Fwd: Re: [USN-4503-1] Perl DBI module vulnerability


Fwd: Re: [USN-4503-1] Perl DBI module vulnerability

pali
FYI

----- Forwarded message from [hidden email] -----

Hello Jonathan!

On Wednesday 16 September 2020 11:25:52 Jonathan Leffler wrote:
> I've not seen much (any?) traffic on this list recently.  Is this list
> still alive?
>
> This message arrived from Canonical/Ubuntu about a fixed bug in DBI —
> numerous versions thereof (1.640, 1.634, 1.630, 1.616).
>
> Is there a new release of DBI with the fix in place that I missed?
...
> Details:
> It was discovered that Perl DBI module incorrectly handled certain calls.
> An attacker could possibly use this issue to execute arbitrary code.
...
> References:
>   https://usn.ubuntu.com/4503-1
>   CVE-2020-14392
>
> Package Information:
>   https://launchpad.net/ubuntu/+source/libdbi-perl/1.640-1ubuntu0.1

I looked at this page. There is a "diff from 1.640-1 (in Debian) to
1.640-1ubuntu0.1" button which shows the diff that was introduced in that
updated Ubuntu DBI version. Link to that diff file:

http://launchpadlibrarian.net/497664016/libdbi-perl_1.640-1_1.640-1ubuntu0.1.diff.gz

And... I'm terrified by these things:

1) It is originally my code, backported from this commit:

https://github.com/perl5-dbi/dbi/commit/ea99b6aafb437db53c28fd40d5eafbe119cd66e1

And from the Ubuntu description it can be seen that it fixes some security
issue which even got assigned a CVE. IIRC I was not able to trigger that
issue without modifying the source code of DBD drivers. I was able only to
assign "undef" to $_ aliased in a foreach loop, and only under specific
conditions and with a specially modified DBD::ODBC driver. So somebody in
Ubuntu was able and was too lazy to ask me or inform me?? Strange.

2) In the description of my change (which is in the above linked Ubuntu diff)
it is written that the same problem is in Perl's Encode module, with a link to
the fix for the Encode module AND, importantly, also a reproducer of how to
smash the C stack from pure Perl code (= reproducer for that issue).

https://github.com/dankogai/p5-encode/commit/31b34fcc0be8c359994f136e7c504e32fb26fbce

Why has Ubuntu not assigned a CVE for the above Encode issue and not
backported the fix for it? It is the same issue, with one difference: there
is already code which can 100% trigger it.

3) That Ubuntu fix is INCOMPLETE, does nothing and is basically useless.
It does *NOT* fix the issue which Ubuntu described in that USN or in the CVE
description.

If you look at the code in that diff, it changes just the C include file
Driver.xst. It does not affect, nor fix, any compiled DBD driver.

So to apply that fix you first need to update that DBI include file
Driver.xst and then recompile every single DBD driver, as DBD drivers
during compilation create a private copy of Driver.xst and compile it.

This is how DBI and DBD drivers are built, and after updating the DBI
Driver.xst file it is required to recompile every DBD driver. Otherwise
nothing would be changed.


So the result is that the updated Ubuntu packages do not fix the issue
which they describe in the USN and CVE.

Feel free to report a new security issue to Ubuntu...

----- End forwarded message -----

--
ubuntu-hardened mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
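An added check that follows from the point made above (it is not part of pali's message and not code from the DBI project): a DBD driver built before the Driver.xst update still embeds its own old copy of that file, so an administrator can list the compiled DBD shared objects whose modification time is not newer than DBI's installed Driver.xst. The script assumes the Driver.xst path and the DBD directory are passed in (on a Debian/Ubuntu system they sit under the Perl arch lib as auto/DBI/Driver.xst and auto/DBD/; the `perl -MDBI::DBD -e 'print DBI::DBD::dbd_dbi_arch_dir()'` call in the comment for locating the former is an assumption) and that package-installed files keep their build-time mtimes, which is a heuristic rather than proof.

```shell
#!/bin/sh
# Added example, not code from the thread or from DBI itself.
# Lists compiled DBD driver shared objects that are not newer than DBI's
# Driver.xst. Such a driver was built before the Driver.xst update and still
# carries its own (old) copy of that file, so it needs a rebuild.
# Assumptions: package-installed files keep their build-time mtimes, and
# drivers are installed as auto/DBD/<Name>/<Name>.so below the given directory.

stale_dbd_drivers() {
    xst=$1       # path to DBI's installed Driver.xst
    dbd_dir=$2   # directory under which the DBD::* shared objects live
    if [ ! -f "$xst" ]; then
        echo "Driver.xst not found: $xst" >&2
        return 2
    fi
    # '! -newer' selects files whose mtime is not later than Driver.xst's,
    # i.e. drivers compiled before (or at the same time as) the update.
    stale=$(find "$dbd_dir" -type f -name '*.so' ! -newer "$xst" | sort)
    if [ -n "$stale" ]; then
        printf '%s\n' "$stale"
        return 1    # at least one driver still needs recompiling
    fi
    return 0        # every compiled driver postdates Driver.xst
}

# Stand-alone usage on a real system (the DBI::DBD call is an assumption):
#   xst="$(perl -MDBI::DBD -e 'print DBI::DBD::dbd_dbi_arch_dir()')/Driver.xst"
#   stale_dbd_drivers "$xst" "$(dirname "$(dirname "$xst")")/DBD"
if [ "$#" -eq 2 ]; then
    stale_dbd_drivers "$1" "$2"
fi
```

The printed paths are the drivers whose packages still need a no-change rebuild against the updated Driver.xst; an empty list with exit status 0 is the only state in which the backported fix is actually active for every installed driver.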

Re: Fwd: Re: [USN-4503-1] Perl DBI module vulnerability

Marc Deslauriers
Hi,

On 2020-10-03 5:39 a.m., [hidden email] wrote:

> FYI
>
> ----- Forwarded message from [hidden email] -----
>
> Hello Jonathan!
>
> On Wednesday 16 September 2020 11:25:52 Jonathan Leffler wrote:
>> I've not seen much (any?) traffic on this list recently.  Is this list
>> still alive?
>>
>> This message arrived from Canonical/Ubuntu about a fixed bug in DBI —
>> numerous versions thereof (1.640, 1.634, 1.630, 1.616).
>>
>> Is there a new release of DBI with the fix in place that I missed?
> ...
>> Details:
>> It was discovered that Perl DBI module incorrectly handled certain calls.
>> An attacker could possibly use this issue to execute arbitrary code.
> ...
>> References:
>>   https://usn.ubuntu.com/4503-1
>>   CVE-2020-14392
>>
>> Package Information:
>>   https://launchpad.net/ubuntu/+source/libdbi-perl/1.640-1ubuntu0.1
>
> I looked at this page. There is a "diff from 1.640-1 (in Debian) to
> 1.640-1ubuntu0.1" button which shows the diff that was introduced in that
> updated Ubuntu DBI version. Link to that diff file:
>
> http://launchpadlibrarian.net/497664016/libdbi-perl_1.640-1_1.640-1ubuntu0.1.diff.gz
>
> And... I'm terrified by these things:
>
> 1) It is originally my code, backported from this commit:
>
> https://github.com/perl5-dbi/dbi/commit/ea99b6aafb437db53c28fd40d5eafbe119cd66e1
>
> And from the Ubuntu description it can be seen that it fixes some security
> issue which even got assigned a CVE. IIRC I was not able to trigger that
> issue without modifying the source code of DBD drivers. I was able only to
> assign "undef" to $_ aliased in a foreach loop, and only under specific
> conditions and with a specially modified DBD::ODBC driver. So somebody in
> Ubuntu was able and was too lazy to ask me or inform me?? Strange.

We did not assign the CVE for that issue. We plucked it out of Mitre's database,
and we used the same commit other distros used. Multiple distros have released
updates with that commit:

https://nvd.nist.gov/vuln/detail/CVE-2020-14392#vulnCurrentDescriptionTitle

>
> 2) In the description of my change (which is in the above linked Ubuntu diff)
> it is written that the same problem is in Perl's Encode module, with a link to
> the fix for the Encode module AND, importantly, also a reproducer of how to
> smash the C stack from pure Perl code (= reproducer for that issue).
>
> https://github.com/dankogai/p5-encode/commit/31b34fcc0be8c359994f136e7c504e32fb26fbce
>
> Why has Ubuntu not assigned a CVE for the above Encode issue and not
> backported the fix for it? It is the same issue, with one difference: there
> is already code which can 100% trigger it.

We overlooked that one. Perhaps it should get assigned a new CVE?

>
> 3) That Ubuntu fix is INCOMPLETE, does nothing and is basically useless.
> It does *NOT* fix the issue which Ubuntu described in that USN or in the CVE
> description.

So are you saying the original commit is incomplete to fix that particular CVE,
or that that particular CVE should be rejected?

>
> If you look at the code in that diff, it changes just the C include file
> Driver.xst. It does not affect, nor fix, any compiled DBD driver.
>
> So to apply that fix you first need to update that DBI include file
> Driver.xst and then recompile every single DBD driver, as DBD drivers
> during compilation create a private copy of Driver.xst and compile it.
>
> This is how DBI and DBD drivers are built, and after updating the DBI
> Driver.xst file it is required to recompile every DBD driver. Otherwise
> nothing would be changed.
>
>
> So the result is that the updated Ubuntu packages do not fix the issue
> which they describe in the USN and CVE.
>

Thanks for the information.

Marc.


--
Marc Deslauriers
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/


Re: Fwd: Re: [USN-4503-1] Perl DBI module vulnerability

pali
On Wednesday 14 October 2020 07:45:10 Marc Deslauriers wrote:
> > 3) That Ubuntu fix is INCOMPLETE, does nothing and is basically useless.
> > It does *NOT* fix the issue which Ubuntu described in that USN or in the CVE
> > description.
>
> So are you saying the original commit is incomplete to fix that particular CVE,
> or that that particular CVE should be rejected?

The original commit is complete. The Ubuntu patch is incomplete, look below:

> >
> > If you look at the code in that diff, it changes just the C include file
> > Driver.xst. It does not affect, nor fix, any compiled DBD driver.
> >
> > So to apply that fix you first need to update that DBI include file
> > Driver.xst and then recompile every single DBD driver, as DBD drivers
> > during compilation create a private copy of Driver.xst and compile it.
> >
> > This is how DBI and DBD drivers are built, and after updating the DBI
> > Driver.xst file it is required to recompile every DBD driver. Otherwise
> > nothing would be changed.
> >
> >
> > So the result is that the updated Ubuntu packages do not fix the issue
> > which they describe in the USN and CVE.
> >

You have not updated/recompiled any DBD driver, therefore you have not
fixed anything.
