Your message dated Fri, 29 Jul 2011 08:05:14 -0400
with message-id
<camdxsegae5wtj2+cezs0d+udkxkhy7oc8ek33g8be36_9xt...@mail.gmail.com>
and subject line Re: Bug#635668: retraction and explanation
has caused the Debian Bug report #635668,
regarding libdbd-odbc-perl: package may be built with incorrect pointer size on
64-bit systems
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
635668: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=635668
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libdbd-odbc-perl
Severity: grave
Tags: security
Justification: user security hole
Because of changes that Microsoft made to the ODBC specification, the previously 32-bit binary protocol now supports 64-bit values on systems that support it (e.g. on amd64 and possibly the ia64 architectures).
During build time, DBD::ODBC probes for a utility called odbc_config, which, like pkg-config, is intended to provide developers with the compiler flags used to build unixODBC itself. However, because this is not included with Debian's unixODBC (it is not installed into any of the unixodbc binary packages), it is not possible to tell whether the package should be compiled assuming 32-bit or 64-bit data types.
When odbc_config cannot be found (since it is not available in Debian), the macro SIZEOF_LONG is not defined, so DBD::ODBC assumes that unixODBC was built with 32-bit-long SQLLEN and SQLULEN.
This raises a potential security issue because unixODBC could write 64-bit values into buffers that are only 32 bits large (DBD::ODBC having provided 32-bit-long buffers based on the assumption of SQLLEN and SQLULEN being 32 bits).
This issue is explained at length on the blog of the DBD::ODBC upstream developer:
http://www.martin-evans.me.uk/node/116
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
--- End Message ---
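Added example (not from the bug report, DBD::ODBC or unixODBC): a simplified C model of the width rule the report describes, with a struct-confined demonstration of what happens when a driver manager built with an 8-byte SQLLEN stores an indicator value into a slot the application sized for 4 bytes. The macro names SIZEOF_LONG and BUILD_REAL_64_BIT_MODE are the ones from the thread; the helper names and the exact typedef rule are assumptions, not the real sqltypes.h.

```c
#include <stdint.h>
#include <string.h>

/* Width in bytes SQLLEN/SQLULEN get under the rule the report describes:
 * only a build that sees SIZEOF_LONG == 8 *and* BUILD_REAL_64_BIT_MODE gets
 * the 64-bit typedef. Without odbc_config neither macro is set, so the
 * 32-bit fallback is chosen. (Simplified model, not the real header.) */
size_t sqllen_width(int sizeof_long, int build_real_64_bit_mode)
{
    if (sizeof_long == 8 && build_real_64_bit_mode)
        return 8;  /* SQLLEN is a 64-bit long */
    return 4;      /* SQLLEN falls back to a 32-bit int */
}

/* Application side: two adjacent indicator slots sized for a 32-bit SQLLEN,
 * the layout DBD::ODBC would produce when SIZEOF_LONG is undefined. */
struct app_indicators {
    uint32_t len[2];
};

/* Library side: the driver manager stores a length/indicator value using
 * *its* SQLLEN width at the address the application passed for slot 0.
 * The write stays inside the struct so the demonstration never leaves
 * valid memory. */
static void lib_store_len(void *slot0, size_t lib_width, int64_t value)
{
    if (lib_width == 8) {
        int64_t v = value;
        memcpy(slot0, &v, sizeof v);
    } else {
        int32_t v = (int32_t)value;
        memcpy(slot0, &v, sizeof v);
    }
}

/* Returns 1 if the library's write into slot 0 also overwrote slot 1, the
 * observable symptom of the two sides disagreeing on sizeof(SQLLEN);
 * returns 0 when the widths agree. Holds on either endianness. */
int slot1_clobbered(size_t lib_width)
{
    struct app_indicators ind = { { 0, 0xCAFEBABEu } }; /* slot 1 is live data */
    lib_store_len(&ind.len[0], lib_width, 5);
    return ind.len[1] != 0xCAFEBABEu;
}

/* What a build-time probe should check before trusting any buffer size:
 * nonzero means the build must not proceed with its current assumptions. */
int widths_disagree(int lib_sizeof_long, int lib_real64, int app_sizeof_long, int app_real64)
{
    return sqllen_width(lib_sizeof_long, lib_real64) != sqllen_width(app_sizeof_long, app_real64);
}
```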
--- Begin Message ---
Closing this bug report per the message below; no further action is required here.
Cheers,
Jonathan
On Thu, Jul 28, 2011 at 9:58 AM, Martin J. Evans <martin.ev...@easysoft.com> wrote:
> Jonathan Yu reported this issue on my behalf (so it is no reflection on him)
> after I was seeking someone to try and get unixODBC's odbc_config into
> Debian for the reason outlined above.
>
> I am not a debian user myself but I was sent header files reportedly from
> Ubuntu boxes which did not contain a unixodbc_conf.h and needed SIZEOF_LONG
> set to 8 else SQLLEN/SQLULEN was not 64 bit. These headers did not contain a
> define for BUILD_REAL_64_BIT_MODE either.
>
> With the help of more Debian-savvy people I located the lenny (oldstable)
> and squeeze (stable) headers and these are in fact correct because someone
> has added BUILD_REAL_64_BIT_MODE.
>
> As a result this does not seem to be a problem in Debian as distributed in
> stable releases.
>
> However, please still consider adding odbc_config to unixODBC as it has
> other uses beyond locating --cflags.
>
> Martin
>
> _______________________________________________
> pkg-perl-maintainers mailing list
> pkg-perl-maintain...@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-maintainers
>
--- End Message ---