Backport patch to fix CVE-2014-10402.
|
|
CVE: CVE-2014-10402
|
Upstream-Status: Backport [https://github.com/rehsack/dbi/commit/19d0fb1]
|
|
Ref:
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972180#12
|
|
Signed-off-by: Kai Kang <kai.kang@windriver.com>
|
|
|
From 19d0fb169eed475e1c053e99036b8668625cfa94 Mon Sep 17 00:00:00 2001
|
From: Jens Rehsack <sno@netbsd.org>
|
Date: Tue, 6 Oct 2020 10:22:17 +0200
|
Subject: [PATCH] lib/DBD/File.pm: fix CVE-2014-10401
|
|
Dig into the root cause of RT#99508 - which resulted in CVE-2014-10401 - and
|
figure out that DBI->parse_dsn is the wrong helper to parse our attributes in
|
DSN, since in DBD::dr::connect only the "dbname" remains from DSN which causes
|
parse_dsn to bailout.
|
|
Parsing on our own similar to parse_dsn shows the way out.
|
|
Signed-off-by: Jens Rehsack <sno@netbsd.org>
|
---
|
lib/DBD/File.pm | 7 +++++--
|
1 file changed, 5 insertions(+), 2 deletions(-)
|
|
diff --git a/lib/DBD/File.pm b/lib/DBD/File.pm
|
index fb14e9a..f55076f 100644
|
--- a/lib/DBD/File.pm
|
+++ b/lib/DBD/File.pm
|
@@ -109,7 +109,11 @@ sub connect
|
# We do not (yet) care about conflicting attributes here
|
# my $dbh = DBI->connect ("dbi:CSV:f_dir=test", undef, undef, { f_dir => "text" });
|
# will test here that both test and text should exist
|
- if (my $attr_hash = (DBI->parse_dsn ($dbname))[3]) {
|
+ #
|
+ # Parsing on our own similar to parse_dsn to find attributes in 'dbname' parameter.
|
+ if ($dbname) {
|
+ my @attrs = split /;/ => $dbname;
|
+ my $attr_hash = { map { split /\s*=>?\s*|\s*,\s*/, $_} @attrs };
|
if (defined $attr_hash->{f_dir} && ! -d $attr_hash->{f_dir}) {
|
my $msg = "No such directory '$attr_hash->{f_dir}";
|
$drh->set_err (2, $msg);
|
@@ -120,7 +124,6 @@ sub connect
|
if ($attr and defined $attr->{f_dir} && ! -d $attr->{f_dir}) {
|
my $msg = "No such directory '$attr->{f_dir}";
|
$drh->set_err (2, $msg);
|
- $attr->{RaiseError} and croak $msg;
|
return;
|
}
|
|
--
|
2.17.1
|
