Heap overflow if UDT type is used with protocol 5.0
Bug #1835896 reported by Frediano Ziglio
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
freetds (Ubuntu) | Fix Released | Medium | Marc Deslauriers |
Bionic | Fix Released | Medium | Marc Deslauriers |
Disco | Fix Released | Medium | Marc Deslauriers |
Eoan | Fix Released | Medium | Marc Deslauriers |
Focal | Fix Released | Medium | Marc Deslauriers |
Bug Description
Description of problem:
A malicious server could cause a heap overflow.
This can happen if the server causes a downgrade to protocol 5.0 and sends a UDT type.
This does not apply to a specific Ubuntu version. FreeTDS versions from 0.95 are affected, so all versions distributed with recent Ubuntu.
How reproducible:
You need to write a malicious server doing a downgrade and sending the UDT type.
Actual results:
Heap overflow
Expected results:
Type handled correctly or disconnection due to invalid protocol.
Additional info:
This was reported by Felix Wilhelm from the Google Security Team.
This is fixed by https:/
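As an added illustration (not FreeTDS code and not the actual fix referenced above), the expected behaviour the report asks for, "disconnection due to invalid protocol", comes down to checking every incoming column type against the protocol version that was actually negotiated, including after a server-initiated downgrade, before any type-dependent size is computed or any buffer is allocated from it. The C example below implements that check over a constructed, simplified column-metadata stream. The version constants, the descriptor layout (count byte, then one type byte and one length byte per column) and the type table are assumptions of this example; UDTTYPE 0xF0 is the MS-TDS value, the other codes are illustrative.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Protocol versions as encoded for this example (hypothetical values). */
enum { TDS_50 = 0x500, TDS_70 = 0x700, TDS_72 = 0x702 };

/* Column type codes. UDTTYPE = 0xF0 is the MS-TDS value; INT4 and VARCHAR
 * codes here are illustrative. This is not FreeTDS's type table. */
enum { TYPE_INT4 = 0x38, TYPE_VARCHAR = 0x27, TYPE_UDT = 0xF0 };

/* Oldest protocol version in which a type code is defined; -1 = unknown. */
static int min_version_for_type(uint8_t type)
{
    switch (type) {
    case TYPE_INT4:
    case TYPE_VARCHAR:
        return TDS_50;
    case TYPE_UDT:
        return TDS_72;   /* UDT only exists from TDS 7.2 on */
    default:
        return -1;       /* unknown type codes are never accepted */
    }
}

/* A type is acceptable only if it exists in the version actually
 * negotiated, i.e. the one the server answered with after any downgrade. */
int type_allowed(int negotiated_version, uint8_t type)
{
    int min = min_version_for_type(type);
    return min >= 0 && negotiated_version >= min;
}

/* Simplified column-metadata layout for this example: one count byte,
 * then per column one type byte and one declared-length byte. Returns the
 * number of columns accepted, or -1 when the stream must be rejected
 * (truncated, or a type the negotiated protocol cannot carry). On -1 the
 * caller should drop the connection rather than size any buffer from the
 * untrusted descriptors. */
int parse_colmeta(int negotiated_version, const uint8_t *buf, size_t len,
                  size_t *row_bytes)
{
    size_t pos = 0, total = 0;
    int ncols, i;

    if (len < 1)
        return -1;
    ncols = buf[pos++];
    for (i = 0; i < ncols; i++) {
        uint8_t type, declared;
        if (pos + 2 > len)
            return -1;   /* truncated descriptor */
        type = buf[pos++];
        declared = buf[pos++];
        if (!type_allowed(negotiated_version, type))
            return -1;   /* e.g. UDT arriving after a downgrade to 5.0 */
        total += declared;
    }
    if (row_bytes)
        *row_bytes = total;
    return ncols;
}

/* Constructed sample: two columns, INT4 of 4 bytes and UDT of 16 bytes. */
static const uint8_t SAMPLE[] = { 2, TYPE_INT4, 4, TYPE_UDT, 16 };

/* Parse the sample as if the given version had been negotiated. */
int demo(int negotiated_version)
{
    size_t bytes = 0;
    return parse_colmeta(negotiated_version, SAMPLE, sizeof SAMPLE, &bytes);
}

int main(void)
{
    printf("TDS 7.2: %d columns accepted\n", demo(TDS_72));
    printf("TDS 5.0: %d (reject and disconnect)\n", demo(TDS_50));
    return 0;
}
```

The important design point is which version the check uses: the one the server actually answered with, not the one the client asked for. A server that downgrades the session and then sends a type from a newer protocol is exactly the case this gate rejects; a client that keys its type table off the requested version instead would accept it.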
CVE References
Changed in freetds (Ubuntu Bionic): status: New → Confirmed
Changed in freetds (Ubuntu Disco): status: New → Confirmed
Changed in freetds (Ubuntu Eoan): status: New → Confirmed
Changed in freetds (Ubuntu Focal): status: New → Confirmed
Changed in freetds (Ubuntu Bionic): assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in freetds (Ubuntu Disco): assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in freetds (Ubuntu Eoan): assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in freetds (Ubuntu Focal): assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in freetds (Ubuntu Bionic): importance: Undecided → Medium
Changed in freetds (Ubuntu Disco): importance: Undecided → Medium
Changed in freetds (Ubuntu Eoan): importance: Undecided → Medium
Changed in freetds (Ubuntu Focal): importance: Undecided → Medium
Has a CVE been assigned for this issue? If not, could you please apply for one via MITRE https://cveform.mitre.org/ so that all distributions can be aware of and ensure they fix this issue? Given the fix is public, is there a reason to keep this bug private?