Source: libdbi-perl Version: 1.649-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerabilities were published for libdbi-perl. CVE-2026-14380[0]: | DBI versions before 1.650 for Perl are vulnerable to code injection | via caller-influenced Profile. When a string is assigned to a DBI | handle's Profile attribute, DBI splits it into path, package and | arguments, and interpolates the package part in a string eval with | no validation of the package name. Any caller-influenced value that | reaches the Profile attribute is therefore arbitrary Perl code | execution, including calls to run system commands. The Profile | attribute can be set from three different sources that can carry | untrusted data: the DBI_PROFILE environment variable, a direct | attribute assignment, and a DSN driver-attribute clause | dbi:Driver(Profile=>SPEC):db. An attacker controlling any of those | inputs runs arbitrary Perl in the host process. The strongest remote | position is a network-exposed DBI::Gofer / DBI::ProxyServer whose | per-request DSN reaches the Profile attribute, letting a client | execute code on the broker host. CVE-2026-14739[1]: | DBI versions before 1.650 for Perl have a heap overflow when | preparsing SQL statements with an extreme number of placeholders. | The fix for CVE-2026-10879 did not allocate enough memory to handle | approximately 1.2-million placeholders. DBI version 1.650 sets a | hard limit of 99,999 placeholders. CVE-2026-14740[2]: | DBI versions before 1.650 for Perl read one byte out-of-bounds in | preparse when deleting an initial SQL comment. The preparse method | normalises SQL and removes comments. When the SQL starts with a | comment line, the deletion of that line during normalisation led to | an out-of-bounds read by one byte. The result is a fault on memory- | hardened builds and nondeterministic newline retention on normal | builds. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-14380 https://www.cve.org/CVERecord?id=CVE-2026-14380 [1] https://security-tracker.debian.org/tracker/CVE-2026-14739 https://www.cve.org/CVERecord?id=CVE-2026-14739 [2] https://security-tracker.debian.org/tracker/CVE-2026-14740 https://www.cve.org/CVERecord?id=CVE-2026-14740 Regards, Salvatore

