Date: Wed, 30 May 2012 14:40:06 -0300
From: Felipe Pena <felipensp@...il.com>
To: Kurt Seifried <kseifried@...hat.com>
Cc: oss-security@...ts.openwall.com, Tomas Hoger <thoger@...hat.com>
Subject: Re: CVE id request: Multiple buffer overflow in unixODBC

Hi all,

2012/5/30 Kurt Seifried <kseifried@...hat.com>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 05/30/2012 02:07 AM, Tomas Hoger wrote:
>> On Tue, 29 May 2012 09:42:42 -0300 Felipe Pena wrote:
>>
>>> Multiple buffer overflow in unixODBC
>>> ===========================
>>>
>>> The library unixODBC doesn't properly check the input from the
>>> FILEDSN=, DRIVER= options in the DSN, which causes a buffer
>>> overflow when passed to the SQLDriverConnect() function.
>>
>> Reports like this - covering bugs in parsing of the configuration
>> parameters (i.e. generally trusted input) - should include some
>> reasoning why these should be considered security. Nothing obvious
>> not intended to break PHP safe_mode comes to mind.
>>
>
> Ahh my bad, I misunderstood this to be options that could be passed by
> the program as a standard part of the query, and thus controlled by
> the attacker. If this is indeed limited to configuration files and
> there are not extenuating circumstances that allow exploitation I will
> have to REJECT these CVEs.
>

It isn't limited to the configuration files. Such input can be passed to
the `isql' interactive tool that comes together with unixODBC. The same
string can be used to connect through PHP PDO, for example.

$ pwd
.../unixodbc/src/unixODBC-2.3.1/exe
$ ./isql "FILEDSN=$(python -c "print 'A'*10000");UID=user" -k
Segmentation fault

If it isn't characterized as a security issue, I'm sorry.

Thanks.

-- 
Regards,
Felipe Pena
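The defect the thread describes is a connection-string attribute (FILEDSN=, DRIVER=) whose length is never checked before it is copied into a fixed-size buffer. The following C block is an added example, not code from unixODBC or from anyone in this thread: it is a hypothetical bounded parser for a ';'-separated "KEY=value" connection string that refuses a value which would not fit the destination, instead of overflowing it. The buffer size DSN_VALUE_MAX, the function names, and the sample connection strings (including the 10000-byte FILEDSN value, built to mirror the isql invocation above) are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Hypothetical fixed destination size, standing in for the kind of
 * stack or static buffer a DSN parser typically copies attribute
 * values into. */
#define DSN_VALUE_MAX 256

/* Look up `key` in a ';'-separated "KEY=value" connection string and
 * copy its value into `out` (capacity `outlen`, including the NUL).
 * Return  1  if found and copied,
 *         0  if the key is absent,
 *        -1  if the value is too long for `out` (nothing is written,
 *            so the caller gets a clean error instead of an overflow).
 * Keys are matched case-insensitively, as ODBC connection strings are. */
int dsn_get_attr(const char *conn, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = conn;

    while (*p != '\0') {
        const char *end = strchr(p, ';');
        size_t seglen = end ? (size_t)(end - p) : strlen(p);

        /* "KEY=" must fit inside this segment: seglen > klen guarantees
         * p[klen] is readable and belongs to this segment. */
        if (seglen > klen && strncasecmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *val = p + klen + 1;
            size_t vlen = seglen - klen - 1;

            if (vlen >= outlen)      /* no room for value + terminating NUL */
                return -1;
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (end == NULL)
            break;
        p = end + 1;
    }
    return 0;
}

/* Reproduce the shape of the isql argument from the report with a
 * constructed 10000-byte FILEDSN value and return what the bounded
 * parser does with it (expected: -1, the value is rejected). */
int oversized_filedsn_result(void)
{
    const char prefix[] = "FILEDSN=";
    const char suffix[] = ";UID=user";
    size_t alen = 10000;
    size_t total = sizeof prefix - 1 + alen + sizeof suffix;  /* incl. NUL */
    char *conn = malloc(total);
    char out[DSN_VALUE_MAX];
    int rc;

    if (conn == NULL)
        return -2;   /* allocation failure, distinct from a parse result */
    memcpy(conn, prefix, sizeof prefix - 1);
    memset(conn + sizeof prefix - 1, 'A', alen);
    memcpy(conn + sizeof prefix - 1 + alen, suffix, sizeof suffix);

    rc = dsn_get_attr(conn, "FILEDSN", out, sizeof out);
    free(conn);
    return rc;
}

int main(void)
{
    char out[DSN_VALUE_MAX];
    const char *conn = "FILEDSN=/tmp/example.dsn;UID=user";  /* constructed */

    if (dsn_get_attr(conn, "FILEDSN", out, sizeof out) == 1)
        printf("FILEDSN = %s\n", out);
    if (dsn_get_attr(conn, "uid", out, sizeof out) == 1)
        printf("UID = %s\n", out);
    printf("oversized FILEDSN -> rc=%d (rejected, no overflow)\n",
           oversized_filedsn_result());
    return 0;
}
```

The check that matters is `vlen >= outlen` before the copy: the same 10000-byte attribute that the report shows crashing isql is simply reported as too long. A caller such as a SQLDriverConnect() implementation would map that -1 to an ODBC error return rather than proceeding with a truncated or corrupted value.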