This is an automated email from the git hooks/post-receive script. dmn pushed a commit to branch master in repository libdbd-firebird-perl.
commit 0416e0b26c8f8683382fb4d93b6fc343f5828f06
Author: Damyan Ivanov <d...@debian.org>
Date: Sun Mar 29 13:15:53 2015 +0000
Add patch from Stefan Roas fixing potential buffer overflow in certain error conditions Closes: #780925
---
debian/patches/dbdimp-780925-buf-overflow.patch | 72 +++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 73 insertions(+)
diff --git a/debian/patches/dbdimp-780925-buf-overflow.patch b/debian/patches/dbdimp-780925-buf-overflow.patch
new file mode 100644
index 0000000..d1c91f9
--- /dev/null
+++ b/debian/patches/dbdimp-780925-buf-overflow.patch
@@ -0,0 +1,72 @@
+Bug-Debian: https://bugs.debian.org/780925
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libdbd-firebird-perl/+bug/1431867
+Acked-By: Damyan Ivanov <d...@debian.org>
+From: Stefan Roas <stefan.r...@fau.de>
+Subject: [Dbd-firebird-devel] Buffer Overflow in dbdimp.c
+To: dbd-firebird-de...@lists.alioth.debian.org
+Date: Fri, 13 Mar 2015 17:36:31 +0100
+
+Hi there,
+
+I found a buffer overflow in dbdimp.c. Error messages in dbdimp.c use
+sprintf to a fix-sized buffer that (quite likely in two cases) might be
+too small to hold the final result.
+
+Attached you find a patch that solves the problem by increasing the size
+of the buffer to a value that should be large enough for every
+conceivable input given the conversion specification and additionally
+use snprintf() instead of sprintf(). As snprintf() is already used
+somewhere else in dbdimp.c I figure there are no portability issues
+involved.
+
+I did not check the other uses of sprintf, although it might be
+worthwhile to do so as a quick check found other locations where a
+fix-sized buffer is involved.
+
+Best regards,
+ Stefan
+
+--- a/dbdimp.c
++++ b/dbdimp.c
+@@ -21,6 +21,8 @@
+
+ DBISTATE_DECLARE;
+
++#define ERRBUFSIZE 255
++
+ #define IB_SQLtimeformat(xxh, format, sv) \
+ do { \
+ STRLEN len; \
+@@ -2237,8 +2239,8 @@ static int ib_fill_isqlda(SV *sth, imp_s
+ /*
+ * User passed an undef to a field that is not nullable.
+ */
+- char err[80];
+- sprintf(err, "You have not provided a value for non-nullable parameter #%d.", i);
++ char err[ERRBUFSIZE];
++ snprintf(err, sizeof(err), "You have not provided a value for non-nullable parameter #%d.", i);
+ do_error(sth, 1, err);
+ retval = FALSE;
+ return retval;
+@@ -2278,8 +2280,8 @@ static int ib_fill_isqlda(SV *sth, imp_s
+ string = SvPV(value, len);
+
+ if (len > ivar->sqllen) {
+- char err[80];
+- sprintf(err, "String truncation (SQL_VARYING): attempted to bind %lu octets to column sized %lu",
++ char err[ERRBUFSIZE];
++ snprintf(err, sizeof(err), "String truncation (SQL_VARYING): attempted to bind %lu octets to column sized %lu",
+ (long unsigned)len, (long unsigned)(sizeof(char) * (ivar->sqllen)));
+ break;
+ }
+@@ -2301,8 +2303,8 @@ static int ib_fill_isqlda(SV *sth, imp_s
+ string = SvPV(value, len);
+
+ if (len > ivar->sqllen) {
+- char err[80];
+- sprintf(err, "String truncation (SQL_TEXT): attempted to bind %lu octets to column sized %lu",
++ char err[ERRBUFSIZE];
++ snprintf(err, sizeof(err), "String truncation (SQL_TEXT): attempted to bind %lu octets to column sized %lu",
+ (long unsigned)len, (long unsigned)(sizeof(char) * (ivar->sqllen)));
+ break;
+ }
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..80f51d1
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+dbdimp-780925-buf-overflow.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libdbd-firebird-perl.git
_______________________________________________
Pkg-perl-cvs-commits mailing list
Pkg-perl-cvs-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits
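Review bot: In the SQL_VARYING and SQL_TEXT hunks of the embedded dbdimp.c patch, the message written to `err` is never reported: the statement after the `snprintf` is `break;`, and `err` is declared inside the `if (len > ivar->sqllen)` block, so nothing after the block can read it. The non-nullable-parameter hunk shows the pattern these two branches appear to be missing, `do_error(sth, 1, err); retval = FALSE;` ahead of the `break;`. As written, an over-long bind value is detected but the caller gets no diagnostic from these lines, and whether the value is still copied into the column buffer after the `break` needs to be confirmed, since ib_fill_isqlda continues outside all three hunks. It would also help to comment `ERRBUFSIZE` with the reasoning behind 255, e.g. `/* longest format string plus two %lu expansions */`, so later messages are sized against it.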