[AutoPR- Security] Patch perl-DBI for CVE-2026-9698 [HIGH] (microsoft#17751)

Co-authored-by: jykanase <v-jykanase@microsoft.com>

Author: azurelinux-security

SPECS/perl-DBI/CVE-2026-9698.patch

@@ -0,0 +1,39 @@
+From bfe5d73c162d2d1f761a639a0aa33aad6a9eb54e Mon Sep 17 00:00:00 2001
+From: "H.Merijn Brand - Tux" <linux@tux.freedom.nl>
+Date: Wed, 27 May 2026 11:16:50 +0200
+Subject: [PATCH] Fix possible stack overflow (old issue already noted by Tim)
+
+Upstream-reference: https://github.com/perl5-dbi/dbi/commit/bfe5d73c162d2d1f761a639a0aa33aad6a9eb54e.patch
+https://sources.debian.org/src/libdbi-perl/1.643-4%2Bdeb12u1/debian/patches/Fix-possible-stack-overflow-old-issue-already-noted-.patch
+---
+ DBI.xs | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/DBI.xs b/DBI.xs
+index 01a543b..8858e21 100644
+--- a/DBI.xs
++++ b/DBI.xs
+@@ -3998,7 +3998,6 @@ XS(XS_DBI_dispatch)
+         SV **statement_svp = NULL;
+         const int is_warning = (!SvTRUE(err_sv) && strlen(SvPV_nolen(err_sv))==1);
+         const char *err_meth_name = meth_name;
+-        char intro[200];
+ 
+         if (meth_type == methtype_set_err) {
+             SV **sem_svp = hv_fetch((HV*)SvRV(h), "dbi_set_err_method", 18, GV_ADDWARN);
+@@ -4006,10 +4005,8 @@ XS(XS_DBI_dispatch)
+                 err_meth_name = SvPV_nolen(*sem_svp);
+         }
+ 
+-        /* XXX change to vsprintf into sv directly */
+-        sprintf(intro,"%s %s %s: ", HvNAME(DBIc_IMP_STASH(imp_xxh)), err_meth_name,
+-            SvTRUE(err_sv) ? "failed" : is_warning ? "warning" : "information");
+-        msg = sv_2mortal(newSVpv(intro,0));
++        msg = sv_2mortal(newSVpvf("%s %s %s: ", HvNAME(DBIc_IMP_STASH(imp_xxh)), err_meth_name,
++            SvTRUE(err_sv) ? "failed" : is_warning ? "warning" : "information"));
+         if (SvOK(DBIc_ERRSTR(imp_xxh)))
+             sv_catsv(msg, DBIc_ERRSTR(imp_xxh));
+         else
+-- 
+2.45.4
+

SPECS/perl-DBI/perl-DBI.spec

@@ -5,14 +5,15 @@
 Summary:        A database access API for perl
 Name:           perl-DBI
 Version:        1.643
-Release:        4%{?dist}
+Release:        5%{?dist}
 Group:          Development/Libraries
 License:        GPL+ or Artistic
 URL:            http://dbi.perl.org/
 # The source tarball must be repackaged to remove the DBI/FAQ.pm, since the
 # license is not a FSF free license.
 Source0:        https://cpan.metacpan.org/authors/id/T/TI/TIMB/DBI-%{version}.tar.gz
 Patch0:         CVE-2026-10879.patch
+Patch1:         CVE-2026-9698.patch
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 BuildRequires:  perl >= 5.28.0
@@ -163,6 +164,9 @@ make test
 %{_mandir}/man3/*.3*
 
 %changelog
+* Wed Jun 17 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.643-5
+- Patch for CVE-2026-9698
+
 * Tue Jun 09 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.643-4
 - Patch for CVE-2026-10879
 

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -336,8 +336,8 @@ perl-CPAN-Meta-YAML-0.018-510.azl3.noarch.rpm
 perl-Data-Dumper-2.188-510.azl3.aarch64.rpm
 perl-DBD-SQLite-1.74-2.azl3.aarch64.rpm
 perl-DBD-SQLite-debuginfo-1.74-2.azl3.aarch64.rpm
-perl-DBI-1.643-4.azl3.aarch64.rpm
-perl-DBI-debuginfo-1.643-4.azl3.aarch64.rpm
+perl-DBI-1.643-5.azl3.aarch64.rpm
+perl-DBI-debuginfo-1.643-5.azl3.aarch64.rpm
 perl-DBIx-Simple-1.37-7.azl3.noarch.rpm
 perl-DBM_Filter-0.06-510.azl3.noarch.rpm
 perl-debugger-1.60-510.azl3.noarch.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -344,8 +344,8 @@ perl-CPAN-Meta-YAML-0.018-510.azl3.noarch.rpm
 perl-Data-Dumper-2.188-510.azl3.x86_64.rpm
 perl-DBD-SQLite-1.74-2.azl3.x86_64.rpm
 perl-DBD-SQLite-debuginfo-1.74-2.azl3.x86_64.rpm
-perl-DBI-1.643-4.azl3.x86_64.rpm
-perl-DBI-debuginfo-1.643-4.azl3.x86_64.rpm
+perl-DBI-1.643-5.azl3.x86_64.rpm
+perl-DBI-debuginfo-1.643-5.azl3.x86_64.rpm
 perl-DBIx-Simple-1.37-7.azl3.noarch.rpm
 perl-DBM_Filter-0.06-510.azl3.noarch.rpm
 perl-debugger-1.60-510.azl3.noarch.rpm