[Bug 1835896] Re: Heap overflow if UDT type is used with protocol 5.0

[Marc Deslauriers]

** Also affects: freetds (Ubuntu Eoan)
   Importance: Undecided
       Status: New

** Also affects: freetds (Ubuntu Disco)
   Importance: Undecided
       Status: New

** Also affects: freetds (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: freetds (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Changed in: freetds (Ubuntu Bionic)
       Status: New => Confirmed

** Changed in: freetds (Ubuntu Disco)
       Status: New => Confirmed

** Changed in: freetds (Ubuntu Eoan)
       Status: New => Confirmed

** Changed in: freetds (Ubuntu Focal)
       Status: New => Confirmed

** Changed in: freetds (Ubuntu Bionic)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: freetds (Ubuntu Disco)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: freetds (Ubuntu Eoan)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: freetds (Ubuntu Focal)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: freetds (Ubuntu Bionic)
   Importance: Undecided => Medium

** Changed in: freetds (Ubuntu Disco)
   Importance: Undecided => Medium

** Changed in: freetds (Ubuntu Eoan)
   Importance: Undecided => Medium

** Changed in: freetds (Ubuntu Focal)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to freetds in Ubuntu.
https://bugs.launchpad.net/bugs/1835896

Title:
  Heap overflow if UDT type is used with protocol 5.0

Status in freetds package in Ubuntu:
  Confirmed
Status in freetds source package in Bionic:
  Confirmed
Status in freetds source package in Disco:
  Confirmed
Status in freetds source package in Eoan:
  Confirmed
Status in freetds source package in Focal:
  Confirmed

Bug description:
  Description of problem:
  A malicious server could cause heap overflow.
  This can happens if server cause a downgrade to protocol 5.0 and send a UDT type.
  This does not apply to a specific Ubuntu version. FreeTDS version from 0.95 are affected so all versions distributed with recent Ubuntu.

  
  How reproducible:
  You need to write a malicious server doing downgrade and sending the UDT type.

  
  Actual results:
  Heap overflow

  
  Expected results:
  Type handled correctly or disconnection due to invalid protocol.

  
  Additional info:
  This was reported by Felix Wilhelm from the Google Security Team.
  This is fixed by https://github.com/FreeTDS/freetds/commit/0df4eb82a0e3ff844e373d7c9f9c6c813925e2ac

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freetds/+bug/1835896/+subscriptions