DBD-Firebird: CVE-2015-2788: Buffer Overflow in dbdimp.c

Related Vulnerabilities: CVE-2015-2788  

Debian Bug report logs - #780925


Reported by: Damyan Ivanov <dmn@debian.org>

Date: Sat, 21 Mar 2015 21:27:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version libdbd-firebird-perl/0.91-2

Fixed in version libdbd-firebird-perl/1.18-2

Done: Damyan Ivanov <dmn@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#780925; Package libdbd-firebird-perl. (Sat, 21 Mar 2015 21:27:06 GMT)


Message #3 received at submit@bugs.debian.org:

From: Damyan Ivanov <dmn@debian.org>
To: submit@bugs.debian.org
Subject: DBD-Firebird: Buffer Overflow in dbdimp.c
Date: Sat, 21 Mar 2015 21:23:06 +0000
Package: libdbd-firebird-perl
Version: 0.91-2
Severity: grave
Tags: security upstream patch
X-Debbugs-CC: security@debian.org

Filing as a bug report.

----- Forwarded message from Stefan Roas <stefan.roas@fau.de> -----

From: Stefan Roas <stefan.roas@fau.de>
Subject: [Dbd-firebird-devel] Buffer Overflow in dbdimp.c
To: dbd-firebird-devel@lists.alioth.debian.org
Date: Fri, 13 Mar 2015 17:36:31 +0100

Hi there,

I found a buffer overflow in dbdimp.c. Error messages in dbdimp.c use
sprintf to a fixed-size buffer that (quite likely in two cases) might be
too small to hold the final result.

Attached you will find a patch that solves the problem by increasing the size
of the buffer to a value that should be large enough for every
conceivable input given the conversion specification and additionally
uses snprintf() instead of sprintf(). As snprintf() is already used
somewhere else in dbdimp.c I figure there are no portability issues
involved.

I did not check the other uses of sprintf, although it might be
worthwhile to do so as a quick check found other locations where a
fixed-size buffer is involved.

Best regards,
  Stefan

-- 
Stefan Roas, Datenbanken und studentische Verfahren
Friedrich-Alexander-Universität Erlangen-Nürnberg
Regionales Rechenzentrum Erlangen (RRZE)
Hugenottenplatz 1A, 91054 Erlangen, Deutschland
Tel.: +49 9131 85-29018
Fax : +49 9131 85-25777
stefan.roas@fau.de
http://www.rrze.fau.de


diff --git a/dbdimp.c b/dbdimp.c
index d985368..dbdf8e3 100644
--- a/dbdimp.c
+++ b/dbdimp.c
@@ -21,6 +21,8 @@
 
 DBISTATE_DECLARE;
 
+#define ERRBUFSIZE  255
+
 #define IB_SQLtimeformat(xxh, format, sv)                             \
 do {                                                                  \
     STRLEN len;                                                       \
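Review bot: ERRBUFSIZE is introduced as a bare number; a comment next to the #define stating how 255 was chosen (the longest format string in the file plus two %lu conversions of up to 20 digits each and the NUL, which in the hunks below comes to 116 bytes) would let a later reader verify the bound when new messages are added.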
@@ -2237,8 +2239,8 @@ static int ib_fill_isqlda(SV *sth, imp_sth_t *imp_sth, SV *param, SV *value,
             /*
             * User passed an undef to a field that is not nullable.
             */
-            char err[80];
-            sprintf(err, "You have not provided a value for non-nullable parameter #%d.", i);
+            char err[ERRBUFSIZE];
+            snprintf(err, sizeof(err), "You have not provided a value for non-nullable parameter #%d.", i);
             do_error(sth, 1, err);
             retval = FALSE;
             return retval;
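Review bot: this site was not an overflow in the old code: 59 fixed characters plus at most 11 for the %d and the terminating NUL is 71 bytes, within the old 80-byte buffer, so the change here is for consistency rather than to close a write past the end. Keeping it is fine; the two SQL_VARYING/SQL_TEXT hunks are the ones where the message can exceed 80 bytes.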
@@ -2278,8 +2280,8 @@ static int ib_fill_isqlda(SV *sth, imp_sth_t *imp_sth, SV *param, SV *value,
             string = SvPV(value, len);
 
             if (len > ivar->sqllen) {
-                char err[80];
-                sprintf(err, "String truncation (SQL_VARYING): attempted to bind %lu octets to column sized %lu",
+                char err[ERRBUFSIZE];
+                snprintf(err, sizeof(err), "String truncation (SQL_VARYING): attempted to bind %lu octets to column sized %lu",
                         (long unsigned)len, (long unsigned)(sizeof(char) * (ivar->sqllen)));
                 break;
             }
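Review bot: in the visible context `err` is formatted and then discarded: it is block-scoped and the block ends with `break;` without a `do_error(sth, 1, err);` call, so the truncation message is never reported to the caller. Either pass it to do_error() before the `break`, as the non-nullable-parameter hunk does, or drop the formatting. Also `(long unsigned)(sizeof(char) * (ivar->sqllen))` is just `(long unsigned)ivar->sqllen`, since sizeof(char) is 1 by definition.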
@@ -2301,8 +2303,8 @@ static int ib_fill_isqlda(SV *sth, imp_sth_t *imp_sth, SV *param, SV *value,
             string = SvPV(value, len);
 
             if (len > ivar->sqllen) {
-                char err[80];
-                sprintf(err, "String truncation (SQL_TEXT): attempted to bind %lu octets to column sized %lu",
+                char err[ERRBUFSIZE];
+                snprintf(err, sizeof(err), "String truncation (SQL_TEXT): attempted to bind %lu octets to column sized %lu",
                         (long unsigned)len, (long unsigned)(sizeof(char) * (ivar->sqllen)));
                 break;
             }
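Review bot: same dead `err` as in the SQL_VARYING hunk above; the message is built and then the block breaks out without passing it to do_error(). The two branches differ only in the type label, so a small static helper that takes the label, len and sqllen would remove the duplicated format string and make any future size change a single edit.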


----- End forwarded message -----
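As an added illustration, not part of the bug report or the DBD-Firebird sources, the following C program takes the SQL_VARYING format string from the patch and shows why the pre-patch `sprintf()` into `char err[80]` can overrun the buffer while the patched bounded `snprintf()` cannot; the sample octet counts are constructed.

```c
#include <limits.h>
#include <stdio.h>

/* Buffer sizes before and after the patch (constructed example, not DBD-Firebird code). */
#define OLD_ERRBUFSIZE 80
#define ERRBUFSIZE     255

/* The format string from the SQL_VARYING branch of ib_fill_isqlda(): 75 fixed
 * characters plus two %lu conversions of up to 20 digits each. */
static const char FMT[] =
    "String truncation (SQL_VARYING): attempted to bind %lu octets to column sized %lu";

/* Bytes the formatted message occupies, including the terminating NUL. */
size_t needed_len(unsigned long len, unsigned long sqllen)
{
    return (size_t)snprintf(NULL, 0, FMT, len, sqllen) + 1;
}

/* The pre-patch code did sprintf() into char err[80]: would that write past the end? */
int old_code_overflows(unsigned long len, unsigned long sqllen)
{
    return needed_len(len, sqllen) > OLD_ERRBUFSIZE;
}

/* Patched formatting into a buffer of bufsize bytes (1..ERRBUFSIZE).
 * Returns 1 if the whole message fit, 0 if snprintf() truncated it, -1 on a bad size.
 * In every case the write stays inside the buffer and is NUL-terminated. */
int patched_fits(size_t bufsize, unsigned long len, unsigned long sqllen)
{
    char err[ERRBUFSIZE];
    int n;
    if (bufsize == 0 || bufsize > sizeof err)
        return -1;
    n = snprintf(err, bufsize, FMT, len, sqllen);
    return n >= 0 && (size_t)n < bufsize;
}

int main(void)
{
    unsigned long len = 100000, sqllen = 32767;   /* constructed sample values */
    printf("message needs %zu bytes; old 80-byte buffer overflows: %d\n",
           needed_len(len, sqllen), old_code_overflows(len, sqllen));
    printf("fits in %d bytes after the patch: %d\n", ERRBUFSIZE,
           patched_fits(ERRBUFSIZE, len, sqllen));
    printf("worst case (both values ULONG_MAX) fits: %d\n",
           patched_fits(ERRBUFSIZE, ULONG_MAX, ULONG_MAX));
    return 0;
}
```

Even a modest bind of a 100000-octet string to a 32767-octet column needs 87 bytes, seven past the old buffer, while the worst case with both values at ULONG_MAX stays well inside the patched 255.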



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#780925; Package libdbd-firebird-perl. (Sun, 29 Mar 2015 13:33:21 GMT)


Message #6 received at 780925@bugs.debian.org:

From: Damyan Ivanov <dmn@debian.org>
To: 780925@bugs.debian.org
Subject: Re: Bug#780925: DBD-Firebird: Buffer Overflow in dbdimp.c
Date: Sun, 29 Mar 2015 13:29:09 +0000
-=| Damyan Ivanov, 21.03.2015 21:23:06 +0000 |=-
> Package: libdbd-firebird-perl
> Version: 0.91-2
> Severity: grave
> Tags: security upstream patch

I have committed the patch in packaging Git¹. I have also committed 
another patch that replaces all sprintf() usage with snprintf(). Both 
patches were applied and released upstream (by me).

¹ https://anonscm.debian.org/cgit/pkg-perl/packages/libdbd-firebird-perl.git/log/

To avoid some mistake due to too much self-confidence, I'd appreciate 
if others could take a look and state their opinion on whether this is 
suitable for jessie (and perhaps wheezy).


TIA,
    dam



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#780925; Package libdbd-firebird-perl. (Mon, 30 Mar 2015 17:45:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 30 Mar 2015 17:45:04 GMT)


Message #11 received at 780925@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Damyan Ivanov <dmn@debian.org>, 780925@bugs.debian.org
Subject: Re: Bug#780925: DBD-Firebird: Buffer Overflow in dbdimp.c
Date: Mon, 30 Mar 2015 19:41:06 +0200
Control: retitle -1 DBD-Firebird: CVE-2015-2788: Buffer Overflow in dbdimp.c

Hi Damyan,

See http://www.openwall.com/lists/oss-security/2015/03/30/10

Regards,
Salvatore



Changed Bug title to 'DBD-Firebird: CVE-2015-2788: Buffer Overflow in dbdimp.c' from 'DBD-Firebird: Buffer Overflow in dbdimp.c'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 780925-submit@bugs.debian.org. (Mon, 30 Mar 2015 17:45:04 GMT)


Reply sent to Damyan Ivanov <dmn@debian.org>:
You have taken responsibility. (Wed, 01 Apr 2015 09:51:05 GMT)


Notification sent to Damyan Ivanov <dmn@debian.org>:
Bug acknowledged by developer. (Wed, 01 Apr 2015 09:51:05 GMT)


Message #18 received at 780925-close@bugs.debian.org:

From: Damyan Ivanov <dmn@debian.org>
To: 780925-close@bugs.debian.org
Subject: Bug#780925: fixed in libdbd-firebird-perl 1.18-2
Date: Wed, 01 Apr 2015 09:49:39 +0000
Source: libdbd-firebird-perl
Source-Version: 1.18-2

We believe that the bug you reported is fixed in the latest version of
libdbd-firebird-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 780925@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Damyan Ivanov <dmn@debian.org> (supplier of updated libdbd-firebird-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 01 Apr 2015 08:43:03 +0000
Source: libdbd-firebird-perl
Binary: libdbd-firebird-perl
Architecture: source amd64
Version: 1.18-2
Distribution: unstable
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Damyan Ivanov <dmn@debian.org>
Description:
 libdbd-firebird-perl - Perl DBI driver for Firebird RDBMS server
Closes: 780925
Changes:
 libdbd-firebird-perl (1.18-2) unstable; urgency=high
 .
   * High urgency for security fixes
 .
   [ Salvatore Bonaccorso ]
   * Update Vcs-Browser URL to cgit web frontend
 .
   [ Damyan Ivanov ]
   * Add patch from Stefan Roas fixing potential buffer overflow in certain
     error conditions (CVE-2015-2788)
     (Closes: #780925)
   * add patch from upstream Git replacing all sprintf usage with snprintf




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 May 2015 07:40:14 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:15:05 2019; Machine Name: buxtehude
