Jonathan Yu
2011-Jul-28 00:02 UTC
[Secure-testing-team] Bug#635668: libdbd-odbc-perl: package may be built with incorrect pointer size on 64-bit systems
Package: libdbd-odbc-perl
Severity: grave
Tags: security
Justification: user security hole

Because of changes that Microsoft made to the ODBC specification, the previously 32-bit binary protocol now supports 64-bit values on systems that support it (e.g. on amd64 and possibly the ia64 architectures).

During build time, DBD::ODBC probes for a utility called odbc_config, which, like pkg-config, is intended to provide developers with the compiler flags used to build unixODBC itself. However, because this is not included with Debian's unixODBC (it is not installed into any of the unixodbc binary packages), it is not possible to tell whether the package should be compiled assuming 32-bit or 64-bit data types.

When odbc_config cannot be found (since it is not available in Debian), the macro SIZEOF_LONG is not defined, so DBD::ODBC assumes that unixODBC was built with 32-bit-long SQLLEN and SQLULEN. This raises a potential security issue because unixODBC could write 64-bit values into buffers that are only 32 bits large (DBD::ODBC having provided 32-bit-long buffers based on the assumption of SQLLEN and SQLULEN being 32 bits).

This issue is explained at length on the blog of the DBD::ODBC upstream developer: http://www.martin-evans.me.uk/node/116

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
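A constructed C model of the SQLLEN width mismatch described in the report (added here; it is not DBD::ODBC or unixODBC code). The caller lays out 32-bit indicator slots, the simulated driver manager stores the ODBC null indicator (-1, SQL_NULL_DATA) at whatever width its own build assumed, and the neighbouring field shows whether that write overran. The struct layout and the two helper names are assumptions for the demo; the writes stay inside the struct so the model itself has defined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two adjacent 32-bit slots, as a client built assuming sizeof(SQLLEN) == 4
 * would lay them out (constructed model, not DBD::ODBC's real buffers). */
struct client_buffers {
    int32_t indicator;   /* the StrLen_or_Ind slot handed to the driver manager */
    int32_t neighbour;   /* whatever happens to follow it in memory */
};

/* Simulated driver-manager store: writes the indicator through a raw pointer
 * using the width the library was built with (4 or 8 bytes), exactly as
 * unixODBC would when its SQLLEN is 64 bits and the caller's is 32. */
static void dm_store_indicator(struct client_buffers *cb, size_t sqllen_width,
                               int64_t value)
{
    unsigned char raw[8];
    if (sqllen_width == 8) {
        int64_t v = value;
        memcpy(raw, &v, 8);
    } else {
        int32_t v = (int32_t)value;
        memcpy(raw, &v, 4);
    }
    memcpy(cb, raw, sqllen_width);   /* width chosen by the library, not the caller */
}

/* Returns 1 if storing `value` with a library-side SQLLEN of `sqllen_width`
 * bytes clobbered the field next to the caller's 32-bit indicator slot. */
int neighbour_clobbered(size_t sqllen_width, int64_t value)
{
    struct client_buffers cb = { 0, 0x7e57 };
    dm_store_indicator(&cb, sqllen_width, value);
    return cb.neighbour != 0x7e57;
}

/* The build-time agreement odbc_config was supposed to provide: both sides
 * must compile with the same sizeof(SQLLEN). */
int sqllen_abi_matches(size_t caller_width, size_t library_width)
{
    return caller_width == library_width;
}

int main(void)
{
    printf("library SQLLEN 4 bytes, caller 4 bytes: clobbered=%d\n",
           neighbour_clobbered(4, -1));
    printf("library SQLLEN 8 bytes, caller 4 bytes: clobbered=%d\n",
           neighbour_clobbered(8, -1));
    return 0;
}
```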