Security Advisories (8)
CVE-2020-14393 (2020-09-16)

A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local attacker who is able to supply a string longer than 300 characters could cause an out-of-bounds write, affecting the availability of the service or integrity of data.

CVE-2020-14392 (2020-06-17)

An untrusted pointer dereference flaw was found in Perl-DBI < 1.643. A local attacker who is able to manipulate calls to dbd_db_login6_sv() could cause memory corruption, affecting the service's availability.

CVE-2019-20919 (2020-09-17)

An issue was discovered in the DBI module before 1.643 for Perl. The hv_fetch() documentation requires checking for NULL and the code does that. But, shortly thereafter, it calls SvOK(profile), causing a NULL pointer dereference.

CPANSA-DBI-2014-01 (2014-10-15)

DBD::File drivers open files from folders other than those specifically passed using the f_dir attribute.

CVE-2014-10402 (2020-09-16)

An issue was discovered in the DBI module through 1.643 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute in the data source name (DSN). NOTE: this issue exists because of an incomplete fix for CVE-2014-10401.

CVE-2014-10401 (2020-09-11)

An issue was discovered in the DBI module before 1.632 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute.

CVE-2013-7491 (2020-09-11)

An issue was discovered in the DBI module before 1.628 for Perl. Stack corruption occurs when a user-defined function requires a non-trivial amount of memory and the Perl stack gets reallocated.

CVE-2013-7490 (2020-09-11)

An issue was discovered in the DBI module before 1.632 for Perl. Using many arguments to methods for Callbacks may lead to memory corruption.

NAME

DBD::Gofer::Transport::corostream - Async DBD::Gofer stream transport using Coro and AnyEvent

SYNOPSIS

DBI_AUTOPROXY="dbi:Gofer:transport=corostream" perl some-perl-script-using-dbi.pl

or

$dsn = ...; # the DSN for the driver and database you want to use
$dbh = DBI->connect("dbi:Gofer:transport=corostream;dsn=$dsn", ...);

DESCRIPTION

The BIG WIN from using Coro is that it enables the use of existing DBI frameworks like DBIx::Class.

KNOWN ISSUES AND LIMITATIONS

- Uses Coro::Select so alters CORE::select globally
  Parent class probably needs refactoring to enable a more encapsulated approach.

- Doesn't prevent multiple concurrent requests
  Probably just needs a per-connection semaphore

- Coro has many caveats. Caveat emptor.

STATUS

THIS IS CURRENTLY JUST A PROOF-OF-CONCEPT IMPLEMENTATION FOR EXPERIMENTATION.

Please note that I have no plans to develop this code further myself. I'd very much welcome contributions. Interested? Let me know!

AUTHOR

Tim Bunce, http://www.tim.bunce.name

LICENCE AND COPYRIGHT

Copyright (c) 2010, Tim Bunce, Ireland. All rights reserved.

This module is free software; you can redistribute it and/or modify it under the same terms as Perl itself. See perlartistic.

SEE ALSO

DBD::Gofer::Transport::stream

DBD::Gofer

APPENDIX

Example code:

#!perl

use strict;
use warnings;
use Time::HiRes qw(time);

BEGIN { $ENV{PERL_ANYEVENT_STRICT} = 1; $ENV{PERL_ANYEVENT_VERBOSE} = 1; }

use AnyEvent;

BEGIN { $ENV{DBI_TRACE} = 0; $ENV{DBI_GOFER_TRACE} = 0; $ENV{DBD_GOFER_TRACE} = 0; };

use DBI;

$ENV{DBI_AUTOPROXY} = 'dbi:Gofer:transport=corostream';

my $ticker = AnyEvent->timer( after => 0, interval => 0.1, cb => sub {
    warn sprintf "-tick- %.2f\n", time
} );

warn "connecting...\n";
my $dbh = DBI->connect("dbi:NullP:");
warn "...connected\n";

for (1..3) {
    warn "entering DBI...\n";
    $dbh->do("sleep 0.3"); # pseudo-sql understood by the DBD::NullP driver
    warn "...returned\n";
}

warn "done.";

Example output:

$ perl corogofer.pl
connecting...
-tick- 1293631437.14
-tick- 1293631437.14
...connected
entering DBI...
-tick- 1293631437.25
-tick- 1293631437.35
-tick- 1293631437.45
-tick- 1293631437.55
...returned
entering DBI...
-tick- 1293631437.66
-tick- 1293631437.76
-tick- 1293631437.86
...returned
entering DBI...
-tick- 1293631437.96
-tick- 1293631438.06
-tick- 1293631438.16
...returned
done. at corogofer.pl line 39.

You can see that the timer callback is firing while the code 'waits' inside the do() method for the response from the database. Normally that would block.