[libdbd-firebird-perl] 01/02: Fix potential buffer overflow as per CVE-2015-2788
Alessandro Ghedini
ghedo at moszumanska.debian.org
Wed Apr 8 22:34:27 UTC 2015
This is an automated email from the git hooks/post-receive script.
ghedo pushed a commit to branch wheezy
in repository libdbd-firebird-perl.
commit 714ec1bbfc3d713352c964b77d73e843738cd7c1
Author: Alessandro Ghedini <alessandro at ghedini.me>
Date: Mon Apr 6 17:26:29 2015 +0200
Fix potential buffer overflow as per CVE-2015-2788
Closes: #780925
---
debian/patches/CVE-2015-2788.patch | 85 ++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 86 insertions(+)
diff --git a/debian/patches/CVE-2015-2788.patch b/debian/patches/CVE-2015-2788.patch
new file mode 100644
index 0000000..734f19c
--- /dev/null
+++ b/debian/patches/CVE-2015-2788.patch
@@ -0,0 +1,85 @@
+From a51b14d4729c24033d126ae68413ab4ab45676d6 Mon Sep 17 00:00:00 2001
+From: Stefan Roas <stefan.roas at fau.de>
+Date: Fri, 13 Mar 2015 17:36:31 +0100
+Subject: [PATCH] Buffer Overflow in dbdimp.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Hi there,
+
+I found a buffer overflow in dbdimp.c. Error messages in dbdimp.c use
+sprintf to a fix-sized buffer that (quite likely in two cases) might be
+too small to hold the final result.
+
+Attached you find a patch that solves the problem by increasing the size
+of the buffer to a value that should be large enough for every
+conceivable input given the conversion specification and additionally
+use snprintf() instead of sprintf(). As snprintf() is already used
+somewhere else in dbdimp.c I figure there are no portability issues
+involved.
+
+I did not check the other uses of sprintf, although it might be
+worthwhile to do so as a quick check found other locations where a
+fix-sized buffer is involved.
+
+Best regards,
+ Stefan
+
+--
+Stefan Roas, Datenbanken und studentische Vefahren
+Friedrich-Alexander-Universität Erlangen-Nürnberg
+Regionales Rechenzentrum Erlangen (RRZE)
+Hugenottenplatz 1A, 91054 Erlangen, Deutschland
+Tel.: +49 9131 85-29018
+Fax : +49 9131 85-25777
+stefan.roas at fau.de
+http://www.rrze.fau.de
+---
+ dbdimp.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/dbdimp.c
++++ b/dbdimp.c
+@@ -18,6 +18,8 @@
+
+ DBISTATE_DECLARE;
+
++#define ERRBUFSIZE 255
++
+ #define IB_SQLtimeformat(xxh, format, sv) \
+ do { \
+ STRLEN len; \
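Review bot: the new `#define ERRBUFSIZE 255` at the top of dbdimp.c has no comment saying how 255 was chosen or which buffers it sizes. A one-line comment stating that it must exceed the longest expanded error message formatted into an `err` buffer (of the messages touched by this patch, the two "String truncation" formats with two %lu values are the longest) would keep a later change to a format string from quietly causing truncated messages.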
+@@ -2187,8 +2189,8 @@
+ /*
+ * User passed an undef to a field that is not nullable.
+ */
+- char err[80];
+- sprintf(err, "You have not provided a value for non-nullable parameter #%d.", i);
++ char err[ERRBUFSIZE];
++ snprintf(err, sizeof(err), "You have not provided a value for non-nullable parameter #%d.", i);
+ do_error(sth, 1, err);
+ retval = FALSE;
+ return retval;
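Review bot: the return value of snprintf() is discarded at the non-nullable parameter message, so a truncated string would be passed to do_error() without any indication. With this format and a single %d argument the text fits comfortably inside ERRBUFSIZE, so this is a hardening point rather than a bug; comparing the return value against sizeof(err), or a short comment saying truncation is acceptable here, would make the intent explicit.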
+@@ -2227,8 +2229,8 @@
+ else encoded = (U8*)string;
+
+ if (len > ivar->sqllen) {
+- char err[80];
+- sprintf(err, "String truncation (SQL_VARYING): attempted to bind %lu octets to column sized %lu",
++ char err[ERRBUFSIZE];
++ snprintf(err, sizeof(err), "String truncation (SQL_VARYING): attempted to bind %lu octets to column sized %lu",
+ (long unsigned)len, (long unsigned)(sizeof(char) * (ivar->sqllen)));
+ break;
+ }
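Review bot: in the SQL_VARYING branch, err is filled by snprintf() and the very next statement is `break;`, so within the visible lines the message is never handed to do_error() the way the non-nullable case does with `do_error(sth, 1, err);`. Since err is local to the `if (len > ivar->sqllen)` block, nothing after the break can read it. If the truncation is meant to be reported, call do_error() before the break; if not, the buffer and the formatting call can be removed, which also removes the overflow site entirely.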
+@@ -2262,8 +2264,8 @@
+ else encoded = (U8*)string;
+
+ if (len > ivar->sqllen) {
+- char err[80];
+- sprintf(err, "String truncation (SQL_TEXT): attempted to bind %lu octets to column sized %lu",
++ char err[ERRBUFSIZE];
++ snprintf(err, sizeof(err), "String truncation (SQL_TEXT): attempted to bind %lu octets to column sized %lu",
+ (long unsigned)len, (long unsigned)(sizeof(char) * (ivar->sqllen)));
+ break;
+ }
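Review bot: the SQL_TEXT branch repeats the SQL_VARYING block line for line apart from the type name in the format string, including the `break;` that directly follows snprintf(). A small helper taking the type name, len and ivar->sqllen would give both sites one format string and one reporting path to keep correct. The patch description also says the other sprintf() calls on fixed-size buffers in dbdimp.c were not checked; those should be audited in a follow-up rather than left for later discovery.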
diff --git a/debian/patches/series b/debian/patches/series
index fb8ceb2..35ccd6f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
git/skip-event-tests.patch
+CVE-2015-2788.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libdbd-firebird-perl.git