oss-sec mailing list archives
Re: CVE id request: Multiple buffer overflow in unixODBC
From: Felipe Pena <felipensp () gmail com>
Date: Wed, 30 May 2012 14:40:06 -0300
Hi all,

2012/5/30 Kurt Seifried <kseifried () redhat com>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 05/30/2012 02:07 AM, Tomas Hoger wrote:
>> On Tue, 29 May 2012 09:42:42 -0300 Felipe Pena wrote:
>>> Multiple buffer overflow in unixODBC
>>> ===========================
>>>
>>> The library unixODBC doesn't check properly the input from FILEDSN=,
>>> DRIVER= options in the DSN, which causes buffer overflow when passed
>>> to the SQLDriverConnect() function.
>>
>> Reports like this - covering bugs in parsing of the configuration
>> parameters (i.e. generally trusted input) - should include some
>> reasoning why these should be considered security. Nothing obvious
>> not intended to break PHP safe_mode comes to mind.
>
> Ahh my bad, I misunderstood this to be options that could be passed by
> the program as a standard part of the query, and thus controlled by
> the attacker. If this is indeed limited to configuration files and
> there are not extenuating circumstances that allow exploitation I will
> have to REJECT these CVEs.

It isn't limited to the configuration files. Such input can be passed to the `isql' interactive tool that comes together with unixODBC. The same string can be used to connect through PHP PDO, for example.

$ pwd
.../unixodbc/src/unixODBC-2.3.1/exe
$ ./isql "FILEDSN=$(python -c "print 'A'*10000");UID=user" -k
Segmentation fault

If it isn't characterized as a security issue, I'm sorry.

Thanks.

--
Regards,
Felipe Pena
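An added example, not part of the original thread and not unixODBC code: a length check that an application accepting a connection string from an untrusted source could apply before handing it to SQLDriverConnect(). The function name, return codes and the 1024/255 limits are assumptions of this example, and braced-value handling is simplified to the first closing brace.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy limits for this example; they are not unixODBC constants. */
#define CS_MAX_TOTAL 1024
#define CS_MAX_VALUE 255

enum { CS_OK = 0, CS_TOO_LONG = 1, CS_MALFORMED = 2 };

/* Check an ODBC-style "KEY=value;KEY=value" string before it is handed on. */
int conn_str_check(const char *s)
{
    size_t total = 0;
    if (s == NULL)
        return CS_MALFORMED;
    while (s[total] != '\0')               /* bounded length scan */
        if (++total > CS_MAX_TOTAL)
            return CS_TOO_LONG;

    for (const char *p = s; *p != '\0'; ) {
        if (*p == ';') { p++; continue; }  /* skip empty segments */
        const char *eq = strchr(p, '=');
        const char *semi = strchr(p, ';');
        if (eq == NULL || eq == p || (semi != NULL && semi < eq))
            return CS_MALFORMED;           /* attribute without key or '=' */
        const char *v = eq + 1, *end;
        if (*v == '{') {                   /* braced value may contain ';' */
            end = strchr(v, '}');
            if (end == NULL)
                return CS_MALFORMED;       /* unterminated brace */
            end++;                         /* count the closing brace */
            if (*end != ';' && *end != '\0')
                return CS_MALFORMED;
        } else {
            end = v + strcspn(v, ";");
        }
        if ((size_t)(end - v) > CS_MAX_VALUE)
            return CS_TOO_LONG;            /* e.g. an oversized FILEDSN= */
        p = end;
    }
    return CS_OK;
}

int main(int argc, char **argv)
{
    int rc = conn_str_check(argc > 1 ? argv[1] : "DRIVER={Example Driver};UID=user");
    printf("%s\n", rc == CS_OK ? "accepted" : "rejected");
    return rc;
}
```

The check bounds every attribute value, not only FILEDSN= and DRIVER=, so it does not depend on knowing which attributes a given library version copies into fixed-size buffers.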