[Bug 1835896] Re: Heap overflow if UDT type is used with protocol 5.0
Launchpad Bug Tracker
1835896 at bugs.launchpad.net
Wed Oct 30 14:01:11 UTC 2019
This bug was fixed in the package freetds - 1.00.104-1ubuntu0.1
---------------
freetds (1.00.104-1ubuntu0.1) disco-security; urgency=medium
* SECURITY UPDATE: Heap overflow if UDT type is used with protocol 5.0
(LP: #1835896)
- src/tds/data.c: make sure UDT has varint set to 8.
- 0df4eb82a0e3ff844e373d7c9f9c6c813925e2ac
- CVE-2019-13508
-- Marc Deslauriers <marc.deslauriers at ubuntu.com> Thu, 17 Oct 2019
13:09:25 -0400
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to freetds in Ubuntu.
https://bugs.launchpad.net/bugs/1835896
Title:
Heap overflow if UDT type is used with protocol 5.0
Status in freetds package in Ubuntu:
Confirmed
Status in freetds source package in Bionic:
Fix Released
Status in freetds source package in Disco:
Fix Released
Status in freetds source package in Eoan:
Fix Released
Status in freetds source package in Focal:
Confirmed
Bug description:
Description of problem:
A malicious server could cause heap overflow.
This can happens if server cause a downgrade to protocol 5.0 and send a UDT type.
This does not apply to a specific Ubuntu version. FreeTDS version from 0.95 are affected so all versions distributed with recent Ubuntu.
How reproducible:
You need to write a malicious server doing downgrade and sending the UDT type.
Actual results:
Heap overflow
Expected results:
Type handled correctly or disconnection due to invalid protocol.
Additional info:
This was reported by Felix Wilhelm from the Google Security Team.
This is fixed by https://github.com/FreeTDS/freetds/commit/0df4eb82a0e3ff844e373d7c9f9c6c813925e2ac
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freetds/+bug/1835896/+subscriptions
More information about the foundations-bugs
mailing list