freetds: CVE-2019-13508: Heap overflow in FreeTDS if UDT type is used with protocol 5.0


Debian Bug report logs - #944012

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 2 Nov 2019 20:03:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions freetds/1.1.6-1, freetds/1.00.104-1



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#944012; Package src:freetds. (Sat, 02 Nov 2019 20:03:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Steve Langasek <vorlon@debian.org>. (Sat, 02 Nov 2019 20:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: freetds: CVE-2019-13508: Heap overflow in FreeTDS if UDT type is used with protocol 5.0
Date: Sat, 02 Nov 2019 20:59:25 +0100
Source: freetds
Version: 1.1.6-1
Severity: important
Tags: security upstream fixed-upstream
Control: found -1 1.00.104-1

Hi,

The following vulnerability was published for freetds.

CVE-2019-13508[0]:
| FreeTDS through 1.1.11 has a Buffer Overflow.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-13508
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13508
[1] https://github.com/FreeTDS/freetds/commit/0df4eb82a0e3ff844e373d7c9f9c6c813925e2ac
[2] https://bugs.launchpad.net/bugs/1835896
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1736255
[4] https://bugzilla.novell.com/show_bug.cgi?id=1141132

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions freetds/1.00.104-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 02 Nov 2019 20:03:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#944012; Package src:freetds. (Wed, 06 Nov 2019 18:15:07 GMT)


Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. (Wed, 06 Nov 2019 18:15:07 GMT)


Message #12 received at 944012@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 944012@bugs.debian.org
Subject: Re: Bug#944012: freetds: CVE-2019-13508: Heap overflow in FreeTDS if UDT type is used with protocol 5.0
Date: Wed, 6 Nov 2019 10:10:23 -0800
Hello,

On Sat, Nov 02, 2019 at 08:59:25PM +0100, Salvatore Bonaccorso wrote:
> Source: freetds
> Version: 1.1.6-1
> Severity: important
> Tags: security upstream fixed-upstream
> Control: found -1 1.00.104-1

> The following vulnerability was published for freetds.

> CVE-2019-13508[0]:
> | FreeTDS through 1.1.11 has a Buffer Overflow.

Where does this "1.1.11" number come from?  I do not see any releases newer
than 1.1.6 upstream.

> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2019-13508
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13508
> [1] https://github.com/FreeTDS/freetds/commit/0df4eb82a0e3ff844e373d7c9f9c6c813925e2ac
> [2] https://bugs.launchpad.net/bugs/1835896
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=1736255
> [4] https://bugzilla.novell.com/show_bug.cgi?id=1141132
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore
> 

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#944012; Package src:freetds. (Thu, 07 Nov 2019 06:06:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Thu, 07 Nov 2019 06:06:03 GMT)


Message #17 received at 944012@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Steve Langasek <vorlon@debian.org>, 944012@bugs.debian.org
Subject: Re: Bug#944012: freetds: CVE-2019-13508: Heap overflow in FreeTDS if UDT type is used with protocol 5.0
Date: Thu, 7 Nov 2019 07:02:55 +0100
Hi Steve,

On Wed, Nov 06, 2019 at 10:10:23AM -0800, Steve Langasek wrote:
> Hello,
> 
> On Sat, Nov 02, 2019 at 08:59:25PM +0100, Salvatore Bonaccorso wrote:
> > Source: freetds
> > Version: 1.1.6-1
> > Severity: important
> > Tags: security upstream fixed-upstream
> > Control: found -1 1.00.104-1
> 
> > The following vulnerability was published for freetds.
> 
> > CVE-2019-13508[0]:
> > | FreeTDS through 1.1.11 has a Buffer Overflow.
> 
> Where does this "1.1.11" number come from?  I do not see any releases newer
> than 1.1.6 upstream.

The CVE assignment was acknowledged by upstream in the launchpad bug
1835896. MITRE descriptions in any case should not be trusted 1-1 and
in this case it even was very minimalistic. In any case the fix is the
upstream commit 0df4eb82a0e3ff844e373d7c9f9c6c813925e2ac in the git
repository on github. But I notice on
https://www.freetds.org/software.html that the current stable version
should be 1.1.20, and while the respective commits are on the master
branch, the releases seem not to be tagged.

Does this help?

Regards,
Salvatore





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Nov 8 19:46:48 2019