oss-sec mailing list archives
Re: CVE id request: Multiple buffer overflow in unixODBC
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 30 May 2012 13:02:53 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 05/30/2012 11:40 AM, Felipe Pena wrote:
Hi all, 2012/5/30 Kurt Seifried <kseifried () redhat com>:-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 05/30/2012 02:07 AM, Tomas Hoger wrote:On Tue, 29 May 2012 09:42:42 -0300 Felipe Pena wrote:Multiple buffer overflow in unixODBC =========================== The library unixODBC doesn't check properly the input from FILEDSN=, DRIVER= options in the DSN, which causes buffer overflow when passed to the SQLDriverConnect() function.Reports like this - covering bugs in parsing of the configuration parameters (i.e. generally trusted input) - should include some reasoning why these should be considered security. Nothing obvious not intended to break PHP safe_mode comes to mind.Ahh my bad, I misunderstood this to be options that could be passed by the program as a standard part of the query, and thus controlled by the attacker. If this is indeed limited to configuration files and there are not extenuating circumstances that allow exploitation I will have to REJECT these CVEs.It isn't limited to the configuration files. Such input can be passed to the `isql' interactive tool that come together unixODBC. The same string can be used to connect through PHP PDO, for example. $ pwd .../unixodbc/src/unixODBC-2.3.1/exe $ ./isql "FILEDSN=$(python -c "print 'A'*10000");UID=user" -k Segmentation fault If it isn't characterized a security issue I'm sorry. Thanks.
Is this something that an attacker can typically control, or does the PHP author need to write code that does this? - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJPxm7dAAoJEBYNRVNeJnmTHm0P+QFmzxjK80GEYPaTGh39TzuZ nh0tqb3KcpU6oBDFKMuaXJSGcuVHPKY3peVHTnRfybwcpHw3mWmR7/Zwiilufu9S yiYfareQ4aPzoTJfc6+0npCGEIbArv8+jltHoAMyW6UDgIDP71D/ytzky5Dq7FQR G4XxxlsOiCQpeDFUjXn0tfUcrbhQ8sf/ztjSSGeffvQXaS9DFjqwHu2UUbTP3QJr aOmwRJ/f58RRYAmMtlH04SB/qhikLwstIBzJFF8FWzOXTWwAramiqsXBZ7fx5ba9 6098U9CP3fwzaey1GPfW/bYbLM/kuls1EvViUHsebrTZqTA/8VnndJ2xJW2AuOmg H0M4B13956lu9LAxLfliCQApfPjLydzm8MavKCtMhAO16on/ZmXPSSk6ihAD7IWX Cvg+yjgdP5aGWBCQKeUSvCLVMi95iaIrcJAffeoiF9O66mhFGGTmu3Bz9flm5Ajk b4AQIt4bwgpoCs/BYdp3bKAa+Mm4vKp0mOEz1VGvfRr5xhLA/35llPBRIpbQ6CYC 0lY5felqga00jVfeRQoJ7TT4It6a24XToZ/SAyIsrQtZwfa9V8XwqRS21QdynGiT 3qSUZniDigbFqkLyiIhBmiCYII9m7eq/M8q3cBuZvMycYVjPL4mz4dXU9L4mCey9 UBbu0D801RaWSvp3O/xP =wmqL -----END PGP SIGNATURE-----
Current thread:
- CVE id request: Multiple buffer overflow in unixODBC Felipe Pena (May 29)
- Re: CVE id request: Multiple buffer overflow in unixODBC Kurt Seifried (May 29)
- Re: CVE id request: Multiple buffer overflow in unixODBC Tomas Hoger (May 30)
- Re: CVE id request: Multiple buffer overflow in unixODBC Henri Salo (May 30)
- Re: CVE id request: Multiple buffer overflow in unixODBC Kurt Seifried (May 30)
- Re: CVE id request: Multiple buffer overflow in unixODBC Felipe Pena (May 30)
- Re: CVE id request: Multiple buffer overflow in unixODBC Kurt Seifried (May 30)
- Re: CVE id request: Multiple buffer overflow in unixODBC Felipe Pena (May 30)
- Re: CVE id request: Multiple buffer overflow in unixODBC Tomas Hoger (May 31)
- Re: CVE id request: Multiple buffer overflow in unixODBC Kurt Seifried (Jun 05)