Package: libqt5sql5-odbc
Version: 5.15.8+dfsg-11
Severity: important
X-Debbugs-Cc: viktor.my...@insta.fi

Dear Maintainer,

Changes introduced in patch CVE-2023-24607.diff break Unicode handling. I have tested this with Microsoft ODBC driver for SQL Server 17 and 18, using a database from the Docker image 'mcr.microsoft.com/mssql/server:2019-latest'.

The easiest way to reproduce the issue is by calling QSqlDatabase::tables(), which returns an empty list. Some other database actions work, but the ODBC log is filled with HY009 (Invalid use of null pointer) error messages.

The same issue was also present in the package libqt6sql6-odbc (version 6.4.2+dfsg-10), which includes the same patch. Version 5.15.2+dfsg-9 on Bullseye works fine.

The Qt GitHub repository 'qtbase' seems to include multiple Unicode-related commits that seem to address this issue. I suggest including such fixes as additional patches in the package.

Additionally, it seems that the same CVE vulnerability is still present in the Buster and Bullseye packages.

Testing was done using Docker images debian:bullseye-slim and debian:bookworm-slim.

-- System Information:
Debian Release: 12.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.15.90.1-microsoft-standard-WSL2 (SMP w/20 CPU threads)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages libqt5sql5-odbc depends on:
ii  libc6                              2.36-9+deb12u3
ii  libodbc2                           2.3.11-2+deb12u1
ii  libqt5core5a [qtbase-abi-5-15-8]   5.15.8+dfsg-11
ii  libqt5sql5                         5.15.8+dfsg-11
ii  libstdc++6                         12.2.0-14

libqt5sql5-odbc recommends no packages.

libqt5sql5-odbc suggests no packages.

-- no debconf information