| Summary: | perl-DBD-Pg new security issue CVE-2012-1151 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | jquelin, stormi-mageia, sysadmin-bugs, tmb |
| Version: | 1 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/486225/ | ||
| Whiteboard: | has_procedure MGA1-64-OK MGA1-32-OK | ||
| Source RPM: | perl-DBD-Pg-2.18.1-2.mga2.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2012-07-26 13:49:55 CEST
David Walser
2012-07-26 13:50:13 CEST
CC:
(none) =>
jquelin The version we have in Cauldron is not affected. Version:
Cauldron =>
2 This is already fixed in Mageia 2. Version:
2 =>
1 Patched package uploaded for Mageia 1. Advisory: ======================== Updated perl-DBD-Pg package fixes security vulnerability: Two format string flaws were found in the way perl-DBD-Pg. A rogue server could provide a specially-crafted database warning or specially-crafted DBD statement, which once processed by the perl-DBD-Pg interface would lead to perl-DBD-Pg based process crash (CVE-2012-1151). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1151 http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:112 ======================== Updated packages in core/updates_testing: ======================== perl-DBD-Pg-2.18.0-1.1.mga1 from perl-DBD-Pg-2.18.0-1.1.mga1.src.rpm Assignee:
bugsquad =>
qa-bugs
David Walser
2012-07-26 22:52:45 CEST
URL:
(none) =>
http://lwn.net/Vulnerabilities/486225/ thank you for taking time to do the update. i'm on vacation and do not look my mails on a regular basis. Just testing the package still works.
Testing complete on Mageia 1 64 bits using the following procedure. Jérôme, if you have any comment about the way I tested, please tell :)
--- Installation ---
urpmi perl-DBD-Pg --search-media "Updates Testing"
urpmi postgresql9.0 postgresql9.0-server
--- Create a test database ---
su -l postgres -c "psql"
postgres=# drop database if exists qatest;
postgres=# create database qatest;
CREATE DATABASE
postgres=# \c qatest;
You are now connected to database "qatest".
qatest=# create table qatest_table (id INT, caption VARCHAR);
CREATE TABLE
qatest=# \d qatest_table
Table "public.qatest_table"
Column | Type | Modifiers
---------+-------------------+-----------
id | integer |
caption | character varying |
qatest=# insert into qatest_table values (1, 'mageia'), (2, 'QA');
INSERT 0 2
qatest=# \q
--- Start perl in interactive debug mode to test DBI ---
perl -d -e 1
Then inside the debugger:
use DBI
$dbh = DBI->connect ( "dbi:Pg:dbname=qatest", "postgres", "")
print defined($dbh) #must print "1"
$sth = $dbh->prepare("SELECT * FROM qatest_table")
$sth->execute()
print $sth->fetchrow() #displays "1mageia"
print $sth->fetchrow() #displays "2QA"CC:
(none) =>
stormi
Samuel Verschelde
2012-07-28 17:38:43 CEST
Whiteboard:
(none) =>
has_procedure MGA1-64-OK Testing complete on Mageia 1 32 bits, and procedure added to the wiki: https://wiki.mageia.org/en/QA_procedure:Perl-dbd-pg Update validated. No linking required. Thanks! See comment #3 for advisory and packages. Keywords:
(none) =>
validated_update Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0187 Status:
NEW =>
RESOLVED |