packages/unixODBC
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2024-1013

Browse Source 
(cherry picked from commit d427467d8b1c63c8b0a4345cb611bcd0577c6acb)
This commit is contained in:
Funda Wang 2024-10-24 09:14:52 +08:00 committed by openeuler-sync-bot
parent 870d15c8a9
commit 5d86aae7ea
2 changed files with 50 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
backport-0001-CVE-2024-1013.patch Normal file
View File

@ -0,0 +1,45 @@
From 45f501e1be2db6b017cc242c79bfb9de32b332a1 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Mon, 29 Jan 2024 08:27:29 +0100
Subject: [PATCH] PostgreSQL driver: Fix incompatible pointer-to-integer types
These result in out-of-bounds stack writes on 64-bit architectures
(caller has 4 bytes, callee writes 8 bytes), and seem to have gone
unnoticed on little-endian architectures (although big-endian
architectures must be broken).
This change is required to avoid a build failure with GCC 14.
---
Drivers/Postgre7.1/info.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Drivers/Postgre7.1/info.c b/Drivers/Postgre7.1/info.c
index 63ac91f..2216ecd 100644
--- a/Drivers/Postgre7.1/info.c
+++ b/Drivers/Postgre7.1/info.c
@@ -1779,14 +1779,14 @@ char *table_name;
char index_name[MAX_INFO_STRING];
short fields_vector[8];
char isunique[10], isclustered[10];
-SDWORD index_name_len, fields_vector_len;
+SQLLEN index_name_len, fields_vector_len;
TupleNode *row;
int i;
HSTMT hcol_stmt;
StatementClass *col_stmt, *indx_stmt;
char column_name[MAX_INFO_STRING], relhasrules[MAX_INFO_STRING];
char **column_names = 0;
-Int4 column_name_len;
+SQLLEN column_name_len;
int total_columns = 0;
char error = TRUE;
ConnInfo *ci;
@@ -2136,7 +2136,7 @@ HSTMT htbl_stmt;
StatementClass *tbl_stmt;
char tables_query[STD_STATEMENT_LEN];
char attname[MAX_INFO_STRING];
-SDWORD attname_len;
+SQLLEN attname_len;
char pktab[MAX_TABLE_LEN + 1];
Int2 result_cols;

6
unixODBC.spec
View File

@ -1,6 +1,6 @@
Name: unixODBC
Version: 2.3.9
Release: 3
Release: 4
Summary: Open-source project that implements the ODBC API
License: GPLv2+ and LGPLv2+
URL: http://www.unixODBC.org/
@ -8,6 +8,7 @@ Source: http://www.unixODBC.org/%{name}-%{version}.tar.gz
Source1: odbcinst.ini
Patch0000: null_dereference_check.patch
Patch0001: delete_password.patch
Patch6001: backport-0001-CVE-2024-1013.patch
Conflicts: iodbc
BuildRequires: automake autoconf libtool libtool-ltdl-devel bison flex readline-devel
@ -90,6 +91,9 @@ find doc -name 'Makefile*' | xargs rm
%exclude %{_datadir}/libtool
%changelog
* Thu Oct 24 2024 Funda Wang <fundawang@yeah.net> - 2.3.9-4
- fix CVE-2024-1013
* Thu Dec 16 2021 Haoran Yang <yanghaoran7@huawei.com> - 2.3.9-3
- add delete_password.patch (hiding password in unixODBC log)