Your message dated Wed, 08 Jul 2026 17:05:33 +0000
with message-id <[email protected]>
and subject line Bug#1141667: fixed in libdbi-perl 1.650-1
has caused the Debian Bug report #1141667,
regarding libdbi-perl: CVE-2026-14380 CVE-2026-14739 CVE-2026-14740
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1141667: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141667
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libdbi-perl
Version: 1.649-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for libdbi-perl.
CVE-2026-14380[0]:
| DBI versions before 1.650 for Perl are vulnerable to code injection
| via caller-influenced Profile. When a string is assigned to a DBI
| handle's Profile attribute, DBI splits it into path, package and
| arguments, and interpolates the package part in a string eval with
| no validation of the package name. Any caller-influenced value that
| reaches the Profile attribute is therefore arbitrary Perl code
| execution, including calls to run system commands. The Profile
| attribute can be set from three different sources that can carry
| untrusted data: the DBI_PROFILE environment variable, a direct
| attribute assignment, and a DSN driver-attribute clause
| dbi:Driver(Profile=>SPEC):db. An attacker controlling any of those
| inputs runs arbitrary Perl in the host process. The strongest remote
| position is a network-exposed DBI::Gofer / DBI::ProxyServer whose
| per-request DSN reaches the Profile attribute, letting a client
| execute code on the broker host.
CVE-2026-14739[1]:
| DBI versions before 1.650 for Perl have a heap overflow when
| preparsing SQL statements with an extreme number of placeholders.
| The fix for CVE-2026-10879 did not allocate enough memory to handle
| approximately 1.2-million placeholders. DBI version 1.650 sets a
| hard limit of 99,999 placeholders.
CVE-2026-14740[2]:
| DBI versions before 1.650 for Perl read one byte out-of-bounds in
| preparse when deleting an initial SQL comment. The preparse method
| normalises SQL and removes comments. When the SQL starts with a
| comment line, the deletion of that line during normalisation led to
| an out-of-bounds read by one byte. The result is a fault on memory-
| hardened builds and nondeterministic newline retention on normal
| builds.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-14380
https://www.cve.org/CVERecord?id=CVE-2026-14380
[1] https://security-tracker.debian.org/tracker/CVE-2026-14739
https://www.cve.org/CVERecord?id=CVE-2026-14739
[2] https://security-tracker.debian.org/tracker/CVE-2026-14740
https://www.cve.org/CVERecord?id=CVE-2026-14740
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libdbi-perl
Source-Version: 1.650-1
Done: gregor herrmann <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libdbi-perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
gregor herrmann <[email protected]> (supplier of updated libdbi-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 08 Jul 2026 18:31:30 +0200
Source: libdbi-perl
Architecture: source
Version: 1.650-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: gregor herrmann <[email protected]>
Closes: 1141667
Changes:
libdbi-perl (1.650-1) unstable; urgency=medium
.
* Import upstream version 1.650.
- Set a hard limit of 99999 on '?' placeholders
(CVE-2026-14739)
- Fix out-of-bounds read in preparse of SQL that starts with a comment
(CVE-2026-14740)
- Fix code injection via Profile DSN attribute or DBI_PROFILE variable
(CVE-2026-14380)
Closes: #1141667
* Install new upstream document.
Checksums-Sha1:
fe3d5b723b20d6baadb620271e1dc010b252ed2c 2433 libdbi-perl_1.650-1.dsc
63eda1d88d42ca6b3e1c5afec157c905c20c40d1 731654 libdbi-perl_1.650.orig.tar.gz
a4987decdf8ee8e01e4eae8fbf2be56ec62d1311 13344
libdbi-perl_1.650-1.debian.tar.xz
Checksums-Sha256:
d8267d5983ebbf8c2c3d961aa257e9a6500e110569deebd8c604902af3adf4c2 2433
libdbi-perl_1.650-1.dsc
a807b817c1cfb0fe6ecccff1d9ddeb293c317d518f5ab2007dfb9d3bccdbcf83 731654
libdbi-perl_1.650.orig.tar.gz
23b7465d79d2fb414749399b04ceb7df33e92a518b5d00a7e07b34ae9073b60f 13344
libdbi-perl_1.650-1.debian.tar.xz
Files:
c550ae1ce69a05b8d931891d26f3b203 2433 perl optional libdbi-perl_1.650-1.dsc
1060f40a61392a8d6989cf76509289b7 731654 perl optional
libdbi-perl_1.650.orig.tar.gz
14c7a5b46ee2070cf2608ee874a45688 13344 perl optional
libdbi-perl_1.650-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAmpOfFFfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx
RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ
qgYngg/7Bv/RwYXIZv6LNR/+jRIsn6fGrXqd2IX4ITti+uh8UdbkYmb00/F5BLVD
+JDztRfQwqRD9BseeSYsU3n5K99Rs8b9VrT+xZkDEQ22/W89z07PAfcqJynXRvrc
qfZH7b9ZWu2B9OBElrEnnEUKitKV5WSAPz1zErp64aOKzLwRx4Whu8vnzMRzHCi1
qQGIn4Inlb/GvQHciBQTC2kQaggREvKHpyF9kzYFfcV3XNvKdOj1oYvsRTdiQ8AV
TAKCFpwzelLeFwRzowvPH2G9DKHbBYBcs+o+6VAb2LGe1pJuVDQpo+Tn7e/aEJB7
QZDQ+rBPsnQo9WwrIwBTXozAXPhaLCWRE/5rq+yNfsewgg0nQi1SUxh8Hp2IDAMU
POCw7PcAmDScrNwMuW0Ds99zSsjeCx5Z9r7qBgvPXMlxw9EkUG6vQZo3gBoBKj9u
0luN/dP9+2EOSSTpT660W2ZEB4+bQz6a8o8OQBRvz/FXWRgWWnW1wd9qsL8VFKxV
UaimYB0uXDu7LJv86B3zytOR+mOkpoDBH617IqBQDvNaHNr2mRHO+v3LFbr5MYgH
4qLF5fzU/AJW3YZDRH1cIu1drUebeNEi7uW4J6dTqjK42Im1C5nB8r4eKzHrucUx
T8op993EgcZKAy2VsF5jU8izrTO10bLucEv2jdj/RS7fh/LxXW0=
=zY4d
-----END PGP SIGNATURE-----
pgpJq5Od_NfH_.pgp
Description: PGP signature
--- End Message ---