perl-dbi: Multiple vulnerabilities (CVE-2020-14392, CVE-2020-14393)
CVE-2020-14392: Memory corruption in XS functions when Perl stack is reallocated
A flaw was found in perl-dbi before version 1.643. The ST() macro returns a pointer into the Perl stack. Other Perl functions that use the Perl stack (e.g. eval) may reallocate it, after which the pointer returned by ST() is invalid; using it may lead to memory corruption.
References:
- https://metacpan.org/pod/distribution/DBI/Changes#Changes-in-DBI-1.643
- https://security-tracker.debian.org/tracker/CVE-2020-14392
Patch:
https://github.com/perl5-dbi/dbi/commit/ea99b6aafb437db53c28fd40d5eafbe119cd66e1
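A constructed C model of the hazard described above, added here as an illustration; it is not DBI's or perl's code. The pstack type, the ST() macro (modelled as the page describes it: a pointer into the stack), pstack_push and call_into_perl are stand-ins for the real interpreter structures, and the callback is forced to grow the stack so the stale pointer is observable.

```c
/* Constructed model of the CVE-2020-14392 hazard: a growable "Perl stack",
 * an ST()-style macro yielding a pointer into it, and a callback that may
 * move the stack.  All names are stand-ins, not DBI or perl code. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef struct { long *base; size_t cap, sp; } pstack;
/* ST(n): pointer to argument n of the current frame (frame base 'ax'). */
#define ST(st, ax, n) (&(st)->base[(ax) + (n)])
static pstack pstack_new(size_t cap) { pstack s = { calloc(cap, sizeof(long)), cap, 0 }; return s; }
/* Push one value; when full the array is moved to a new block, so every
 * pointer previously obtained from ST() is invalid after the move. */
static void pstack_push(pstack *st, long v) {
    if (st->sp == st->cap) {
        long *nb = malloc(2 * st->cap * sizeof *nb); if (!nb) abort();
        memcpy(nb, st->base, st->sp * sizeof *nb);
        free(st->base); st->base = nb; st->cap *= 2;
    }
    st->base[st->sp++] = v;
}
/* Stand-in for calling back into perl (e.g. eval): pushes enough to grow. */
static void call_into_perl(pstack *st) {
    for (long i = 0; i < 8; i++) pstack_push(st, i);
}
/* Vulnerable shape: ST(0) cached before the callback and used after it.
 * Returns 1 when the cached pointer no longer matches the live slot (it now
 * points into freed memory); the stale pointer is compared, never read. */
static int xs_vulnerable(void) {
    pstack st = pstack_new(4);
    size_t ax = st.sp; pstack_push(&st, 42);
    long *slot = ST(&st, ax, 0);
    call_into_perl(&st);
    int stale = (uintptr_t)slot != (uintptr_t)ST(&st, ax, 0);
    free(st.base);
    return stale;
}
/* Safe shape: copy the value out before the callback, or re-derive the slot
 * from ST() afterwards; never carry a stack pointer across the call. */
static long xs_fixed(void) {
    pstack st = pstack_new(4);
    size_t ax = st.sp; pstack_push(&st, 42);
    long arg0 = *ST(&st, ax, 0);           /* value copied before the call */
    call_into_perl(&st);
    long again = *ST(&st, ax, 0);          /* slot re-derived after the call */
    free(st.base);
    return arg0 == again ? arg0 : -1;
}
```

The same review check applies to real XS code: any pointer derived from the stack must not survive a call that can re-enter the interpreter.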
CVE-2020-14393: Buffer overflow on an overlong DBD class name
A flaw was found in perl-dbi before version 1.643. A buffer overflow via an overlong DBD class name in the dbih_setup_handle function may lead to data being written past the intended limit.
References:
- https://metacpan.org/pod/distribution/DBI/Changes#Changes-in-DBI-1.643
- https://security-tracker.debian.org/tracker/CVE-2020-14393
Patch:
https://github.com/perl5-dbi/dbi/commit/36f2a2c5fea36d7d47d6871e420286643460e71b
Affected branches:
Edited by Leo