This is an automated email from the git hooks/post-receive script. ghedo pushed a commit to branch wheezy in repository libdbd-firebird-perl.
commit 714ec1bbfc3d713352c964b77d73e843738cd7c1
Author: Alessandro Ghedini <alessan...@ghedini.me>
Date: Mon Apr 6 17:26:29 2015 +0200
Fix potential buffer overflow as per CVE-2015-2788
Closes: #780925
---
 debian/patches/CVE-2015-2788.patch | 85 ++++++++++++++++++++++++++++++++++++++
 debian/patches/series | 1 +
 2 files changed, 86 insertions(+)
diff --git a/debian/patches/CVE-2015-2788.patch b/debian/patches/CVE-2015-2788.patch
new file mode 100644
index 0000000..734f19c
--- /dev/null
+++ b/debian/patches/CVE-2015-2788.patch
@@ -0,0 +1,85 @@
+From a51b14d4729c24033d126ae68413ab4ab45676d6 Mon Sep 17 00:00:00 2001
+From: Stefan Roas <stefan.r...@fau.de>
+Date: Fri, 13 Mar 2015 17:36:31 +0100
+Subject: [PATCH] Buffer Overflow in dbdimp.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Hi there,
+
+I found a buffer overflow in dbdimp.c. Error messages in dbdimp.c use
+sprintf to a fix-sized buffer that (quite likely in two cases) might be
+too small to hold the final result.
+
+Attached you find a patch that solves the problem by increasing the size
+of the buffer to a value that should be large enough for every
+conceivable input given the conversion specification and additionally
+use snprintf() instead of sprintf(). As snprintf() is already used
+somewhere else in dbdimp.c I figure there are no portability issues
+involved.
+
+I did not check the other uses of sprintf, although it might be
+worthwhile to do so as a quick check found other locations where a
+fix-sized buffer is involved.
+
+Best regards,
+ Stefan
+
+--
+Stefan Roas, Datenbanken und studentische Vefahren
+Friedrich-Alexander-Universität Erlangen-Nürnberg
+Regionales Rechenzentrum Erlangen (RRZE)
+Hugenottenplatz 1A, 91054 Erlangen, Deutschland
+Tel.: +49 9131 85-29018
+Fax : +49 9131 85-25777
+stefan.r...@fau.de
+http://www.rrze.fau.de
+---
+ dbdimp.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/dbdimp.c
++++ b/dbdimp.c
+@@ -18,6 +18,8 @@
+ 
+ DBISTATE_DECLARE;
+ 
++#define ERRBUFSIZE 255
++
+ #define IB_SQLtimeformat(xxh, format, sv) \
+ do { \
+ STRLEN len; \
+@@ -2187,8 +2189,8 @@
+ /*
+ * User passed an undef to a field that is not nullable.
+ */
+- char err[80];
+- sprintf(err, "You have not provided a value for non-nullable parameter #%d.", i);
++ char err[ERRBUFSIZE];
++ snprintf(err, sizeof(err), "You have not provided a value for non-nullable parameter #%d.", i);
+ do_error(sth, 1, err);
+ retval = FALSE;
+ return retval;
+@@ -2227,8 +2229,8 @@
+ else encoded = (U8*)string;
+ 
+ if (len > ivar->sqllen) {
+- char err[80];
+- sprintf(err, "String truncation (SQL_VARYING): attempted to bind %lu octets to column sized %lu",
++ char err[ERRBUFSIZE];
++ snprintf(err, sizeof(err), "String truncation (SQL_VARYING): attempted to bind %lu octets to column sized %lu",
+ (long unsigned)len, (long unsigned)(sizeof(char) * (ivar->sqllen)));
+ break;
+ }
+@@ -2262,8 +2264,8 @@
+ else encoded = (U8*)string;
+ 
+ if (len > ivar->sqllen) {
+- char err[80];
+- sprintf(err, "String truncation (SQL_TEXT): attempted to bind %lu octets to column sized %lu",
++ char err[ERRBUFSIZE];
++ snprintf(err, sizeof(err), "String truncation (SQL_TEXT): attempted to bind %lu octets to column sized %lu",
+ (long unsigned)len, (long unsigned)(sizeof(char) * (ivar->sqllen)));
+ break;
+ }
diff --git a/debian/patches/series b/debian/patches/series
index fb8ceb2..35ccd6f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 git/skip-event-tests.patch
+CVE-2015-2788.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libdbd-firebird-perl.git _______________________________________________ Pkg-perl-cvs-commits mailing list Pkg-perl-cvs-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits
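Review bot: In the two truncation hunks (`@@ -2227,8 +2229,8 @@` and `@@ -2262,8 +2264,8 @@`) the message written into `err` is never passed to anything — `err` is declared inside the `if (len > ivar->sqllen)` block and the next statement is `break;`, so the buffer goes out of scope unreported; the commit makes the formatting bounded but leaves it dead, unlike the non-nullable branch which follows its snprintf with `do_error(sth, 1, err);`. If the intent is to surface the truncation, add `do_error(sth, 1, err);` before each `break;`; if silently accepting the over-long value is intended, the two snprintf lines could be dropped rather than kept as dead work. The sizing itself looks sound — the longest message is roughly 115 bytes with two 20-digit `%lu` values and snprintf always NUL-terminates — so a short note such as `/* 255: largest message below is ~115 bytes with two 20-digit %lu values */` beside `#define ERRBUFSIZE 255` would record why that value was chosen. The enclosing function begins before and ends after this hunk, so what happens to the over-long value after the `break` is not visible here.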