Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 30 May 2012 14:40:06 -0300
From: Felipe Pena <>
To: Kurt Seifried <>
Cc:, Tomas Hoger <>
Subject: Re: CVE id request: Multiple buffer overflow in unixODBC

Hi all,

2012/5/30 Kurt Seifried <>:
> Hash: SHA1
> On 05/30/2012 02:07 AM, Tomas Hoger wrote:
>> On Tue, 29 May 2012 09:42:42 -0300 Felipe Pena wrote:
>>> Multiple buffer overflow in unixODBC ===========================
>>> The library unixODBC doesn't check properly the input from
>>> FILEDSN=, DRIVER= options in the DSN, which causes buffer
>>> overflow when passed to the SQLDriverConnect() function.
>> Reports like this - covering bugs in parsing of the configuration
>> parameters (i.e. generally trusted input) - should include some
>> reasoning why these should be considered security.  Nothing obvious
>> not intended to break PHP safe_mode comes to mind.
> Ahh my bad, I misunderstood this to be options that could be passed by
> the program as a standard part of the query, and thus controlled by
> the attacker. If this is indeed limited to configuration files and
> there are not extenuating circumstances that allow exploitation I will
> have to REJECT these CVEs.

It isn't limited to the configuration files. Such input can be passed
to the `isql' interactive tool that come together unixODBC. The same
string can be used to connect through PHP PDO, for example.

$ pwd
$ ./isql "FILEDSN=$(python -c "print 'A'*10000");UID=user" -k
Segmentation fault

If it isn't characterized a security issue I'm sorry.


Felipe Pena

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