Bugzilla – Bug 678796
VUL-1: CVE-2011-1145: unixODBC: buffer overflow in SQLDriverConnect()
Last modified: 2022-08-01 09:25:30 UTC
Your friendly security team received the following report via oss-security. Please respond ASAP. The issue is public.

CVE-2011-1145

------------------------------------------------------------------------------
Date: Wed, 9 Mar 2011 14:18:10 -0300
From: Felipe Pena <felipensp@gmail.com>
Subject: [oss-security] CVE request: buffer overflow in unixODBC's SQLDriverConnect()

Hi,

Please assign a CVE id for a possible buffer overflow in unixODBC's SQLDriverConnect() function by specifying a large value for the SAVEFILE parameter in the connection string.

A fix has been committed in the SVN addressing the issue:
http://unixodbc.svn.sourceforge.net/viewvc/unixodbc/trunk/DriverManager/SQLDriverConnect.c?r1=23&r2=27

Thanks.

--
Regards,
Felipe Pena
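The report describes a fixed-size buffer receiving the SAVEFILE value of a connection string without a length check. The following is an added illustration, not unixODBC's code: a minimal "KEY=VALUE;KEY=VALUE" attribute lookup and a bounded SAVEFILE copy that rejects values that do not fit. The parser, the function names and the 64-byte limit are assumptions chosen for this example.

```c
#include <string.h>

#define SAVEFILE_MAX 64   /* illustrative buffer size chosen for this example */

/* Locate `key` in "KEY=VALUE;KEY=VALUE" and report the value's start and length
 * without copying. Keys match case-sensitively here (ODBC itself is
 * case-insensitive). Returns 1 if found, 0 otherwise. */
static int find_attr(const char *conn, const char *key,
                     const char **val, size_t *len)
{
    size_t klen = strlen(key);
    const char *p = conn;
    while (*p) {
        const char *end = strchr(p, ';');
        size_t seglen = end ? (size_t)(end - p) : strlen(p);
        if (seglen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            *val = p + klen + 1;
            *len = seglen - klen - 1;
            return 1;
        }
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

/* Bounded copy of the SAVEFILE value into out[SAVEFILE_MAX]. The bug class in
 * the report is this copy without the length check (e.g. strcpy(out, val)
 * into a fixed buffer), which overflows on an over-long value.
 * Returns 1 if copied, 0 if SAVEFILE is absent, -1 if it does not fit. */
int get_savefile(const char *conn, char out[SAVEFILE_MAX])
{
    const char *val;
    size_t len;
    out[0] = '\0';
    if (!find_attr(conn, "SAVEFILE", &val, &len))
        return 0;
    if (len >= SAVEFILE_MAX)
        return -1;
    memcpy(out, val, len);
    out[len] = '\0';
    return 1;
}
```

A caller that gets -1 should fail the connect call with a diagnostic rather than truncate silently, since a truncated path may point at a different file than the one requested.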
The SWAMPID for this issue is 39347. This issue was rated as moderate. Please submit fixed packages by 2011-03-28. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by the security team.
Just submitted the last fix. You are right, after deeper digging it looks like although it uses the same code, unixODBC-gui-qt isn't affected. Revoked related updates and fixes should be ready for all distributions. Request ids are the following:

OBS:
* 73423
* 73425
* 73427
* 73428
* 73429
* 73430
* 73431
* 73432

IBS:
* 12701
* 12703
* 12733
Update released for: unixODBC, unixODBC-debuginfo, unixODBC-debugsource, unixODBC-devel
Products:
openSUSE 11.3 (debug, i586, x86_64)
openSUSE 11.4 (debug, i586, x86_64)
This is an autogenerated message for OBS integration: This bug (678796) was mentioned in https://build.opensuse.org/request/show/74091 Evergreen:11.1 / unixODBC
Was checked in but not released due to very low severity. Will be included in any future update.