File perl-DBI-CVE-2014-10402.patch of Package perl-DBI

Overview Repositories Revisions Requests Users Attributes Meta

File perl-DBI-CVE-2014-10402.patch of Package perl-DBI

From 32398bff24f054f4e9b48b97ecb70ce72267296c Mon Sep 17 00:00:00 2001
From: Jens Rehsack <sno@netbsd.org>
Date: Tue, 6 Oct 2020 06:50:37 +0200
Subject: [PATCH 1/3] DBD/File,DBI/DBD/SqlEngine: bump copyright year

Bump copyright years for both since there has been done work in meantime ...
including intended f_dir= fix for CVE-2014-10401

Signed-off-by: Jens Rehsack <sno@netbsd.org>
---
 lib/DBD/File.pm          | 4 ++--
 lib/DBI/DBD/SqlEngine.pm | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/DBD/File.pm b/lib/DBD/File.pm
index dd4312b..fb14e9a 100644
--- a/lib/DBD/File.pm
+++ b/lib/DBD/File.pm
@@ -9,7 +9,7 @@
 #
 #  The original author is Jochen Wiedmann.
 #
-#  Copyright (C) 2009-2013 by H.Merijn Brand & Jens Rehsack
+#  Copyright (C) 2009-2020 by H.Merijn Brand & Jens Rehsack
 #  Copyright (C) 2004 by Jeff Zucker
 #  Copyright (C) 1998 by Jochen Wiedmann
 #
@@ -1430,7 +1430,7 @@ The original author is Jochen Wiedmann.
 
 =head1 COPYRIGHT AND LICENSE
 
- Copyright (C) 2009-2013 by H.Merijn Brand & Jens Rehsack
+ Copyright (C) 2009-2020 by H.Merijn Brand & Jens Rehsack
  Copyright (C) 2004-2009 by Jeff Zucker
  Copyright (C) 1998-2004 by Jochen Wiedmann
 
diff --git a/lib/DBI/DBD/SqlEngine.pm b/lib/DBI/DBD/SqlEngine.pm
index fb755ab..8e933f7 100644
--- a/lib/DBI/DBD/SqlEngine.pm
+++ b/lib/DBI/DBD/SqlEngine.pm
@@ -9,7 +9,7 @@
 #
 #  The original author is Jochen Wiedmann.
 #
-#  Copyright (C) 2009-2013 by H.Merijn Brand & Jens Rehsack
+#  Copyright (C) 2009-2020 by H.Merijn Brand & Jens Rehsack
 #  Copyright (C) 2004 by Jeff Zucker
 #  Copyright (C) 1998 by Jochen Wiedmann
 #
@@ -2216,7 +2216,7 @@ The original authors are Jochen Wiedmann and Jeff Zucker.
 
 =head1 COPYRIGHT AND LICENSE
 
- Copyright (C) 2009-2013 by H.Merijn Brand & Jens Rehsack
+ Copyright (C) 2009-2020 by H.Merijn Brand & Jens Rehsack
  Copyright (C) 2004-2009 by Jeff Zucker
  Copyright (C) 1998-2004 by Jochen Wiedmann

From 27b10b5c3aacabc091046beaba478e671bb6111c Mon Sep 17 00:00:00 2001
From: Jens Rehsack <sno@netbsd.org>
Date: Tue, 6 Oct 2020 08:23:55 +0200
Subject: [PATCH 2/3] t/51dbm_file.t: add test from RT#99508

Add test with f_dir="something-not-existing" as reported in RT#99508
to verify when it's fixed for real.

