tag 675058 -security
severity 675058 normal
thanks

On Wed, May 30, 2012 at 09:34:34AM -0700, Steve Langasek wrote:
> On Tue, May 29, 2012 at 06:40:35PM +0300, Henri Salo wrote:
> > Package: unixodbc
> > Version: 2.2.14p2-1
> > Severity: important
> > Tags: security
>
> > From Felipe Pena in [oss-security] CVE id request: Multiple buffer overflow
> > in unixODBC:
> > """
> > Multiple buffer overflow in unixODBC
> > ===========================
>
> > The library unixODBC doesn't check properly the input from FILEDSN=,
> > DRIVER= options in the DSN,
> > which causes buffer overflow when passed to the SQLDriverConnect() function.
>
> > The unixODBC maintainer has been notified about the issue.
>
> > Version affected
> > ============
>
> > FILEDSN= as of 2.0.10
> > DRIVER= as of 2.3.1
>
> What makes this a security bug? What is the attack vector for tricking a
> user into running an ODBC-enabled application with untrusted data in the
> FILEDSN or DRIVER variables?

These are only triggerable by trusted input, so not a security issue.

Cheers,
Moritz
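As an added illustration (not unixODBC's code and not from this thread), here is the kind of length check whose absence the report describes: extracting a DSN attribute such as FILEDSN= or DRIVER= from a connection string into a fixed-size buffer and refusing, rather than copying, a value that does not fit. The buffer size, result codes and function name are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define ATTR_VALUE_MAX 64   /* assumed buffer size for illustration, not unixODBC's */

enum { ATTR_OK = 0, ATTR_MISSING = 1, ATTR_TOO_LONG = 2 };

/* Find `key` in a "KEY=VALUE;KEY=VALUE" connection string (case-insensitive,
 * matched only at the start of an attribute) and copy its value into `out`
 * (`out_size` bytes).  A value that does not fit with its terminator is
 * refused, not written, so an over-long FILEDSN= or DRIVER= value cannot
 * run past the end of the buffer. */
int get_attr_bounded(const char *conn, const char *key,
                     char *out, size_t out_size)
{
    size_t klen = strlen(key);
    for (const char *p = conn; *p; ) {
        const char *end = strchr(p, ';');
        size_t alen = end ? (size_t)(end - p) : strlen(p);
        if (alen > klen && strncasecmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = alen - klen - 1;
            if (vlen + 1 > out_size)
                return ATTR_TOO_LONG;       /* reject instead of overflowing */
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return ATTR_OK;
        }
        if (!end)
            break;
        p = end + 1;
    }
    if (out_size)
        out[0] = '\0';
    return ATTR_MISSING;
}

int main(void)
{
    /* Constructed inputs: a normal string and one whose DRIVER= value is 100 bytes. */
    char buf[ATTR_VALUE_MAX], big[128] = "DSN=test;DRIVER=";
    memset(big + 16, 'A', 100);
    printf("%d [%s]\n", get_attr_bounded("DSN=test;driver={PostgreSQL};UID=u",
                                         "DRIVER", buf, sizeof buf), buf);
    printf("%d\n", get_attr_bounded(big, "DRIVER", buf, sizeof buf));
    return 0;
}
```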