packages/unixODBC
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!36 [sync] PR-33: fix CVE-2024-1013

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
This commit is contained in:
openeuler-ci-bot 2024-10-24 03:55:33 +00:00 committed by Gitee
commit 7ff64f8548
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 50 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
backport-0001-CVE-2024-1013.patch Normal file
View File

@ -0,0 +1,45 @@
From 45f501e1be2db6b017cc242c79bfb9de32b332a1 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Mon, 29 Jan 2024 08:27:29 +0100
Subject: [PATCH] PostgreSQL driver: Fix incompatible pointer-to-integer types
These result in out-of-bounds stack writes on 64-bit architectures
(caller has 4 bytes, callee writes 8 bytes), and seem to have gone
unnoticed on little-endian architectures (although big-endian
architectures must be broken).
This change is required to avoid a build failure with GCC 14.
---
Drivers/Postgre7.1/info.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Drivers/Postgre7.1/info.c b/Drivers/Postgre7.1/info.c
index 63ac91f..2216ecd 100644
--- a/Drivers/Postgre7.1/info.c
+++ b/Drivers/Postgre7.1/info.c
@@ -1779,14 +1779,14 @@ char *table_name;
char index_name[MAX_INFO_STRING];
short fields_vector[8];
char isunique[10], isclustered[10];
-SDWORD index_name_len, fields_vector_len;
+SQLLEN index_name_len, fields_vector_len;
TupleNode *row;
int i;
HSTMT hcol_stmt;
StatementClass *col_stmt, *indx_stmt;
char column_name[MAX_INFO_STRING], relhasrules[MAX_INFO_STRING];
char **column_names = 0;
-Int4 column_name_len;
+SQLLEN column_name_len;
int total_columns = 0;
char error = TRUE;
ConnInfo *ci;
@@ -2136,7 +2136,7 @@ HSTMT htbl_stmt;
StatementClass *tbl_stmt;
char tables_query[STD_STATEMENT_LEN];
char attname[MAX_INFO_STRING];
-SDWORD attname_len;
+SQLLEN attname_len;
char pktab[MAX_TABLE_LEN + 1];
Int2 result_cols;

6
unixODBC.spec
View File

@ -1,6 +1,6 @@
Name: unixODBC Name: unixODBC
Version: 2.3.9 Version: 2.3.9
Release: 3 Release: 4
Summary: Open-source project that implements the ODBC API Summary: Open-source project that implements the ODBC API
License: GPLv2+ and LGPLv2+ License: GPLv2+ and LGPLv2+
URL: http://www.unixODBC.org/ URL: http://www.unixODBC.org/
@ -8,6 +8,7 @@ Source: http://www.unixODBC.org/%{name}-%{version}.tar.gz
Source1: odbcinst.ini Source1: odbcinst.ini
Patch0000: null_dereference_check.patch Patch0000: null_dereference_check.patch
Patch0001: delete_password.patch Patch0001: delete_password.patch
Patch6001: backport-0001-CVE-2024-1013.patch
Conflicts: iodbc Conflicts: iodbc
BuildRequires: automake autoconf libtool libtool-ltdl-devel bison flex readline-devel BuildRequires: automake autoconf libtool libtool-ltdl-devel bison flex readline-devel
@ -90,6 +91,9 @@ find doc -name 'Makefile*' | xargs rm
%exclude %{_datadir}/libtool %exclude %{_datadir}/libtool
%changelog %changelog
* Thu Oct 24 2024 Funda Wang <fundawang@yeah.net> - 2.3.9-4
- fix CVE-2024-1013
* Thu Dec 16 2021 Haoran Yang <yanghaoran7@huawei.com> - 2.3.9-3 * Thu Dec 16 2021 Haoran Yang <yanghaoran7@huawei.com> - 2.3.9-3
- add delete_password.patch (hiding password in unixODBC log) - add delete_password.patch (hiding password in unixODBC log)