Your message dated Wed, 01 Apr 2015 09:49:39 +0000
with message-id <[email protected]>
and subject line Bug#780925: fixed in libdbd-firebird-perl 1.18-2
has caused the Debian Bug report #780925,
regarding DBD-Firebird: CVE-2015-2788: Buffer Overflow in dbdimp.c
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
780925: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780925
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libdbd-firebird-perl
Version: 0.91-2
Severity: grave
Tags: security upstream patch
X-Debbugs-CC: [email protected]

Filing as a bug report.

----- Forwarded message from Stefan Roas <[email protected]> -----

From: Stefan Roas <[email protected]>
Subject: [Dbd-firebird-devel] Buffer Overflow in dbdimp.c
To: [email protected]
Date: Fri, 13 Mar 2015 17:36:31 +0100

Hi there,

I found a buffer overflow in dbdimp.c. Error messages in dbdimp.c use
sprintf to a fixed-size buffer that (quite likely in two cases) might be
too small to hold the final result.

Attached you will find a patch that solves the problem by increasing the
size of the buffer to a value that should be large enough for every
conceivable input given the conversion specification and additionally
using snprintf() instead of sprintf(). As snprintf() is already used
somewhere else in dbdimp.c I figure there are no portability issues
involved.

I did not check the other uses of sprintf, although it might be
worthwhile to do so as a quick check found other locations where a
fixed-size buffer is involved.

Best regards,
  Stefan

-- 
Stefan Roas, Datenbanken und studentische Verfahren
Friedrich-Alexander-Universität Erlangen-Nürnberg
Regionales Rechenzentrum Erlangen (RRZE)
Hugenottenplatz 1A, 91054 Erlangen, Deutschland
Tel.: +49 9131 85-29018
Fax : +49 9131 85-25777
[email protected]
http://www.rrze.fau.de


diff --git a/dbdimp.c b/dbdimp.c
index d985368..dbdf8e3 100644
--- a/dbdimp.c
+++ b/dbdimp.c
@@ -21,6 +21,8 @@
 
 DBISTATE_DECLARE;
 
+#define ERRBUFSIZE  255
+
 #define IB_SQLtimeformat(xxh, format, sv)                             \
 do {                                                                  \
     STRLEN len;                                                       \
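Review bot: ERRBUFSIZE is introduced at the top of dbdimp.c without a comment on how 255 was derived. Since the buffers it sizes hold fixed format strings with %d and %lu conversions, a one-line comment giving the longest message it must hold (format text plus the maximum digits of each conversion) would let a later reader verify the bound when a message is added or reworded.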
@@ -2237,8 +2239,8 @@ static int ib_fill_isqlda(SV *sth, imp_sth_t *imp_sth, SV 
*param, SV *value,
             /*
             * User passed an undef to a field that is not nullable.
             */
-            char err[80];
-            sprintf(err, "You have not provided a value for non-nullable 
parameter #%d.", i);
+            char err[ERRBUFSIZE];
+            snprintf(err, sizeof(err), "You have not provided a value for 
non-nullable parameter #%d.", i);
             do_error(sth, 1, err);
             retval = FALSE;
             return retval;
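Review bot: In the non-nullable-parameter branch the return value of snprintf() is discarded, so whether the message fit is never checked before err is handed to do_error(sth, 1, err). With one %d in this format and a 255-byte buffer the message cannot be cut short, so this is a robustness point rather than a defect; sizeof(err) is the right bound here only while err remains an array declared in the same scope.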
@@ -2278,8 +2280,8 @@ static int ib_fill_isqlda(SV *sth, imp_sth_t *imp_sth, SV 
*param, SV *value,
             string = SvPV(value, len);
 
             if (len > ivar->sqllen) {
-                char err[80];
-                sprintf(err, "String truncation (SQL_VARYING): attempted to 
bind %lu octets to column sized %lu",
+                char err[ERRBUFSIZE];
+                snprintf(err, sizeof(err), "String truncation (SQL_VARYING): 
attempted to bind %lu octets to column sized %lu",
                         (long unsigned)len, (long unsigned)(sizeof(char) * 
(ivar->sqllen)));
                 break;
             }
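Review bot: In the SQL_VARYING branch, err is declared inside the if (len > ivar->sqllen) block, filled by snprintf(), and then the block leaves through break without err being passed to anything in the lines shown, unlike the previous hunk where do_error(sth, 1, err) and retval = FALSE follow the formatting. If the truncation is meant to be reported, call do_error(sth, 1, err) (and set retval) before the break; the bounded write itself is fine.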
@@ -2301,8 +2303,8 @@ static int ib_fill_isqlda(SV *sth, imp_sth_t *imp_sth, SV 
*param, SV *value,
             string = SvPV(value, len);
 
             if (len > ivar->sqllen) {
-                char err[80];
-                sprintf(err, "String truncation (SQL_TEXT): attempted to bind 
%lu octets to column sized %lu",
+                char err[ERRBUFSIZE];
+                snprintf(err, sizeof(err), "String truncation (SQL_TEXT): 
attempted to bind %lu octets to column sized %lu",
                         (long unsigned)len, (long unsigned)(sizeof(char) * 
(ivar->sqllen)));
                 break;
             }
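Review bot: The SQL_TEXT branch repeats the SQL_VARYING branch line for line apart from the type name in the format string, including the same absence of a do_error() call before break in the visible lines. A small helper taking the type name, len and ivar->sqllen would keep the two messages and their buffer bound in one place; the sizeof(char) * factor in the second argument is always 1 and can be dropped.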


----- End forwarded message -----

--- End Message ---
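The buffer arithmetic behind the report above, as an added example that is not part of the bug report, the patch or the DBD::Firebird sources: it measures how many bytes the two "String truncation" messages need and shows snprintf() reporting truncation through its return value. The helper names `bytes_needed` and `format_checked`, the `%s` form of the format string and the sample lengths are assumptions made for this illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define OLD_BUFSIZE 80    /* char err[80] before the patch */
#define ERRBUFSIZE  255   /* value the patch introduces */

/* Same text as the two messages in the patch, with the type name as %s. */
#define TRUNC_FMT "String truncation (%s): attempted to bind %lu octets to column sized %lu"

static char old_buf[OLD_BUFSIZE];
static char new_buf[ERRBUFSIZE];

/* Bytes the finished message needs, terminating NUL included; -1 on error. */
static int bytes_needed(const char *type, unsigned long len, unsigned long sqllen)
{
    int n = snprintf(NULL, 0, TRUNC_FMT, type, len, sqllen);
    return n < 0 ? -1 : n + 1;
}

/* Bounded formatting: 0 = whole message stored, 1 = truncated, -1 = error. */
static int format_checked(char *dst, size_t cap, const char *type,
                          unsigned long len, unsigned long sqllen)
{
    int n = snprintf(dst, cap, TRUNC_FMT, type, len, sqllen);
    if (n < 0)
        return -1;
    return (size_t)n >= cap ? 1 : 0;
}

int main(void)
{
    /* Constructed inputs: a 1000-octet value bound to a 10-octet column. */
    printf("SQL_VARYING 1000/10 needs %d bytes (old buffer: %d)\n",
           bytes_needed("SQL_VARYING", 1000UL, 10UL), OLD_BUFSIZE);
    printf("worst case needs %d bytes (ERRBUFSIZE: %d)\n",
           bytes_needed("SQL_VARYING", ULONG_MAX, ULONG_MAX), ERRBUFSIZE);

    int t = format_checked(old_buf, sizeof old_buf, "SQL_VARYING", 1000UL, 10UL);
    printf("80-byte snprintf: truncated=%d, stored %zu chars\n", t, strlen(old_buf));
    t = format_checked(new_buf, sizeof new_buf, "SQL_VARYING", 1000UL, 10UL);
    printf("255-byte snprintf: truncated=%d: %s\n", t, new_buf);
    return 0;
}
```

The fixed text of the SQL_VARYING message is 75 characters, so any pair of lengths with more than four digits between them exceeds the old 80-byte buffer.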
--- Begin Message ---
Source: libdbd-firebird-perl
Source-Version: 1.18-2

We believe that the bug you reported is fixed in the latest version of
libdbd-firebird-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Damyan Ivanov <[email protected]> (supplier of updated libdbd-firebird-perl 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 01 Apr 2015 08:43:03 +0000
Source: libdbd-firebird-perl
Binary: libdbd-firebird-perl
Architecture: source amd64
Version: 1.18-2
Distribution: unstable
Urgency: high
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Damyan Ivanov <[email protected]>
Description:
 libdbd-firebird-perl - Perl DBI driver for Firebird RDBMS server
Closes: 780925
Changes:
 libdbd-firebird-perl (1.18-2) unstable; urgency=high
 .
   * High urgency for security fixes
 .
   [ Salvatore Bonaccorso ]
   * Update Vcs-Browser URL to cgit web frontend
 .
   [ Damyan Ivanov ]
   * Add patch from Stefan Roas fixing potential buffer overflow in certain
     error conditions (CVE-2015-2788)
     (Closes: #780925)
   * add patch from upstream Git replacing all sprintf usage with snprintf
Checksums-Sha1:
 88c0a0854601538a410c2bb20a1f61c3c269a14d 2185 libdbd-firebird-perl_1.18-2.dsc
 3d64baa894b11705713286f499feacc36d6c6f3e 5952 
libdbd-firebird-perl_1.18-2.debian.tar.xz
Checksums-Sha256:
 943cc75a3da084d653d6fa5821ab3506172eb66cde36547d2200895f7690e483 2185 
libdbd-firebird-perl_1.18-2.dsc
 05155f703ae7ba9fcea3d05787458df33eb629eea260812b16b5024472ba0dda 5952 
libdbd-firebird-perl_1.18-2.debian.tar.xz
Files:
 6697648a1d9d99f1c6218f74e3728769 2185 perl optional 
libdbd-firebird-perl_1.18-2.dsc
 c3f41c4129287387b2dea6f12efb00f4 5952 perl optional 
libdbd-firebird-perl_1.18-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
