| Summary: | perl-DBD-Firebird new security issue fixed upstream in 1.19 (CVE-2015-2788) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | mageia, shlomif, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/640168/ | | |
| Whiteboard: | MGA4-64-OK has_procedure MGA4-32-OK advisory | | |
| Source RPM: | perl-DBD-Firebird-1.180.0-5.mga5.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser 2015-03-30 14:00:34 CEST

David Walser 2015-03-30 14:00:45 CEST
CC: (none) => mageia

CVE-2015-2788 has been assigned: http://openwall.com/lists/oss-security/2015/03/30/10

Summary: perl-DBD-Firebird new security issue fixed upstream in 1.19 => perl-DBD-Firebird new security issue fixed upstream in 1.19 (CVE-2015-2788)

1.19 is waiting to be submitted into cauldron.

I'm not sure how to test this update. I checked that the patch was applied and the tests passed.

Updated packages in core/updates_testing:
========================
perl-DBD-Firebird-1.150.0-2.1.mga4

Source RPM: perl-DBD-Firebird-1.150.0-2.1.mga4.src.rpm

1.19 submitted successfully.

It would be nice if someone could help with the advisory.

Hardware: i586 => All

Thanks Sander!

Advisory:
========================

Updated perl-DBD-Firebird packages fix security vulnerability:

The DBD::Firebird perl module before 1.19 is vulnerable to buffer overflows in dbdimp.c (CVE-2015-2788).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2788
http://openwall.com/lists/oss-security/2015/03/30/10

Debian has issued an advisory for this on April 11:
https://www.debian.org/security/2015/dsa-3219

Advisory:
========================

Updated perl-DBD-Firebird packages fix security vulnerability:

Stefan Roas discovered a way to cause a buffer overflow in DBD::FireBird in certain error conditions, due to the use of the sprintf() function to write to a fixed-size memory buffer (CVE-2015-2788).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2788
https://www.debian.org/security/2015/dsa-3219

URL: (none) => http://lwn.net/Vulnerabilities/640168/

I tested this update using the procedure at https://bugs.mageia.org/show_bug.cgi?id=14726#c6 followed by running this Perl script before and after the upgrade to the package from core/updates_testing:

```perl
use strict;
use warnings;
use DBI;

# Connect to the Firebird 'employee' database with the default SYSDBA
# credentials; RaiseError makes any DBD::Firebird failure fatal instead
# of silently returning undef.
my $dbh = DBI->connect( 'dbi:Firebird:db=employee', 'SYSDBA', 'masterkey',
    { RaiseError => 1 } );

# Table 't' is expected to exist already (see the procedure referenced above).
my $sth = $dbh->prepare('SELECT * FROM t');
$sth->execute();

# Print every row the driver hands back.
while ( my $aref = $sth->fetchrow_arrayref ) {
    print "Got: @$aref\n";
}

$dbh->disconnect;
```

Everything was working fine. Tested on i586 and x86-64 VBox VMs.

CC: (none) => shlomif

Nice job Shlomi

Validating. Advisory uploaded. Please push to 4 updates

Thanks

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0159.html

Status: NEW => RESOLVED
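The advisory above attributes CVE-2015-2788 to sprintf() writing an error message into a fixed-size buffer. The program below is an added illustration of that bug class and of the usual fix; it is not the DBD::Firebird code, not the actual dbdimp.c change, and not taken from this bug report. The buffer size, the format string, the function names and the status code are assumptions chosen for the demonstration, and the long "server error text" is constructed by the harness. The unsafe variant is exercised inside a larger canary-filled allocation so the overrun is measurable without corrupting the process.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed message buffer. The size, the format string, the
 * function names and the status code below are assumptions for this
 * illustration; they are not the real dbdimp.c code. */
#define ERRBUF_SIZE 64

/* Vulnerable pattern: sprintf() does not know how big buf is, so an error
 * string longer than the author expected runs past the end of the buffer. */
void format_error_unsafe(char *buf, const char *where, long code, const char *detail)
{
    sprintf(buf, "%s failed (code %ld): %s", where, code, detail);
}

/* Hardened pattern: snprintf() bounds the write and NUL-terminates whenever
 * bufsize > 0. Its return value is the length the full message would have
 * had, which is the truncation check. Returns 1 if truncated, 0 if the
 * message fit, -1 on an encoding error. */
int format_error_safe(char *buf, size_t bufsize, const char *where, long code, const char *detail)
{
    int n = snprintf(buf, bufsize, "%s failed (code %ld): %s", where, code, detail);
    if (n < 0) {
        if (bufsize > 0)
            buf[0] = '\0';
        return -1;
    }
    return (size_t)n >= bufsize ? 1 : 0;
}

/* Harness: the "fixed" buffer is the first ERRBUF_SIZE bytes of a larger
 * canary-filled area, so an overrun stays inside memory we own and can be
 * counted. detail_len is capped so even the unsafe path stays inside area. */
#define CANARY_BYTES 256
#define CANARY 0xAA
#define MAX_DETAIL 200

struct run_result {
    size_t clobbered;  /* canary bytes past ERRBUF_SIZE that were overwritten */
    int truncated;     /* hardened path only: 1 if the message was cut short */
    size_t msg_len;    /* strlen() of what ended up in the buffer */
};

/* Constructed "server error text" of the requested length. */
static char *make_detail(size_t len)
{
    char *d;
    if (len > MAX_DETAIL)
        len = MAX_DETAIL;
    d = malloc(len + 1);
    if (d == NULL)
        abort();
    memset(d, 'A', len);
    d[len] = '\0';
    return d;
}

static size_t count_clobbered(const unsigned char *area)
{
    size_t count = 0;
    for (size_t i = ERRBUF_SIZE; i < ERRBUF_SIZE + CANARY_BYTES; i++)
        if (area[i] != CANARY)
            count++;
    return count;
}

struct run_result run_unsafe(size_t detail_len)
{
    unsigned char area[ERRBUF_SIZE + CANARY_BYTES];
    char *detail = make_detail(detail_len);
    struct run_result r = {0, 0, 0};

    memset(area, CANARY, sizeof area);
    format_error_unsafe((char *)area, "isc_dsql_execute", 123456789L, detail);
    r.clobbered = count_clobbered(area);
    r.msg_len = strlen((char *)area);
    free(detail);
    return r;
}

struct run_result run_safe(size_t detail_len)
{
    unsigned char area[ERRBUF_SIZE + CANARY_BYTES];
    char *detail = make_detail(detail_len);
    struct run_result r = {0, 0, 0};

    memset(area, CANARY, sizeof area);
    r.truncated = format_error_safe((char *)area, ERRBUF_SIZE, "isc_dsql_execute", 123456789L, detail);
    r.clobbered = count_clobbered(area);
    r.msg_len = strlen((char *)area);
    free(detail);
    return r;
}

int main(void)
{
    struct run_result u = run_unsafe(120), s = run_safe(120);
    printf("sprintf : %zu bytes written past the buffer, message length %zu\n", u.clobbered, u.msg_len);
    printf("snprintf: %zu bytes written past the buffer, message length %zu, truncated=%d\n",
           s.clobbered, s.msg_len, s.truncated);
    return 0;
}
```

With a 120-byte detail string the fixed prefix plus detail plus the terminating NUL is 163 bytes, so the sprintf() path writes 99 bytes past a 64-byte buffer while the snprintf() path stops at 63 characters and reports truncation; with a 10-byte detail both paths produce the same 52-character message and touch nothing beyond the buffer.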