From 8852c46ab789b5202b0c90579d43875305e39ba2f1e08bacccb08fabc6ff46ae Mon Sep 17 00:00:00 2001 From: Dirk Stoecker Date: Wed, 4 Nov 2020 13:46:39 +0000 Subject: [PATCH] Accepting request 845974 from home:pmonrealgonzalez:branches:devel:languages:perl - Security fix [bsc#1176492, CVE-2014-10401, CVE-2014-10402] * DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute in the data source name (DSN). - Add perl-DBI-CVE-2014-10402.patch OBS-URL: https://build.opensuse.org/request/show/845974 OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/perl-DBI?expand=0&rev=63 --- cpanspec.yml | 5 +- perl-DBI-CVE-2014-10402.patch | 257 ++++++++++++++++++++++++++++++++++ perl-DBI.changes | 9 ++ perl-DBI.spec | 8 +- 4 files changed, 274 insertions(+), 5 deletions(-) create mode 100644 perl-DBI-CVE-2014-10402.patch diff --git a/cpanspec.yml b/cpanspec.yml index 804281e..d949c62 100644 --- a/cpanspec.yml +++ b/cpanspec.yml @@ -3,9 +3,8 @@ #no_testing: broken upstream sources: - perl-DBI.rpmlintrc -#patches: -# foo.patch: -p1 -# bar.patch: +patches: + perl-DBI-CVE-2014-10402.patch: -p1 #preamble: |- # BuildRequires: gcc-c++ #post_prep: |- diff --git a/perl-DBI-CVE-2014-10402.patch b/perl-DBI-CVE-2014-10402.patch new file mode 100644 index 0000000..0e84257 --- /dev/null +++ b/perl-DBI-CVE-2014-10402.patch @@ -0,0 +1,257 @@ +From 32398bff24f054f4e9b48b97ecb70ce72267296c Mon Sep 17 00:00:00 2001 +From: Jens Rehsack +Date: Tue, 6 Oct 2020 06:50:37 +0200 +Subject: [PATCH 1/3] DBD/File,DBI/DBD/SqlEngine: bump copyright year + +Bump copyright years for both since there has been done work in meantime ... +including intended f_dir= fix for CVE-2014-10401 + +Signed-off-by: Jens Rehsack +--- + lib/DBD/File.pm | 4 ++-- + lib/DBI/DBD/SqlEngine.pm | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/lib/DBD/File.pm b/lib/DBD/File.pm +index dd4312b..fb14e9a 100644 +--- a/lib/DBD/File.pm ++++ b/lib/DBD/File.pm +@@ -9,7 +9,7 @@ + # + # The original author is Jochen Wiedmann. + # +-# Copyright (C) 2009-2013 by H.Merijn Brand & Jens Rehsack ++# Copyright (C) 2009-2020 by H.Merijn Brand & Jens Rehsack + # Copyright (C) 2004 by Jeff Zucker + # Copyright (C) 1998 by Jochen Wiedmann + # +@@ -1430,7 +1430,7 @@ The original author is Jochen Wiedmann. + + =head1 COPYRIGHT AND LICENSE + +- Copyright (C) 2009-2013 by H.Merijn Brand & Jens Rehsack ++ Copyright (C) 2009-2020 by H.Merijn Brand & Jens Rehsack + Copyright (C) 2004-2009 by Jeff Zucker + Copyright (C) 1998-2004 by Jochen Wiedmann + +diff --git a/lib/DBI/DBD/SqlEngine.pm b/lib/DBI/DBD/SqlEngine.pm +index fb755ab..8e933f7 100644 +--- a/lib/DBI/DBD/SqlEngine.pm ++++ b/lib/DBI/DBD/SqlEngine.pm +@@ -9,7 +9,7 @@ + # + # The original author is Jochen Wiedmann. + # +-# Copyright (C) 2009-2013 by H.Merijn Brand & Jens Rehsack ++# Copyright (C) 2009-2020 by H.Merijn Brand & Jens Rehsack + # Copyright (C) 2004 by Jeff Zucker + # Copyright (C) 1998 by Jochen Wiedmann + # +@@ -2216,7 +2216,7 @@ The original authors are Jochen Wiedmann and Jeff Zucker. + + =head1 COPYRIGHT AND LICENSE + +- Copyright (C) 2009-2013 by H.Merijn Brand & Jens Rehsack ++ Copyright (C) 2009-2020 by H.Merijn Brand & Jens Rehsack + Copyright (C) 2004-2009 by Jeff Zucker + Copyright (C) 1998-2004 by Jochen Wiedmann + + +From 27b10b5c3aacabc091046beaba478e671bb6111c Mon Sep 17 00:00:00 2001 +From: Jens Rehsack +Date: Tue, 6 Oct 2020 08:23:55 +0200 +Subject: [PATCH 2/3] t/51dbm_file.t: add test from RT#99508 + +Add test with f_dir="something-not-existing" as reported in RT#99508 +to verify when it's fixed for real. + +Signed-off-by: Jens Rehsack +--- + t/51dbm_file.t | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +diff --git a/t/51dbm_file.t b/t/51dbm_file.t +index d9824cf..686a3d2 100644 +--- a/t/51dbm_file.t ++++ b/t/51dbm_file.t +@@ -15,6 +15,27 @@ use DBI; + + do "./t/lib.pl"; + ++{ ++ # test issue reported in RT#99508 ++ my @msg; ++ eval { ++ local $SIG{__DIE__} = sub { push @msg, @_ }; ++ my $dbh = DBI->connect ("dbi:DBM:f_dir=./hopefully-doesnt-existst;sql_identifier_case=1;RaiseError=1"); ++ }; ++ like ("@msg", qr{.