1_1.640-1ubuntu0.1.diff.gz
> 
> And... I'm terrified by these things:
> 
> 1) It is originally my code, backported from this commit:
> 
> https://github.com/perl5-dbi/dbi/commit/ea99b6aafb437db53c28fd40d5eafbe119cd66e1
> 
> And from the Ubuntu description it can be seen that it fixes some security
> issue which even got assigned a CVE. IIRC I was not able to trigger that
> issue without modifying the source code of DBD drivers. I was able only to
> assign "undef" to $_ aliased in a foreach loop, and only under specific
> conditions and with a specially modified DBD::ODBC driver. So somebody in
> Ubuntu was able to, and was too lazy to ask me or inform me?? Strange.

We did not assign the CVE for that issue. We plucked it out of Mitre's database,
and we used the same commit other distros used. Multiple distros have released
updates with that commit:

https://nvd.nist.gov/vuln/detail/CVE-2020-14392#vulnCurrentDescriptionTitle

> 
> 2) In the description of my change (which is in the above linked Ubuntu diff)
> it is written that the same problem is in Perl's Encode module, with a link to
> the fix for the Encode module AND, importantly, also a reproducer of how to
> smash the C stack from pure perl code (= reproducer for that issue).
> 
> https://github.com/dankogai/p5-encode/commit/31b34fcc0be8c359994f136e7c504e32fb26fbce
> 
> Why has Ubuntu not assigned a CVE for the above Encode issue and not
> backported the fix for it? It is the same issue, with the one difference
> that there is already code which can 100% trigger it.

We overlooked that one. Perhaps it should get assigned a new CVE?

> 
> 3) That Ubuntu fix is INCOMPLETE, does nothing and is basically useless.
> It does *NOT* fix the issue which Ubuntu described in that USN or in the
> CVE description.

So are you saying the original commit is incomplete to fix that particular CVE,
or that that particular CVE should be rejected?

> 
> If you look at the code in that diff, it changes just the C include file
> Driver.xst. It does not affect, nor fix, any compiled DBD driver.
> 
> So to apply that fix you first need to update that DBI include file
> Driver.xst and then recompile every DBD driver, as DBD drivers during
> compilation create a private copy of Driver.xst and compile it.
> 
> This is how DBI and DBD drivers are built, and after updating the DBI
> Driver.xst file it is required to recompile every DBD driver. Otherwise
> nothing would be changed.
> 
> 
> So the result is that the updated Ubuntu packages do not fix the issue
> which they describe in the USN and CVE.
> 

Thanks for the information.

Marc.


-- 
Marc Deslauriers
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/
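A check for the situation described in point 3 of the quoted message, as an added example that is not part of the thread or of DBI itself: it locates the installed DBI Driver.xst via DBI::DBD's dbd_dbi_arch_dir() and lists the compiled DBD shared objects found under auto/DBD in @INC, flagging any whose file is older than Driver.xst as needing a rebuild. Using file mtimes to judge which copy of Driver.xst a driver was compiled against is an assumption (a heuristic; distribution packaging can alter timestamps), so the output is a starting point for an inventory, not proof.

```perl
#!/usr/bin/perl
# Added example (not from the thread or from DBI): inventory installed XS DBD
# drivers and compare each shared object's mtime with DBI's Driver.xst.
# Assumption: a driver .so older than Driver.xst was compiled against the
# previous copy of the file and must be rebuilt for a Driver.xst fix to apply.
use strict;
use warnings;
use DBI::DBD qw(dbd_dbi_arch_dir);   # returns DBI's arch dir (holds Driver.xst)
use File::Find qw(find);
use File::Spec;

# Locate the Driver.xst that new DBD builds would copy and compile.
my $xst = File::Spec->catfile(dbd_dbi_arch_dir(), 'Driver.xst');
die "Driver.xst not found at $xst\n" unless -f $xst;
my $xst_mtime = (stat $xst)[9];
printf "DBI Driver.xst: %s (mtime %s)\n\n", $xst, scalar localtime $xst_mtime;

# Walk every auto/DBD directory on @INC; each XS driver has a .so (or
# .dll/.bundle on other platforms) there, built from its private Driver.xst copy.
my %seen;
for my $dir (@INC) {
    my $auto = File::Spec->catdir($dir, 'auto', 'DBD');
    next unless -d $auto;
    find(sub {
        return unless /\.(?:so|dll|bundle)\z/ && -f $_;
        my $so = $File::Find::name;
        return if $seen{$so}++;          # @INC may list the same dir twice
        my $mtime  = (stat $so)[9];
        my $status = $mtime < $xst_mtime
            ? 'OLDER than Driver.xst: rebuild needed (heuristic)'
            : 'newer than Driver.xst';
        printf "%-60s %s\n", $so, $status;
    }, $auto);
}
```

Drivers reported as older should be rebuilt (or their packages re-uploaded) against the updated DBI before the fix described in the USN can be considered in effect on that host.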
