| Summary: | unixODBC new security issues CVE-2018-7409 and CVE-2018-7485 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, geiger.david68210, herman.viaene, marja11, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | unixODBC-2.3.4-2.mga6.src.rpm | CVE: | |
| Status comment: | Fixed upstream in 2.3.6 | ||
Description
David Walser 2018-06-29 20:04:49 CEST

David Walser 2018-06-29 20:05:19 CEST
Status comment: (none) => Fixed upstream in 2.3.6

Assigning to the registered maintainer.
CC: (none) => marja11

Fedora has issued an advisory for this today (September 7):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FNQ5MBIGSDZTV3C7TRG7BMA6GMVJVOYO/
They updated to 2.3.7.

Already fixed for Cauldron and now also fixed for mga6, updating to the latest 2.3.7 release! Note that the unneeded static devel pkg was removed!
CC: (none) => geiger.david68210

Advisory:
========================

Updated unixODBC packages fix security vulnerabilities:

unixODBC before version 2.3.5 is vulnerable to a buffer overflow in the DriverManager/__info.c:unicode_to_ansi_copy() method. An attacker could exploit this to cause a denial of service or other unspecified impact (CVE-2018-7409).

The SQLWriteFileDSN function in odbcinst/SQLWriteFileDSN.c in unixODBC 2.3.5 has strncpy arguments in the wrong order, which allows attackers to cause a denial of service or possibly have unspecified other impact (CVE-2018-7485).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7409
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7485
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FNQ5MBIGSDZTV3C7TRG7BMA6GMVJVOYO/
========================

Updated packages in core/updates_testing:
========================
unixODBC-2.3.7-1.mga6
libunixODBC2-2.3.7-1.mga6
libunixODBC-devel-2.3.7-1.mga6

from unixODBC-2.3.7-1.mga6.src.rpm
Assignee: makowski.mageia => qa-bugs

MGA6-32 MATE on IBM ThinkPad R50e
No installation issues.
Googling to find some easy use case, but not much success (it's been a long time since I used ODBC....)
Tried CLI:

    $ odbcinst --version
    unixODBC 2.3.7
    $ odbcinst
    **********************************************
    * unixODBC - odbcinst *
    **********************************************
    * *
    * Purpose: *
    * *
    * An ODBC Installer and Uninstaller. *
    * Updates system files, and *
    * increases/decreases usage counts but *
    * does not actually copy or remove any *
    * files. *

and more

    $ odbcinst -j
    unixODBC 2.3.7
    DRIVERS............: /etc/odbcinst.ini
    SYSTEM DATA SOURCES: /etc/odbc.ini
    FILE DATA SOURCES..: /etc/ODBCDataSources
    USER DATA SOURCES..: /home/tester6/.odbc.ini
    SQLULEN Size.......: 4
    SQLLEN Size........: 4
    SQLSETPOSIROW Size.: 2

As nothing ODBC is installed, the above files are empty; seems OK.
CC: (none) => herman.viaene

Mageia 6, x86_64
Checked installation, then updated. New to me, so I just copied Herman's commands. Same output...

    $ odbcinst -j
    unixODBC 2.3.7
    DRIVERS............: /etc/odbcinst.ini
    SYSTEM DATA SOURCES: /etc/odbc.ini
    FILE DATA SOURCES..: /etc/ODBCDataSources
    USER DATA SOURCES..: /home/lcl/.odbc.ini
    SQLULEN Size.......: 8
    SQLLEN Size........: 8
    SQLSETPOSIROW Size.: 8

System files empty, no user ini file. Looks OK as far as it goes.
Whiteboard: (none) => MGA6-64-OK

In the absence of reported problems, I'm going to validate. Suggested advisory in Comment 4.
Keywords: (none) => validated_update
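The two bug classes named in the advisory above, an unbounded wide-to-ANSI copy (CVE-2018-7409) and a strncpy call with its destination and source swapped (CVE-2018-7485), as an added C example. This is not unixODBC's code and not part of the bug report: the function names, buffer sizes and inputs are illustrative assumptions, and the vulnerable routines are pointed at a larger single allocation whose second half acts as a canary, so the corruption can be observed without undefined behaviour.

```c
/* Added example, not unixODBC's code: the two bug classes from the advisory,
 * each beside a hardened form. Sizes, names and inputs are assumptions. The
 * vulnerable routines write into a 32-byte area whose second half is a canary,
 * so the overrun stays inside one allocation and is observable, not a crash. */
#include <stdio.h>
#include <string.h>

typedef unsigned short SQLWCHAR_demo;   /* stand-in for ODBC's 16-bit SQLWCHAR */
#define FIELD_LEN 16                    /* size the callee believes dst has   */
#define AREA_LEN  32                    /* real allocation: field + canary    */

/* ---- CVE-2018-7409 pattern: wide-to-ANSI copy bounded by the source only ---- */

/* Vulnerable: writes src_len + 1 bytes into dst, whatever size dst really has. */
size_t unicode_to_ansi_copy_unbounded(char *dst, const SQLWCHAR_demo *src, size_t src_len)
{
    size_t i;
    for (i = 0; i < src_len; i++)
        dst[i] = (char)src[i];
    dst[i] = '\0';
    return i;
}

/* Hardened: honours dst_len, always NUL-terminates, returns the length the source
 * needed (result >= dst_len means truncated). Units above 0x7F become '?' (assumption). */
size_t unicode_to_ansi_copy_bounded(char *dst, size_t dst_len,
                                    const SQLWCHAR_demo *src, size_t src_len)
{
    size_t i, n;
    if (dst_len == 0)
        return src_len;
    n = src_len < dst_len - 1 ? src_len : dst_len - 1;
    for (i = 0; i < n; i++)
        dst[i] = src[i] < 0x80 ? (char)src[i] : '?';
    dst[n] = '\0';
    return src_len;
}

/* Copies 24 wide characters "A".."X" into a FIELD_LEN-byte field with one of the
 * two routines; returns 1 if the canary byte right after the field is intact. */
int canary_survives(int use_bounded)
{
    char area[AREA_LEN];
    SQLWCHAR_demo wide[24];
    size_t i;
    memset(area, 'C', AREA_LEN);                          /* canary fill */
    for (i = 0; i < 24; i++)
        wide[i] = (SQLWCHAR_demo)('A' + i);
    if (use_bounded) {
        size_t need = unicode_to_ansi_copy_bounded(area, FIELD_LEN, wide, 24);
        return area[FIELD_LEN] == 'C' && need >= FIELD_LEN   /* truncation reported */
            && strcmp(area, "ABCDEFGHIJKLMNO") == 0;
    }
    unicode_to_ansi_copy_unbounded(area, wide, 24);       /* 25 bytes into 16 */
    return area[FIELD_LEN] == 'C';                        /* 0: canary clobbered */
}

/* ---- CVE-2018-7485 pattern: strncpy with destination and source swapped ---- */

/* Vulnerable: meant to copy the caller's file name into a local path buffer, but
 * the first two arguments are reversed: the empty local buffer is copied over the
 * caller's string, which is then padded with sizeof(path) NUL bytes. A string
 * literal or a shorter buffer on the caller's side would make this a write to
 * read-only memory or an overflow. */
size_t write_file_dsn_buggy(char *file_name)
{
    char path[FIELD_LEN] = "";
    strncpy(file_name, path, sizeof(path));     /* arguments in the wrong order */
    return strlen(path);                        /* always 0: nothing arrived */
}

/* Hardened: correct order, length checked first (strncpy alone leaves no terminator
 * when the source fills the buffer), explicit terminator, and a failure code. */
int write_file_dsn_fixed(char *path, size_t path_len, const char *file_name)
{
    if (path_len == 0 || strlen(file_name) >= path_len)
        return -1;
    strncpy(path, file_name, path_len - 1);
    path[path_len - 1] = '\0';
    return 0;
}

int buggy_destroys_file_name(void)
{
    char name[AREA_LEN] = "app.dsn";            /* larger than path[], so no overflow */
    write_file_dsn_buggy(name);
    return name[0] == '\0';                     /* 1: the caller's file name is gone */
}

int fixed_handles_both_lengths(void)
{
    char path[FIELD_LEN];
    int ok = write_file_dsn_fixed(path, sizeof(path), "app.dsn") == 0
          && strcmp(path, "app.dsn") == 0;
    int rejected = write_file_dsn_fixed(path, sizeof(path),
                                        "a-very-long-file-name.dsn") == -1;
    return ok && rejected;                      /* 1 */
}

int main(void)
{
    printf("canary intact: unbounded=%d bounded=%d\n", canary_survives(0), canary_survives(1));
    printf("swapped strncpy wiped name=%d  fixed copy ok=%d\n",
           buggy_destroys_file_name(), fixed_handles_both_lengths());
    return 0;
}
```

Compile with `cc -Wall -fsanitize=address` and the unbounded copy still passes quietly, because the demo keeps every write inside the 32-byte array; shrink AREA_LEN to FIELD_LEN and the sanitizer reports the overrun, which is the behaviour the advisory's "denial of service or other unspecified impact" describes.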
Dave Hodgins 2018-09-21 16:37:14 CEST
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0379.html
Resolution: (none) => FIXED