*hopefully-doesnt-existst.*}, "Cannot open from non-existing directory with attributes in DSN"); ++ ++ @msg = (); ++ eval { ++ local $SIG{__DIE__} = sub { push @msg, @_ }; ++ my $dbh = DBI->connect ("dbi:DBM:", , undef, undef, { ++ f_dir => "./hopefully-doesnt-existst", ++ sql_identifier_case => 1, ++ RaiseError => 1, ++ }); ++ }; ++ like ("@msg", qr{.*hopefully-doesnt-existst}, "Cannot open from non-existing directory with attributes in HASH"); ++} ++ + my $dir = test_dir(); + + my $dbh = DBI->connect( 'dbi:DBM:', undef, undef, { +@@ -23,6 +44,8 @@ my $dbh = DBI->connect( 'dbi:DBM:', undef, undef, { + } + ); + ++ok( $dbh, "Connect with driver attributes in hash" ); ++ + ok( $dbh->do(q/drop table if exists FRED/), 'drop table' ); + + my $dirfext = $^O eq 'VMS' ? '.sdbm_dir' : '.dir'; + +From 19d0fb169eed475e1c053e99036b8668625cfa94 Mon Sep 17 00:00:00 2001 +From: Jens Rehsack +Date: Tue, 6 Oct 2020 10:22:17 +0200 +Subject: [PATCH 3/3] lib/DBD/File.pm: fix CVE-2014-10401 + +Dig into the root cause of RT#99508 - which resulted in CVE-2014-10401 - and +figure out that DBI->parse_dsn is the wrong helper to parse our attributes in +DSN, since in DBD::dr::connect only the "dbname" remains from DSN which causes +parse_dsn to bailout. + +Parsing on our own similar to parse_dsn shows the way out. + +Signed-off-by: Jens Rehsack +--- + lib/DBD/File.pm | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/lib/DBD/File.pm b/lib/DBD/File.pm +index fb14e9a..f55076f 100644 +--- a/lib/DBD/File.pm ++++ b/lib/DBD/File.pm +@@ -109,7 +109,11 @@ sub connect + # We do not (yet) care about conflicting attributes here + # my $dbh = DBI->connect ("dbi:CSV:f_dir=test", undef, undef, { f_dir => "text" }); + # will test here that both test and text should exist +- if (my $attr_hash = (DBI->parse_dsn ($dbname))[3]) { ++ # ++ # Parsing on our own similar to parse_dsn to find attributes in 'dbname' parameter. ++ if ($dbname) { ++ my @attrs = split /;/ => $dbname; ++ my $attr_hash = { map { split /\s*=>?\s*|\s*,\s*/, $_} @attrs }; + if (defined $attr_hash->{f_dir} && ! -d $attr_hash->{f_dir}) { + my $msg = "No such directory '$attr_hash->{f_dir}"; + $drh->set_err (2, $msg); +@@ -120,7 +124,6 @@ sub connect + if ($attr and defined $attr->{f_dir} && ! -d $attr->{f_dir}) { + my $msg = "No such directory '$attr->{f_dir}"; + $drh->set_err (2, $msg); +- $attr->{RaiseError} and croak $msg; + return; + } + +From c71b64a678bcd708c7b75ee2bef5a360c836444c Mon Sep 17 00:00:00 2001 +From: "H.Merijn Brand - Tux" +Date: Wed, 28 Oct 2020 15:57:17 +0100 +Subject: [PATCH] Document the new behavior for f_dir + +These changes also warrant a version increase +--- + lib/DBD/File.pm | 5 +++++ + 3 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/lib/DBD/File.pm b/lib/DBD/File.pm +index baffefa..afbff26 100644 +--- a/lib/DBD/File.pm ++++ b/lib/DBD/File.pm +@@ -1062,6 +1062,11 @@ directory) when the dbh attribute is set. + + f_dir => "/data/foo/csv", + ++If C is set to a non-existing location, the connection will fail. ++See CVE-2014-10401 for reasoning. Because of this, folders to use cannot ++be created after the connection, but must exist before the connection is ++initiated. ++ + See L. + + =head4 f_dir_search +From 89f0d4cd38b83f0ee426a5fdf7d1ad5ea371c883 Mon Sep 17 00:00:00 2001 +From: "H.Merijn Brand - Tux" +Date: Wed, 28 Oct 2020 15:03:48 +0100 +Subject: [PATCH] Fix for empty attributes in DSN + +dbm_type=SDBM_File;dbm_mldbm=;f_lockfile=.lck' + ^ +would result in + +Odd number of elements in anonymous hash +--- + lib/DBD/File.pm | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/lib/DBD/File.pm b/lib/DBD/File.pm +index f55076f..baffefa 100644 +--- a/lib/DBD/File.pm ++++ b/lib/DBD/File.pm +@@ -112,8 +112,9 @@ sub connect + # + # Parsing on our own similar to parse_dsn to find attributes in 'dbname' parameter. + if ($dbname) { +- my @attrs = split /;/ => $dbname; +- my $attr_hash = { map { split /\s*=>?