#VU43604 Format string error in Perl - CVE-2012-1151


| Updated: 2020-08-11

Vulnerability identifier: #VU43604

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2012-1151

CWE-ID: CWE-134

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Perl
Universal components / Libraries / Scripting languages

Vendor: Perl

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

Multiple format string vulnerabilities in dbdimp.c in DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module before 2.19.0 for Perl allow remote PostgreSQL database servers to cause a denial of service (process crash) via format string specifiers in (1) a crafted database warning to the pg_warn function or (2) a crafted DBD statement to the dbd_st_prepare function.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Perl: 0.1 - 0.99, 1.00 - 1.49, 2.0.0, 2.1.0 - 2.18.0, 2.2.0 - 2.2.2, 2.3.0, 2.4.0, 2.5.0 - 2.5.1, 2.6.0 - 2.6.6, 2.7.0 - 2.7.2, 2.8.0 - 2.8.8, 2.9.0 - 2.9.2

External links
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661536
https://cpansearch.perl.org/src/TURNSTEP/DBD-Pg-2.19.1/Changes
https://rhn.redhat.com/errata/RHSA-2012-1116.html
https://secunia.com/advisories/48307
https://secunia.com/advisories/48319
https://secunia.com/advisories/48824
https://security.gentoo.org/glsa/glsa-201204-08.xml
https://www.debian.org/security/2012/dsa-2431
https://www.mandriva.com/security/advisories?name=MDVSA-2012:112
https://www.openwall.com/lists/oss-security/2012/03/09/6
https://www.openwall.com/lists/oss-security/2012/03/10/4
https://bugzilla.redhat.com/show_bug.cgi?id=801733
https://exchange.xforce.ibmcloud.com/vulnerabilities/73854
https://exchange.xforce.ibmcloud.com/vulnerabilities/73855
https://rt.cpan.org/Public/Bug/Display.html?id=75642

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Format string error in Perl
Amazon Linux AMI update for perl-DBD-Pg
Gentoo update for Perl DBD-Pg Module