Re: CVE id request: Multiple buffer overflow in unixODBC

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/30/2012 11:40 AM, Felipe Pena wrote:
> Hi all,
>
> 2012/5/30 Kurt Seifried <kseifried () redhat com>:
> > -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
> >
> > On 05/30/2012 02:07 AM, Tomas Hoger wrote:
> > > On Tue, 29 May 2012 09:42:42 -0300 Felipe Pena wrote:
> > >
> > > > Multiple buffer overflow in unixODBC
> > > > ===========================
> > > >
> > > > The library unixODBC doesn't check properly the input from 
> > > > FILEDSN=, DRIVER= options in the DSN, which causes buffer 
> > > > overflow when passed to the SQLDriverConnect() function.
> > >
> > > Reports like this - covering bugs in parsing of the
> > > configuration parameters (i.e. generally trusted input) -
> > > should include some reasoning why these should be considered
> > > security.  Nothing obvious not intended to break PHP safe_mode
> > > comes to mind.
> >
> > Ahh my bad, I misunderstood this to be options that could be
> > passed by the program as a standard part of the query, and thus
> > controlled by the attacker. If this is indeed limited to
> > configuration files and there are not extenuating circumstances
> > that allow exploitation I will have to REJECT these CVEs.
>
> It isn't limited to the configuration files. Such input can be
> passed to the `isql' interactive tool that come together unixODBC.
> The same string can be used to connect through PHP PDO, for
> example.
>
> $ pwd .../unixodbc/src/unixODBC-2.3.1/exe $ ./isql
> "FILEDSN=$(python -c "print 'A'*10000");UID=user" -k Segmentation
> fault
>
> If it isn't characterized a security issue I'm sorry.
>
> Thanks.

Is this something that an attacker can typically control, or does the
PHP author need to write code that does this?

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPxm7dAAoJEBYNRVNeJnmTHm0P+QFmzxjK80GEYPaTGh39TzuZ
nh0tqb3KcpU6oBDFKMuaXJSGcuVHPKY3peVHTnRfybwcpHw3mWmR7/Zwiilufu9S
yiYfareQ4aPzoTJfc6+0npCGEIbArv8+jltHoAMyW6UDgIDP71D/ytzky5Dq7FQR
G4XxxlsOiCQpeDFUjXn0tfUcrbhQ8sf/ztjSSGeffvQXaS9DFjqwHu2UUbTP3QJr
aOmwRJ/f58RRYAmMtlH04SB/qhikLwstIBzJFF8FWzOXTWwAramiqsXBZ7fx5ba9
6098U9CP3fwzaey1GPfW/bYbLM/kuls1EvViUHsebrTZqTA/8VnndJ2xJW2AuOmg
H0M4B13956lu9LAxLfliCQApfPjLydzm8MavKCtMhAO16on/ZmXPSSk6ihAD7IWX
Cvg+yjgdP5aGWBCQKeUSvCLVMi95iaIrcJAffeoiF9O66mhFGGTmu3Bz9flm5Ajk
b4AQIt4bwgpoCs/BYdp3bKAa+Mm4vKp0mOEz1VGvfRr5xhLA/35llPBRIpbQ6CYC
0lY5felqga00jVfeRQoJ7TT4It6a24XToZ/SAyIsrQtZwfa9V8XwqRS21QdynGiT
3qSUZniDigbFqkLyiIhBmiCYII9m7eq/M8q3cBuZvMycYVjPL4mz4dXU9L4mCey9
UBbu0D801RaWSvp3O/xP
=wmqL
-----END PGP SIGNATURE-----