mailing list archives
Re: CVE Request -- libdbd-pg-perl / perl-DBD-Pg && libyaml-libyaml-perl / perl-YAML-LibYAML: Multiple format string flaws
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 09 Mar 2012 23:10:29 -0700
On 03/09/2012 04:10 AM, Jan Lieskovsky wrote:
Hello Kurt, Steve, vendors,
Two format string flaws were found in the way perl-DBD-Pg, a Perl language
PostgreSQL DBI implementation, performed:
1) turning of database notices into appropriate Perl language warning
2) preparation of particular DBD statement.
A rogue server could provide a specially-crafted database warning or
specially-crafted DBD statement, which once processed by the perl-DBD-Pg
interface would lead to perl-DBD-Pg based process crash.
Patch proposed by Niko Tyni:
Please use CVE-2012-1151 for this issue.
Multiple format string flaws were found in the way perl-YAML-LibYAML,
serialization using XS and libyaml, performed:
1) error reporting by loading of general YAML stream,
2) error reporting by loading of YAML node,
3) error reporting by loading of YAML mapping into a Perl hash, and
4) error reporting by loading of YAML sequence into a Perl array.
A remote attacker could provide a specially-crafted YAML document, which
processed by the perl-YAML-LibYAML interface would lead to
based process crash.
Please use CVE-2012-1152 for this issue.
Could you allocate two CVE ids for these? (one for libdbd-pg-perl /
and one for libyaml-libyaml-perl / perl-YAML-LibYAML)
Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
Kurt Seifried Red Hat Security Response Team (SRT)