libdbd-firebird-perl might cause a buffer overflow when truncating text or varchar fields

Bug #1431867 reported by Stefan Roas on 2015-03-13
262
This bug affects 2 people
Affects Status Importance Assigned to Milestone
libdbd-firebird-perl (Debian)
Fix Released
Unknown
libdbd-firebird-perl (Ubuntu)
Undecided
Unassigned
Precise
Undecided
Unassigned
Trusty
High
Unassigned
Utopic
Undecided
Unassigned

Bug Description

When truncating a varchar or text field libdbd-firebird-perl can cause a buffer overflow.

When truncating either SQL_VARYING or SQL_TEXT libdbd-firebird-perl creates an error message that informs the user about the truncation including how many bytes it tried to write and how many bytes the column could accept. The error message is created using sprintf to a fix-sized buffer that is too small if the size of the string and the size of the column occupy more than 3 bytes in the format string.

The bug is in ./libdbd-firebird-perl-1.15/dbdimp.c in the function ib_fill_isqlda.

Attached is a possible fix that increases the size of the fixed-sized buffer to 100 bytes and prevents a buffer overflow by using snprintf instead of sprintf.

CVE References

Revision history for this message
Stefan Roas (stefan-roas) wrote :
Revision history for this message
Stefan Roas (stefan-roas) wrote :

The previous patch contained the wrong buffer size for SQL_TEXT

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "libdbd-firebird-perl.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Micah Gersten (micahg) on 2015-04-15
information type: Public → Public Security
information type: Public Security → Public
information type: Public → Public Security
Revision history for this message
Micah Gersten (micahg) wrote :

This bug was fixed in the package libdbd-firebird-perl - 1.18-2

---------------
libdbd-firebird-perl (1.18-2) unstable; urgency=high

  * High urgency for security fixes

  [ Salvatore Bonaccorso ]
  * Update Vcs-Browser URL to cgit web frontend

  [ Damyan Ivanov ]
  * Add patch from Stefan Roas fixing potential buffer overflow in certain
    error conditions (CVE-2015-2788)
    (Closes: #780925)
  * add patch from upstream Git replacing all sprintf usage with snprintf

 -- Damyan Ivanov <email address hidden> Wed, 01 Apr 2015 08:43:03 +0000

Changed in libdbd-firebird-perl (Ubuntu):
status: New → Fix Released
Changed in libdbd-firebird-perl (Debian):
status: Unknown → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libdbd-firebird-perl (Ubuntu Precise):
status: New → Confirmed
Changed in libdbd-firebird-perl (Ubuntu Trusty):
status: New → Confirmed
Changed in libdbd-firebird-perl (Ubuntu Utopic):
status: New → Confirmed
Rolf Leggewie (r0lf) on 2016-04-24
Changed in libdbd-firebird-perl (Ubuntu Trusty):
importance: Undecided → High
status: Confirmed → Triaged
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.