This is an automated email from the git hooks/post-receive script.

dmn pushed a commit to branch master
in repository libdbd-firebird-perl.

commit 0416e0b26c8f8683382fb4d93b6fc343f5828f06
Author: Damyan Ivanov <d...@debian.org>
Date:   Sun Mar 29 13:15:53 2015 +0000

    Add patch from Stefan Roas fixing potential buffer overflow in certain 
error conditions
    
    Closes: #780925
---
 debian/patches/dbdimp-780925-buf-overflow.patch | 72 +++++++++++++++++++++++++
 debian/patches/series                           |  1 +
 2 files changed, 73 insertions(+)

diff --git a/debian/patches/dbdimp-780925-buf-overflow.patch 
b/debian/patches/dbdimp-780925-buf-overflow.patch
new file mode 100644
index 0000000..d1c91f9
--- /dev/null
+++ b/debian/patches/dbdimp-780925-buf-overflow.patch
@@ -0,0 +1,72 @@
+Bug-Debian: https://bugs.debian.org/780925
+Bug-Ubuntu: 
https://bugs.launchpad.net/ubuntu/+source/libdbd-firebird-perl/+bug/1431867
+Acked-By: Damyan Ivanov <d...@debian.org>
+From: Stefan Roas <stefan.r...@fau.de>
+Subject: [Dbd-firebird-devel] Buffer Overflow in dbdimp.c
+To: dbd-firebird-de...@lists.alioth.debian.org
+Date: Fri, 13 Mar 2015 17:36:31 +0100
+
+Hi there,
+
+I found a buffer overflow in dbdimp.c. Error messages in dbdimp.c use
+sprintf to a fix-sized buffer that (quite likely in two cases) might be
+too small to hold the final result.
+
+Attached you find a patch that solves the problem by increasing the size
+of the buffer to a value that should be large enough for every
+conceivable input given the conversion specification and additionally
+use snprintf() instead of sprintf(). As snprintf() is already used
+somewhere else in dbdimp.c I figure there are no portability issues
+involved.
+
+I did not check the other uses of sprintf, although it might be
+worthwhile to do so as a quick check found other locations where a
+fix-sized buffer is involved.
+
+Best regards,
+  Stefan
+
+--- a/dbdimp.c
++++ b/dbdimp.c
+@@ -21,6 +21,8 @@
+ 
+ DBISTATE_DECLARE;
+ 
++#define ERRBUFSIZE  255
++
+ #define IB_SQLtimeformat(xxh, format, sv)                             \
+ do {                                                                  \
+     STRLEN len;                                                       \
+@@ -2237,8 +2239,8 @@ static int ib_fill_isqlda(SV *sth, imp_s
+             /*
+             * User passed an undef to a field that is not nullable.
+             */
+-            char err[80];
+-            sprintf(err, "You have not provided a value for non-nullable 
parameter #%d.", i);
++            char err[ERRBUFSIZE];
++            snprintf(err, sizeof(err), "You have not provided a value for 
non-nullable parameter #%d.", i);
+             do_error(sth, 1, err);
+             retval = FALSE;
+             return retval;
+@@ -2278,8 +2280,8 @@ static int ib_fill_isqlda(SV *sth, imp_s
+             string = SvPV(value, len);
+ 
+             if (len > ivar->sqllen) {
+-                char err[80];
+-                sprintf(err, "String truncation (SQL_VARYING): attempted to 
bind %lu octets to column sized %lu",
++                char err[ERRBUFSIZE];
++                snprintf(err, sizeof(err), "String truncation (SQL_VARYING): 
attempted to bind %lu octets to column sized %lu",
+                         (long unsigned)len, (long unsigned)(sizeof(char) * 
(ivar->sqllen)));
+                 break;
+             }
+@@ -2301,8 +2303,8 @@ static int ib_fill_isqlda(SV *sth, imp_s
+             string = SvPV(value, len);
+ 
+             if (len > ivar->sqllen) {
+-                char err[80];
+-                sprintf(err, "String truncation (SQL_TEXT): attempted to bind 
%lu octets to column sized %lu",
++                char err[ERRBUFSIZE];
++                snprintf(err, sizeof(err), "String truncation (SQL_TEXT): 
attempted to bind %lu octets to column sized %lu",
+                         (long unsigned)len, (long unsigned)(sizeof(char) * 
(ivar->sqllen)));
+                 break;
+             }
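Review bot: At the SQL_VARYING and SQL_TEXT sites of the embedded dbdimp.c patch, `err` is filled by `snprintf` and the very next statement is `break;`, so on the lines shown the message is never handed to `do_error` and `retval` is not set, unlike the non-nullable-parameter site earlier in the same patch. If the full function really does this, an oversized bind value is detected but never reported, and it cannot be seen from here whether the code reached after the `break` still bounds its copy by `ivar->sqllen`. I would add `do_error(sth, 1, err);` and `retval = FALSE;` before each `break;`, mirroring the first site. `ib_fill_isqlda` starts and ends outside these hunks, and the patch author's own remark that the other fixed-size `sprintf` buffers in dbdimp.c were not checked deserves a follow-up audit.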
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..80f51d1
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+dbdimp-780925-buf-overflow.patch
