1Backport patch to fix CVE-2014-10402. 2 3CVE: CVE-2014-10402 4Upstream-Status: Backport [https://github.com/rehsack/dbi/commit/19d0fb1] 5 6Ref: 7https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972180#12 8 9Signed-off-by: Kai Kang <kai.kang@windriver.com> 10 11 12From 19d0fb169eed475e1c053e99036b8668625cfa94 Mon Sep 17 00:00:00 2001 13From: Jens Rehsack <sno@netbsd.org> 14Date: Tue, 6 Oct 2020 10:22:17 +0200 15Subject: [PATCH] lib/DBD/File.pm: fix CVE-2014-10401 16 17Dig into the root cause of RT#99508 - which resulted in CVE-2014-10401 - and 18figure out that DBI->parse_dsn is the wrong helper to parse our attributes in 19DSN, since in DBD::dr::connect only the "dbname" remains from DSN which causes 20parse_dsn to bailout. 21 22Parsing on our own similar to parse_dsn shows the way out. 23 24Signed-off-by: Jens Rehsack <sno@netbsd.org> 25--- 26 lib/DBD/File.pm | 7 +++++-- 27 1 file changed, 5 insertions(+), 2 deletions(-) 28 29diff --git a/lib/DBD/File.pm b/lib/DBD/File.pm 30index fb14e9a..f55076f 100644 31--- a/lib/DBD/File.pm 32+++ b/lib/DBD/File.pm 33@@ -109,7 +109,11 @@ sub connect 34 # We do not (yet) care about conflicting attributes here 35 # my $dbh = DBI->connect ("dbi:CSV:f_dir=test", undef, undef, { f_dir => "text" }); 36 # will test here that both test and text should exist 37- if (my $attr_hash = (DBI->parse_dsn ($dbname))[3]) { 38+ # 39+ # Parsing on our own similar to parse_dsn to find attributes in 'dbname' parameter. 40+ if ($dbname) { 41+ my @attrs = split /;/ => $dbname; 42+ my $attr_hash = { map { split /\s*=>?\s*|\s*,\s*/, $_} @attrs }; 43 if (defined $attr_hash->{f_dir} && ! -d $attr_hash->{f_dir}) { 44 my $msg = "No such directory '$attr_hash->{f_dir}"; 45 $drh->set_err (2, $msg); 46@@ -120,7 +124,6 @@ sub connect 47 if ($attr and defined $attr->{f_dir} && ! -d $attr->{f_dir}) { 48 my $msg = "No such directory '$attr->{f_dir}"; 49 $drh->set_err (2, $msg); 50- $attr->{RaiseError} and croak $msg; 51 return; 52 } 53 54-- 552.17.1 56 57