Signed-off-by: Jens Rehsack <sno@netbsd.org>
---
 t/51dbm_file.t | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/t/51dbm_file.t b/t/51dbm_file.t
index d9824cf..686a3d2 100644
--- a/t/51dbm_file.t
+++ b/t/51dbm_file.t
@@ -15,6 +15,27 @@ use DBI;
 
 do "./t/lib.pl";
 
+{
+    # test issue reported in RT#99508
+    my @msg;
+    eval {
+	local $SIG{__DIE__} = sub { push @msg, @_ };
+	my $dbh = DBI->connect ("dbi:DBM:f_dir=./hopefully-doesnt-existst;sql_identifier_case=1;RaiseError=1");
+    };
+    like ("@msg", qr{.*hopefully-doesnt-existst.*}, "Cannot open from non-existing directory with attributes in DSN");
+
+    @msg = ();
+    eval {
+	local $SIG{__DIE__} = sub { push @msg, @_ };
+	my $dbh = DBI->connect ("dbi:DBM:", , undef, undef, {
+	    f_dir               => "./hopefully-doesnt-existst",
+	    sql_identifier_case => 1,
+	    RaiseError          => 1,
+	});
+    };
+    like ("@msg", qr{.*hopefully-doesnt-existst}, "Cannot open from non-existing directory with attributes in HASH");
+}
+
 my $dir = test_dir();
 
 my $dbh = DBI->connect( 'dbi:DBM:', undef, undef, {
@@ -23,6 +44,8 @@ my $dbh = DBI->connect( 'dbi:DBM:', undef, undef, {
     }
 );
 
+ok( $dbh, "Connect with driver attributes in hash" );
+
 ok( $dbh->do(q/drop table if exists FRED/), 'drop table' );
 
 my $dirfext = $^O eq 'VMS' ? '.sdbm_dir' : '.dir';

From 19d0fb169eed475e1c053e99036b8668625cfa94 Mon Sep 17 00:00:00 2001
From: Jens Rehsack <sno@netbsd.org>
Date: Tue, 6 Oct 2020 10:22:17 +0200
Subject: [PATCH 3/3] lib/DBD/File.pm: fix CVE-2014-10401

Dig into the root cause of RT#99508 - which resulted in CVE-2014-10401 - and
figure out that DBI->parse_dsn is the wrong helper to parse our attributes in
DSN, since in DBD::dr::connect only the "dbname" remains from DSN which causes
parse_dsn to bailout.

Parsing on our own similar to parse_dsn shows the way out.

Signed-off-by: Jens Rehsack <sno@netbsd.org>
---
 lib/DBD/File.pm | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/lib/DBD/File.pm b/lib/DBD/File.pm
index fb14e9a..f55076f 100644
--- a/lib/DBD/File.pm
+++ b/lib/DBD/File.pm
@@ -109,7 +109,11 @@ sub connect
     # We do not (yet) care about conflicting attributes here
     # my $dbh = DBI->connect ("dbi:CSV:f_dir=test", undef, undef, { f_dir => "text" });
     # will test here that both test and text should exist
-    if (my $attr_hash = (DBI->parse_dsn ($dbname))[3]) {
+    #
+    # Parsing on our own similar to parse_dsn to find attributes in 'dbname' parameter.
+    if ($dbname) {
+	my @attrs = split /;/ => $dbname;
+	my $attr_hash = { map { split /\s*=>?\s*|\s*,\s*/, $_} @attrs };
 	if (defined $attr_hash->{f_dir} && ! -d $attr_hash->{f_dir}) {
 	    my $msg = "No such directory '$attr_hash->{f_dir}";
 	    $drh->set_err (2, $msg);
@@ -120,7 +124,6 @@ sub connect
     if ($attr and defined $attr->{f_dir} && ! -d $attr->{f_dir}) {
 	my $msg = "No such directory '$attr->{f_dir}";
 	$drh->set_err (2, $msg);
-	$attr->{RaiseError} and croak $msg;
 	return;
 	}
 
From c71b64a678bcd708c7b75ee2bef5a360c836444c Mon Sep 17 00:00:00 2001
From: "H.Merijn Brand - Tux" <linux@tux.freedom.nl>
Date: Wed, 28 Oct 2020 15:57:17 +0100
Subject: [PATCH] Document the new behavior for f_dir

These changes also warrant a version increase
---
 lib/DBD/File.pm | 5 +++++
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/lib/DBD/File.pm b/lib/DBD/File.pm
index baffefa..afbff26 100644
--- a/lib/DBD/File.pm
+++ b/lib/DBD/File.pm
@@ -1062,6 +1062,11 @@ directory) when the dbh attribute is set.
 
   f_dir => "/data/foo/csv",
 
+If C<f_dir> is set to a non-existing location, the connection will fail.
+See CVE-2014-10401 for reasoning. Because of this, folders to use cannot
+be created after the connection, but must exist before the connection is
+initiated.
+
 See L<KNOWN BUGS AND LIMITATIONS>.
 