\s*|\s*,\s*/, $_} @attrs }; ++ my $attr_hash = { ++ map { (m/^\s* (\S+) \s*(?: =>? | , )\s* (\S*) \s*$/x) } ++ split m/;/ => $dbname }; + if (defined $attr_hash->{f_dir} && ! -d $attr_hash->{f_dir}) { + my $msg = "No such directory '$attr_hash->{f_dir}"; + $drh->set_err (2, $msg); +From 2eda0ec996d0a9357885acd442c72ac206adb7b3 Mon Sep 17 00:00:00 2001 +From: "H.Merijn Brand - Tux" +Date: Wed, 28 Oct 2020 15:09:01 +0100 +Subject: [PATCH] Catch warning + +--- + t/51dbm_file.t | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/t/51dbm_file.t b/t/51dbm_file.t +index 686a3d2..0ae910c 100644 +--- a/t/51dbm_file.t ++++ b/t/51dbm_file.t +@@ -18,21 +18,25 @@ do "./t/lib.pl"; + { + # test issue reported in RT#99508 + my @msg; +- eval { +- local $SIG{__DIE__} = sub { push @msg, @_ }; +- my $dbh = DBI->connect ("dbi:DBM:f_dir=./hopefully-doesnt-existst;sql_identifier_case=1;RaiseError=1"); ++ my $dbh = eval { ++ local $SIG{__WARN__} = sub { push @msg, @_ }; ++ local $SIG{__DIE__} = sub { push @msg, @_ }; ++ DBI->connect ("dbi:DBM:f_dir=./hopefully-doesnt-existst;sql_identifier_case=1;RaiseError=1"); + }; ++ is ($dbh, undef, "Connect failed"); + like ("@msg", qr{.*hopefully-doesnt-existst.*}, "Cannot open from non-existing directory with attributes in DSN"); + + @msg = (); +- eval { +- local $SIG{__DIE__} = sub { push @msg, @_ }; +- my $dbh = DBI->connect ("dbi:DBM:", , undef, undef, { ++ $dbh = eval { ++ local $SIG{__WARN__} = sub { push @msg, @_ }; ++ local $SIG{__DIE__} = sub { push @msg, @_ }; ++ DBI->connect ("dbi:DBM:", , undef, undef, { + f_dir => "./hopefully-doesnt-existst", + sql_identifier_case => 1, + RaiseError => 1, + }); + }; ++ is ($dbh, undef, "Connect failed"); + like ("@msg", qr{.*hopefully-doesnt-existst}, "Cannot open from non-existing directory with attributes in HASH"); + } + diff --git a/perl-DBI.changes b/perl-DBI.changes index 8628963..3dc8f03 100644 --- a/perl-DBI.changes +++ b/perl-DBI.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Tue Nov 3 16:29:26 UTC 2020 - Pedro Monreal + +- Security fix [bsc#1176492, CVE-2014-10401, CVE-2014-10402] + * DBD::File drivers can open files from folders other than those + specifically passed via the f_dir attribute in the data source + name (DSN). +- Add perl-DBI-CVE-2014-10402.patch + ------------------------------------------------------------------- Sat Feb 1 03:11:35 UTC 2020 - diff --git a/perl-DBI.spec b/perl-DBI.spec index a45be36..72c4253 100644 --- a/perl-DBI.spec +++ b/perl-DBI.spec @@ -1,7 +1,7 @@ # # spec file for package perl-DBI # -# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -23,10 +23,13 @@ Release: 0 Summary: Database independent interface for Perl License: Artistic-1.0 OR GPL-1.0-or-later Group: Development/Libraries/Perl -Url: https://metacpan.org/release/%{cpan_name} +URL: https://metacpan.org/release/%{cpan_name} Source0: https://cpan.metacpan.org/authors/id/T/TI/TIMB/%{cpan_name}-%{version}.tar.gz Source1: perl-DBI.rpmlintrc Source2: cpanspec.yml +# MANUAL BEGIN +Patch0: perl-DBI-CVE-2014-10402.patch +# MANUAL END BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: perl BuildRequires: perl-macros @@ -52,6 +55,7 @@ and perlboot. %prep %setup -q -n %{cpan_name}-%{version} +%patch0 -p1 find . -type f ! -path "*/t/*" ! -name "*.pl" ! -path "*/bin/*" ! -path "*/script/*" ! -name "configure" -print0 | xargs -0 chmod 644 %build