Re: CVE id request: Multiple buffer overflow in unixODBC

[Felipe Pena <felipensp () gmail com>]

Hi all,

2012/5/30 Kurt Seifried <kseifried () redhat com>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 05/30/2012 02:07 AM, Tomas Hoger wrote:
> > On Tue, 29 May 2012 09:42:42 -0300 Felipe Pena wrote:
> >
> > > Multiple buffer overflow in unixODBC ===========================
> > >
> > > The library unixODBC doesn't check properly the input from
> > > FILEDSN=, DRIVER= options in the DSN, which causes buffer
> > > overflow when passed to the SQLDriverConnect() function.
> >
> > Reports like this - covering bugs in parsing of the configuration
> > parameters (i.e. generally trusted input) - should include some
> > reasoning why these should be considered security.  Nothing obvious
> > not intended to break PHP safe_mode comes to mind.
>
> Ahh my bad, I misunderstood this to be options that could be passed by
> the program as a standard part of the query, and thus controlled by
> the attacker. If this is indeed limited to configuration files and
> there are not extenuating circumstances that allow exploitation I will
> have to REJECT these CVEs.

It isn't limited to the configuration files. Such input can be passed
to the `isql' interactive tool that come together unixODBC. The same
string can be used to connect through PHP PDO, for example.

$ pwd
.../unixodbc/src/unixODBC-2.3.1/exe
$ ./isql "FILEDSN=$(python -c "print 'A'*10000");UID=user" -k
Segmentation fault

If it isn't characterized a security issue I'm sorry.

Thanks.

-- 
Regards,
Felipe Pena