 =head4 f_dir_search
From 89f0d4cd38b83f0ee426a5fdf7d1ad5ea371c883 Mon Sep 17 00:00:00 2001
From: "H.Merijn Brand - Tux" <linux@tux.freedom.nl>
Date: Wed, 28 Oct 2020 15:03:48 +0100
Subject: [PATCH] Fix for empty attributes in DSN

dbm_type=SDBM_File;dbm_mldbm=;f_lockfile=.lck'
                             ^
would result in

Odd number of elements in anonymous hash
---
 lib/DBD/File.pm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/DBD/File.pm b/lib/DBD/File.pm
index f55076f..baffefa 100644
--- a/lib/DBD/File.pm
+++ b/lib/DBD/File.pm
@@ -112,8 +112,9 @@ sub connect
     #
     # Parsing on our own similar to parse_dsn to find attributes in 'dbname' parameter.
     if ($dbname) {
-	my @attrs = split /;/ => $dbname;
-	my $attr_hash = { map { split /\s*=>?\s*|\s*,\s*/, $_} @attrs };
+	my $attr_hash = {
+	    map { (m/^\s* (\S+) \s*(?: =>? | , )\s* (\S*) \s*$/x) }
+	    split m/;/ => $dbname };
 	if (defined $attr_hash->{f_dir} && ! -d $attr_hash->{f_dir}) {
 	    my $msg = "No such directory '$attr_hash->{f_dir}";
 	    $drh->set_err (2, $msg);
From 2eda0ec996d0a9357885acd442c72ac206adb7b3 Mon Sep 17 00:00:00 2001
From: "H.Merijn Brand - Tux" <linux@tux.freedom.nl>
Date: Wed, 28 Oct 2020 15:09:01 +0100
Subject: [PATCH] Catch warning

---
 t/51dbm_file.t | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/t/51dbm_file.t b/t/51dbm_file.t
index 686a3d2..0ae910c 100644
--- a/t/51dbm_file.t
+++ b/t/51dbm_file.t
@@ -18,21 +18,25 @@ do "./t/lib.pl";
 {
     # test issue reported in RT#99508
     my @msg;
-    eval {
-	local $SIG{__DIE__} = sub { push @msg, @_ };
-	my $dbh = DBI->connect ("dbi:DBM:f_dir=./hopefully-doesnt-existst;sql_identifier_case=1;RaiseError=1");
+    my $dbh = eval {
+	local $SIG{__WARN__} = sub { push @msg, @_ };
+	local $SIG{__DIE__}  = sub { push @msg, @_ };
+	DBI->connect ("dbi:DBM:f_dir=./hopefully-doesnt-existst;sql_identifier_case=1;RaiseError=1");
     };
+    is ($dbh, undef, "Connect failed");
     like ("@msg", qr{.*hopefully-doesnt-existst.*}, "Cannot open from non-existing directory with attributes in DSN");
 
     @msg = ();
-    eval {
-	local $SIG{__DIE__} = sub { push @msg, @_ };
-	my $dbh = DBI->connect ("dbi:DBM:", , undef, undef, {
+    $dbh = eval {
+	local $SIG{__WARN__} = sub { push @msg, @_ };
+	local $SIG{__DIE__}  = sub { push @msg, @_ };
+	DBI->connect ("dbi:DBM:", , undef, undef, {
 	    f_dir               => "./hopefully-doesnt-existst",
 	    sql_identifier_case => 1,
 	    RaiseError          => 1,
 	});
     };
+    is ($dbh, undef, "Connect failed");
     like ("@msg", qr{.*hopefully-doesnt-existst}, "Cannot open from non-existing directory with attributes in HASH");
 }

Places

File perl-DBI-CVE-2014-10402.patch of Package perl-DBI

Places