meta-openembedded/meta-oe/recipes-devtools/perl/libdbi-perl/CVE-2014-10402.patch - mdmillerii/openbmc - Gitiles

 Backport patch to fix CVE-2014-10402.

 CVE: CVE-2014-10402
 Upstream-Status: Backport [https://github.com/rehsack/dbi/commit/19d0fb1]

 Ref:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972180#12

 Signed-off-by: Kai Kang <kai.kang@windriver.com>


 From 19d0fb169eed475e1c053e99036b8668625cfa94 Mon Sep 17 00:00:00 2001
 From: Jens Rehsack <sno@netbsd.org>
 Date: Tue, 6 Oct 2020 10:22:17 +0200
 Subject: [PATCH] lib/DBD/File.pm: fix CVE-2014-10401

 Dig into the root cause of RT#99508 - which resulted in CVE-2014-10401 - and
 figure out that DBI->parse_dsn is the wrong helper to parse our attributes in
 DSN, since in DBD::dr::connect only the "dbname" remains from DSN which causes
 parse_dsn to bailout.

 Parsing on our own similar to parse_dsn shows the way out.

 Signed-off-by: Jens Rehsack <sno@netbsd.org>
 ---
  lib/DBD/File.pm | 7 +++++--
  1 file changed, 5 insertions(+), 2 deletions(-)

 diff --git a/lib/DBD/File.pm b/lib/DBD/File.pm
 index fb14e9a..f55076f 100644
 --- a/lib/DBD/File.pm
 +++ b/lib/DBD/File.pm
 @@ -109,7 +109,11 @@ sub connect
      # We do not (yet) care about conflicting attributes here
      # my $dbh = DBI->connect ("dbi:CSV:f_dir=test", undef, undef, { f_dir => "text" });
      # will test here that both test and text should exist
 -    if (my $attr_hash = (DBI->parse_dsn ($dbname))[3]) {
 +    #
 +    # Parsing on our own similar to parse_dsn to find attributes in 'dbname' parameter.
 +    if ($dbname) {
 +	my @attrs = split /;/ => $dbname;
 +	my $attr_hash = { map { split /\s*=>?\s*|\s*,\s*/, $_} @attrs };
  	if (defined $attr_hash->{f_dir} && ! -d $attr_hash->{f_dir}) {
  	    my $msg = "No such directory '$attr_hash->{f_dir}";
  	    $drh->set_err (2, $msg);
 @@ -120,7 +124,6 @@ sub connect
      if ($attr and defined $attr->{f_dir} && ! -d $attr->{f_dir}) {
  	my $msg = "No such directory '$attr->{f_dir}";
  	$drh->set_err (2, $msg);
 -	$attr->{RaiseError} and croak $msg;
  	return;
  	}

 --
 2.17.1
	Backport patch to fix CVE-2014-10402.

	CVE: CVE-2014-10402
	Upstream-Status: Backport [https://github.com/rehsack/dbi/commit/19d0fb1]

	Ref:
	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972180#12

	Signed-off-by: Kai Kang <kai.kang@windriver.com>


	From 19d0fb169eed475e1c053e99036b8668625cfa94 Mon Sep 17 00:00:00 2001
	From: Jens Rehsack <sno@netbsd.org>
	Date: Tue, 6 Oct 2020 10:22:17 +0200
	Subject: [PATCH] lib/DBD/File.pm: fix CVE-2014-10401

	Dig into the root cause of RT#99508 - which resulted in CVE-2014-10401 - and
	figure out that DBI->parse_dsn is the wrong helper to parse our attributes in
	DSN, since in DBD::dr::connect only the "dbname" remains from DSN which causes
	parse_dsn to bailout.

	Parsing on our own similar to parse_dsn shows the way out.

	Signed-off-by: Jens Rehsack <sno@netbsd.org>
	---
	lib/DBD/File.pm \| 7 +++++--
	1 file changed, 5 insertions(+), 2 deletions(-)

	diff --git a/lib/DBD/File.pm b/lib/DBD/File.pm
	index fb14e9a..f55076f 100644
	--- a/lib/DBD/File.pm
	+++ b/lib/DBD/File.pm
	@@ -109,7 +109,11 @@ sub connect
	# We do not (yet) care about conflicting attributes here
	# my $dbh = DBI->connect ("dbi:CSV:f_dir=test", undef, undef, { f_dir => "text" });
	# will test here that both test and text should exist
	- if (my $attr_hash = (DBI->parse_dsn ($dbname))[3]) {
	+ #
	+ # Parsing on our own similar to parse_dsn to find attributes in 'dbname' parameter.
	+ if ($dbname) {
	+ my @attrs = split /;/ => $dbname;
	+ my $attr_hash = { map { split /\s=>?\s\|\s,\s/, $_} @attrs };
	if (defined $attr_hash->{f_dir} && ! -d $attr_hash->{f_dir}) {
	my $msg = "No such directory '$attr_hash->{f_dir}";
	$drh->set_err (2, $msg);
	@@ -120,7 +124,6 @@ sub connect
	if ($attr and defined $attr->{f_dir} && ! -d $attr->{f_dir}) {
	my $msg = "No such directory '$attr->{f_dir}";
	$drh->set_err (2, $msg);
	- $attr->{RaiseError} and croak $msg;
	return;
	}

	--
	2.17.1