oss-sec mailing list archives

Re: CVE id request: Multiple buffer overflow in unixODBC

From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 29 May 2012 11:10:00 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/29/2012 06:42 AM, Felipe Pena wrote:

Hi, please assign a CVE id for the issue:

Multiple buffer overflow in unixODBC ===========================

The library unixODBC doesn't check properly the input from
FILEDSN=, DRIVER= options in the DSN, which causes buffer overflow
when passed to the SQLDriverConnect() function.

The unixODBC maintainer has been notified about the issue.

Version affected ============

FILEDSN= as of 2.0.10 DRIVER= as of 2.3.1

PoC ===

$ ./poc "FILEDSN=$(python -c "print 'A'*10000")" Segmentation
fault

(gdb) bt #0  0x00007ffff7bc8c81 in SQLReadFileDSN
(pszFileName=<value optimized out>, pszAppName=<value optimized
out>, pszKeyName=<value optimized out>, pszString=<value optimized
out>, nString=<value optimized out>, pnString=<value optimized
out>) at SQLReadFileDSN.c:207 #1  0x4141414141414141 in ?? ()


CREDITS =======

This bug was discovered by Felipe Pena. BugSec Team -
http://www.bugsec.com.br/


Splitting into two CVE's due to the different versions affected:

Please use CVE-2012-2657 for unixODBC 2.0.10 buffer overflow in FILEDSN=

Please use CVE-2012-2658 for unixODBC 2.3.1 buffer overflow in DRIVER=


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIbBAEBAgAGBQJPxQLnAAoJEBYNRVNeJnmTiloP+KTgTGtz1zQArKVZLkypLSIf
6ZTpQ4TZCv961JBQjn6aR682hGHFwWbAWehqDNVhJTJ+aolnQqVvNb4r7B+jBNAj
opCQLQ86FyjwLGjh5SP2n38rQIp5mfZHXZJfqugHayD1ovCHXNq6ScaFm2hTwhYp
1sWNZJ9UUYtWjbeILR4PQZuSED8w2+5m6oZRtyZ7FqJSW8e1fMzuYsGImxXXMGTG
CjKOuzizzbtnaPdGVOiL0rolwGDGfqcmaZPCQpg2eYLCuYAtUf2yLhUkiFIsMMOO
JFrlWG00gZtqIDiaIJeeGhWg5BoDNJzaDtuZ1Mg3OtS42tR3wFIzRnCmqjAMLsZa
BSrYa2IczAJIvJPFWOTcHXlHkWmjmhl3K3Dwy04r4gmMvg0wOyeUtf4VdjvbHHQu
IQ0R1vVaVDWlfrq3kGxnB6ZMBJjUdJ41olKjpZB6k5PJWcYI+lfgG8t2diBldZ8Z
gvMn5yiIxTX08ad7doXbmhRp14u06zfNoqHz671G/pcw70DO4Th9oVjrujqrCtyT
JOmb7aWAQu9cGsdP/c3rpL9mrMG7a/e8yc6BOtVi3OQFlGOc8oecqDB0KB2tSeLm
yrgM1lhF7ZScaEMmAiogikiqoLvZy1Ol4niRZTquG/9HkHYatNePFJMhC8GpJqEL
LReUsHTvMoaWsyjUoD8=
=QCpI
-----END PGP SIGNATURE-----

Current thread:

CVE id request: Multiple buffer overflow in unixODBC Felipe Pena (May 29)
- Re: CVE id request: Multiple buffer overflow in unixODBC Kurt Seifried (May 29)
- Re: CVE id request: Multiple buffer overflow in unixODBC Tomas Hoger (May 30)
  - Re: CVE id request: Multiple buffer overflow in unixODBC Henri Salo (May 30)
  - Re: CVE id request: Multiple buffer overflow in unixODBC Kurt Seifried (May 30)
    - Re: CVE id request: Multiple buffer overflow in unixODBC Felipe Pena (May 30)
    - Re: CVE id request: Multiple buffer overflow in unixODBC Kurt Seifried (May 30)
    - Re: CVE id request: Multiple buffer overflow in unixODBC Felipe Pena (May 30)
    - Re: CVE id request: Multiple buffer overflow in unixODBC Tomas Hoger (May 31)
    - Re: CVE id request: Multiple buffer overflow in unixODBC Kurt Seifried (Jun 05)