openSUSE has issued an advisory today (June 29): https://lists.opensuse.org/opensuse-updates/2018-06/msg00144.html The issues are fixed upstream in 2.3.6. Mageia 5 and Mageia 6 are also affected.
Status comment: (none) => Fixed upstream in 2.3.6
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => makowski.mageia
Fedora has issued an advisory for this today (September 7): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FNQ5MBIGSDZTV3C7TRG7BMA6GMVJVOYO/ They updated to 2.3.7.
Already fixed for Cauldron and now also fixed for mga6 updating to latest 2.3.7 release! Note that the unneeded static devel pkg was removed!
CC: (none) => geiger.david68210
Advisory:
========================

Updated unixODBC packages fix security vulnerabilities:

unixODBC before version 2.3.5 is vulnerable to a buffer overflow in the DriverManager/__info.c:unicode_to_ansi_copy() method. An attacker could exploit this to cause a denial of service or other unspecified impact (CVE-2018-7409).

The SQLWriteFileDSN function in odbcinst/SQLWriteFileDSN.c in unixODBC 2.3.5 has strncpy arguments in the wrong order, which allows attackers to cause a denial of service or possibly have unspecified other impact (CVE-2018-7485).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7409
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7485
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FNQ5MBIGSDZTV3C7TRG7BMA6GMVJVOYO/
========================

Updated packages in core/updates_testing:
========================

unixODBC-2.3.7-1.mga6
libunixODBC2-2.3.7-1.mga6
libunixODBC-devel-2.3.7-1.mga6

from unixODBC-2.3.7-1.mga6.src.rpm
Assignee: makowski.mageia => qa-bugs
Severity: normal => major
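An added illustration of the bug class the advisory names for CVE-2018-7485 (strncpy() with its arguments in the wrong order), written for this thread and not taken from unixODBC or its fix: the swapped destination/source form is shown with writable, initialised buffers so it is safe to run (the assumption that this is the order that was swapped is mine), next to a bounded copy that takes the destination size and always terminates. DSN_PATH_MAX, the function names and the sample DSN names are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>
#define DSN_PATH_MAX 32   /* constructed, deliberately small, for the demo */

/* Bug class from the advisory, shown with writable, initialised buffers so the
 * call itself is well-defined: destination and source are swapped, so the
 * caller's input is overwritten with the empty output buffer and the data goes
 * nowhere. Returns 1 when the input was clobbered. */
int swapped_strncpy_clobbers_input(void)
{
    char input[16]  = "my_dsn";
    char output[16] = "";
    strncpy(input, output, sizeof(output));   /* BUG: arguments in the wrong order */
    return input[0] == '\0';
}

/* Hardened copy: the size argument is always the DESTINATION's size, the result
 * is always NUL-terminated, and truncation is reported instead of silently
 * leaving an unterminated buffer (strncpy's documented behaviour on overflow).
 * Returns the number of source bytes that did not fit. */
size_t bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src), n;
    if (dst_size == 0) return len;
    n = len < dst_size - 1 ? len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return len - n;
}

/* 40-byte name into a 16-byte buffer: 15 bytes kept, 25 dropped, terminated. */
int demo_truncation(void)
{
    char name[41];
    char dst[16];
    memset(name, 'A', 40);
    name[40] = '\0';
    size_t dropped = bounded_copy(dst, sizeof(dst), name);
    return dropped == 25 && strlen(dst) == 15;
}

/* Builds "<dir>/<name>.dsn" into a DSN_PATH_MAX buffer with snprintf, which takes
 * the destination size and terminates. Returns 1 if the whole path fit, 0 if it
 * was rejected rather than truncated (a truncated path would name another file). */
int path_fits(const char *dir, const char *name)
{
    char path[DSN_PATH_MAX];
    int needed = snprintf(path, sizeof(path), "%s/%s.dsn", dir, name);
    return needed >= 0 && (size_t)needed < sizeof(path);
}
```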
MGA6-32 MATE on IBM ThinkpadR50e
No installation issues.
Googling to find some easy use case, but not much success (it's been a long time since I used ODBC....)
Tried CLI:
$ odbcinst --version
unixODBC 2.3.7
$ odbcinst
**********************************************
* unixODBC - odbcinst *
**********************************************
* *
* Purpose: *
* *
* An ODBC Installer and Uninstaller. *
* Updates system files, and *
* increases/decreases usage counts but *
* does not actually copy or remove any *
* files. *
and more
$ odbcinst -j
unixODBC 2.3.7
DRIVERS............: /etc/odbcinst.ini
SYSTEM DATA SOURCES: /etc/odbc.ini
FILE DATA SOURCES..: /etc/ODBCDataSources
USER DATA SOURCES..: /home/tester6/.odbc.ini
SQLULEN Size.......: 4
SQLLEN Size........: 4
SQLSETPOSIROW Size.: 2
As nothing ODBC is installed, the above files are empty, seems OK
CC: (none) => herman.viaene
Mageia 6, x86_64
Checked installation then updated. New to me so just copied Herman's commands. Same output...
$ odbcinst -j
unixODBC 2.3.7
DRIVERS............: /etc/odbcinst.ini
SYSTEM DATA SOURCES: /etc/odbc.ini
FILE DATA SOURCES..: /etc/ODBCDataSources
USER DATA SOURCES..: /home/lcl/.odbc.ini
SQLULEN Size.......: 8
SQLLEN Size........: 8
SQLSETPOSIROW Size.: 8
System files empty, no user ini file. Looks OK as far as it goes.
Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
In the absence of reported problems, I'm going to validate. Suggested advisory in Comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0379.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED