
List:       oss-security
Subject:    [oss-security] Re: CVE Request: DBD-Firebird: Buffer Overflow in dbdimp.c
From:       cve-assign () mitre ! org
Date:       2015-03-30 15:57:53
Message-ID: 20150330155753.CC2B572E032 () smtpvbsrv1 ! mitre ! org

> A buffer overflow has been fixed in DBD-Firebird, a DBI driver for
> Firebird RDBMS server, in version 1.19:
> 
> https://metacpan.org/source/DAM/DBD-Firebird-1.19/Changes
> https://bugs.debian.org/780925

> https://bugs.debian.org/780925#3
> 
> I found a buffer overflow in dbdimp.c. Error messages in dbdimp.c use
> sprintf to a fixed-size buffer that (quite likely in two cases) might be
> too small to hold the final result.

Presumably this means there were three cases found by Stefan Roas but
the third wasn't exploitable. CVE-2015-2788 is for:

  - char err[80];
  - sprintf(err, "String truncation (SQL_VARYING): attempted to bind %lu octets to column sized %lu"

  - char err[80];
  - sprintf(err, "String truncation (SQL_TEXT): attempted to bind %lu octets to column sized %lu"

For the third one:

  - char err[80];
  - sprintf(err, "You have not provided a value for non-nullable parameter #%d.", i);

"You have not provided a value for non-nullable
parameter #-9223372036854775807.\0" is 80 characters.

Also, the scope of this CVE ID does not include any unreported or
later-reported buffer overflows found and fixed by Damyan Ivanov,
e.g., ones in the
https://anonscm.debian.org/cgit/pkg-perl/packages/libdbd-firebird-perl.git/commit/?id=63ba70750f8be99765e09fe5d032042eeea19807
 commit.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
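The length arithmetic behind the message above, as an added example (not code from the message or from DBD-Firebird): it measures how many bytes each quoted format string needs against the 80-byte err buffer and shows a bounded snprintf form. The helper names and the sample sizes are assumptions made for illustration, and the bounded form is one standard mitigation, not necessarily the project's fix.

```c
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>

#define ERR_SIZE 80 /* size of the err[] buffer quoted in the message */

/* Format strings exactly as quoted in the message. */
static const char FMT_VARYING[] = "String truncation (SQL_VARYING): attempted to bind %lu octets to column sized %lu";
static const char FMT_TEXT[] = "String truncation (SQL_TEXT): attempted to bind %lu octets to column sized %lu";
static const char FMT_PARAM[] = "You have not provided a value for non-nullable parameter #%d.";

/* Bytes sprintf() would write for this format and arguments, including the
 * terminating NUL. vsnprintf(NULL, 0, ...) measures without writing (C99). */
static int bytes_needed(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n < 0 ? -1 : n + 1;
}

/* Bounded form of the SQL_VARYING message: writes at most ERR_SIZE bytes.
 * Returns 1 if the message had to be truncated, 0 if it fit. */
static int format_bounded(char err[ERR_SIZE], unsigned long octets, unsigned long colsize)
{
    int n = snprintf(err, ERR_SIZE, FMT_VARYING, octets, colsize);
    return n < 0 || n >= ERR_SIZE;
}

int main(void)
{
    char err[ERR_SIZE];
    /* Constructed sample sizes, not values taken from the bug report. */
    printf("SQL_VARYING, 1000 into 10:   %d bytes\n", bytes_needed(FMT_VARYING, 1000UL, 10UL));
    printf("SQL_VARYING, 5 into 5:       %d bytes\n", bytes_needed(FMT_VARYING, 5UL, 5UL));
    printf("SQL_TEXT, 32765 into 255:    %d bytes\n", bytes_needed(FMT_TEXT, 32765UL, 255UL));
    /* %d takes an int, so INT_MIN is the longest value it can print. */
    printf("parameter #INT_MIN:          %d bytes\n", bytes_needed(FMT_PARAM, INT_MIN));
    printf("bounded call truncated:      %d\n", format_bounded(err, 1000UL, 10UL));
    printf("buffer holds: %s\n", err);
    return 0;
}
```

The two %lu messages have 75 and 72 fixed characters, so they exceed 80 bytes once the two numbers together reach 5 and 8 digits respectively.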

