CVE-2018-7409

Related Vulnerabilities: CVE-2018-7409   CVE-2012-2657   CVE-2012-2658  

Debian Bug report logs - #891596
CVE-2018-7409


Reported by: "Santiago R.R." <santiagorr@riseup.net>

Date: Mon, 26 Feb 2018 21:42:01 UTC

Severity: grave

Tags: patch, security

Found in version unixodbc/2.3.4-1.1

Fixed in version unixodbc/2.3.6-0.1

Done: Hugh McMaster <hugh.mcmaster@outlook.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#891596; Package src:unixodbc. (Mon, 26 Feb 2018 21:42:03 GMT)


Acknowledgement sent to "Santiago R.R." <santiagorr@riseup.net>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Steve Langasek <vorlon@debian.org>. (Mon, 26 Feb 2018 21:42:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Santiago R.R." <santiagorr@riseup.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2018-7409
Date: Mon, 26 Feb 2018 22:38:51 +0100
Source: unixodbc
Version: 2.3.4-1.1
Severity: grave
Tags: security

Hi,

the following vulnerability was published for unixodbc.

CVE-2018-7409[0]:
| In unixODBC before 2.3.5, there is a buffer overflow in the
| unicode_to_ansi_copy() function in DriverManager/__info.c.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7409
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7409

Please adjust the affected versions in the BTS as needed.


Added tag(s) pending. Request was from Hugh McMaster <hugh.mcmaster@outlook.com> to control@bugs.debian.org. (Wed, 04 Apr 2018 13:45:06 GMT)


Added tag(s) patch. Request was from Hugh McMaster <hugh.mcmaster@outlook.com> to 888968-submit@bugs.debian.org. (Thu, 12 Apr 2018 13:21:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#891596; Package src:unixodbc. (Wed, 09 May 2018 13:54:07 GMT)


Message #12 received at 891596@bugs.debian.org:

From: Mattia Rizzolo <mattia@debian.org>
To: 422207@bugs.debian.org, 675058@bugs.debian.org, 888968@bugs.debian.org, 891596@bugs.debian.org, 893891@bugs.debian.org
Cc: Hugh McMaster <hugh.mcmaster@outlook.com>
Subject: unixodbc: diff for NMU version 2.3.6-0.1
Date: Wed, 9 May 2018 15:45:45 +0200
Dear maintainer,

I'm sponsoring an NMU prepared by Hugh McMaster (CCed) for unixodbc
(versioned as 2.3.6-0.1) and uploaded it to DELAYED/10.
Please feel free to tell me if I should delay it longer.

Attached you can find both the usual full debdiff, and a filtered diff
of only debian/.

Regards.


-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
[unixodbc-2.3.6-0.1-nmu.diff (text/x-diff, attachment)]
[debian.diff (text/x-diff, attachment)]

Reply sent to Hugh McMaster <hugh.mcmaster@outlook.com>:
You have taken responsibility. (Sat, 19 May 2018 15:33:19 GMT)


Notification sent to "Santiago R.R." <santiagorr@riseup.net>:
Bug acknowledged by developer. (Sat, 19 May 2018 15:33:19 GMT)


Message #17 received at 891596-close@bugs.debian.org:

From: Hugh McMaster <hugh.mcmaster@outlook.com>
To: 891596-close@bugs.debian.org
Subject: Bug#891596: fixed in unixodbc 2.3.6-0.1
Date: Sat, 19 May 2018 15:32:27 +0000
Source: unixodbc
Source-Version: 2.3.6-0.1

We believe that the bug you reported is fixed in the latest version of
unixodbc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 891596@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hugh McMaster <hugh.mcmaster@outlook.com> (supplier of updated unixodbc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 09 May 2018 21:53:53 +1000
Source: unixodbc
Binary: unixodbc libodbc1 unixodbc-dev odbcinst1debian2 odbcinst
Architecture: source
Version: 2.3.6-0.1
Distribution: unstable
Urgency: medium
Maintainer: Steve Langasek <vorlon@debian.org>
Changed-By: Hugh McMaster <hugh.mcmaster@outlook.com>
Description:
 libodbc1   - ODBC library for Unix
 odbcinst   - Helper program for accessing odbc ini files
 odbcinst1debian2 - Support library for accessing odbc ini files
 unixodbc   - Basic ODBC tools
 unixodbc-dev - ODBC libraries for UNIX (development files)
Closes: 422207 675058 888968 891596 893891
Changes:
 unixodbc (2.3.6-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream release (Closes: #888968).
     - Fix buffer overflow when calling unicode_to_ansi_copy() in
       DriverManager/SQLDriverConnectW.c (CVE-2018-7409) (Closes: #891596).
     - Package upstream manpages instead of Debian versions (Closes: #893891).
     - Fix potential buffer overflow vulnerabilities in SQLDriverConnect
       functions (CVE-2012-2657 and CVE-2012-2658) (Closes: #675058).
     - Install pkg-config files (Closes: #422207).
   * Switch to dpkg-source 3.0 (quilt) format.
   * Update debhelper package compatibility to level 11.
   * debian/changelog: Remove trailing whitespace.
   * debian/control:
     - Build-Depend on debhelper version 11.
     - Remove dh-autoreconf from the Build-Depends list.
     - Raise Standards-Version to 4.1.4 from 3.9.8 (no changes needed).
     - Remove the Vcs-fields until the package repository moves to Salsa.
     - Remove the deprecated Priority: extra field from unixodbc-dev.
     - Use the inherited Section field for libodbc1 and odbcinst1debian2.
     - Update package descriptions for odbcinst1debian2 and odbcinst.
     - Drop un-needed Conflicts field from unixodbc.
   * debian/copyright:
     - Use secure HTTP in the Format field.
     - Update Copyright information for unixODBC 2.3.6.
   * debian/docs:
      - Rename to unixodbc.docs.
   * debian/patches:
     - Convert unixodbc_2.3.4-1.1.diff into patches.
     - Add a patch to prevent __post_inernal_error() from being exported.
     - Add a patch to fix spelling errors in DRVConfig/txt/drvcfg.c.
     - Add a patch to fix spelling and formatting in odbcinst.ini.5.
     - Forward some patches upstream.
   * debian/rules:
     - Add 'hardening=+all' to DEB_BUILD_MAINT_OPTIONS.
     - Remove '--with autoreconf' (now handled by debhelper >= level 10).
     - Remove dh_auto_clean override.
     - Compile with the default CXXFLAGS options.
   * Add debian/watch file.
   * Remove a lintian override (symbols-file-contains-debian-revision).
   * Remove debian/clean (no longer needed).
   * Remove debian/odbcinst.postinst (no longer needed).
   * Remove debian/dirs: /usr/lib/odbc has been replaced by multi-arch paths.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 Jun 2018 07:27:37 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:49:08 2019; Machine Name: buxtehude
