Bug#635668: libdbd-odbc-perl: package may be built with incorrect pointer size on 64-bit systems

Jonathan Yu jawnsy at cpan.org
Thu Jul 28 00:02:56 UTC 2011


Package: libdbd-odbc-perl
Severity: grave
Tags: security
Justification: user security hole


Because of changes that Microsoft made to the ODBC specification, the previously
32-bit binary protocol now supports 64-bit values on systems that support it (e.g.
on amd64 and possibly the ia64 architectures).

During build time, DBD::ODBC probes for a utility called odbc_config, which, like
pkg-config, is intended to provide developers with the compiler flags used to build
unixODBC itself. However, because this is not included with Debian's unixODBC (it
is not installed into any of the unixodbc binary packages), it is not possible to
tell whether the package should be compiled assuming 32-bit or 64-bit data types.

When the odbc_config cannot be found (since it is not available in Debian), the
macro SIZEOF_LONG is not defined, so DBD::ODBC assumes that unixODBC was built
with 32-bit-long SQLLEN and SQLULEN.

This raises a potential security issue because unixODBC could write 64-bit values
into buffers that are only 32 bits large (DBD::ODBC having provided 32-bit-long
buffers based on the assumption of SQLLEN and SQLULEN being 32 bits).

This issue is explained at length on the blog of the DBD::ODBC upstream developer:
http://www.martin-evans.me.uk/node/116
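As an added illustration of the mismatch described above (a constructed model, not DBD::ODBC or unixODBC code), the following C program shows a library built with 64-bit SQLLEN writing through a pointer the application sized for 32-bit SQLLEN, next to the matched-size case and the sizeof check that odbc_config's flags would normally settle. The lib_/app_ type names, the struct layouts and the canary value are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: the driver manager was built with 64-bit SQLLEN, while
 * the application was built assuming 32-bit SQLLEN because SIZEOF_LONG was
 * never defined (odbc_config absent). */
typedef int64_t lib_SQLLEN;   /* what a 64-bit unixODBC actually writes */
typedef int32_t app_SQLLEN;   /* what the application assumed */

/* Stand-in for a driver-manager call that reports a length/indicator through
 * a caller-supplied SQLLEN* (the StrLen_or_Ind style argument). */
static void lib_report_length(void *strlen_or_ind, lib_SQLLEN value) {
    memcpy(strlen_or_ind, &value, sizeof value);  /* writes 8 bytes */
}

/* Caller-side buffers with a canary placed right behind the indicator slot so
 * an overrun is observable.  Consecutive int32_t members have no padding. */
struct app_bind32 { app_SQLLEN indicator; int32_t canary; };
struct app_bind64 { lib_SQLLEN indicator; int32_t canary; };

#define CANARY 0x5A5A5A5A

/* Returns 1 if the library's 8-byte write spilled past the 4-byte slot. */
int mismatch_corrupts_neighbour(void) {
    struct app_bind32 b = { 0, CANARY };
    lib_report_length(&b.indicator, 42);
    return b.canary != CANARY;
}

/* Returns 1 only if the value round-trips intact and the canary survives. */
int matched_size_is_safe(void) {
    struct app_bind64 b = { 0, CANARY };
    lib_report_length(&b.indicator, 42);
    return b.indicator == 42 && b.canary == CANARY;
}

/* Build-time style check: returns nonzero when the application's assumed
 * SQLLEN size differs from the size the library was built with. */
int sqllen_size_mismatch(size_t app_assumed, size_t lib_actual) {
    return app_assumed != lib_actual;
}

int main(void) {
    printf("32-bit slot clobbers neighbour: %d\n", mismatch_corrupts_neighbour());
    printf("64-bit slot safe: %d\n", matched_size_is_safe());
    printf("size mismatch: %d\n",
           sqllen_size_mismatch(sizeof(app_SQLLEN), sizeof(lib_SQLLEN)));
    return 0;
}
```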

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
