Bug#264453: [Pkg-firebird-general] Bug#264453: Very likely not exploitable

Damyan Ivanov divanov at creditreform.bg
Mon Oct 31 12:14:04 UTC 2005


tags 264453 - security
tags 264453 + fixed-upstream
thanks

Florian Weimer wrote:
> * Damyan Ivanov:
> 
>>If you have no objections, I intend to close the bug report. Or should it be
>>tagged "wontfix" and the security tag removed?
> 
> Either way is fine with me.  If the underlying problem -- passing
> around buffer addresses without the corresponding length -- is tracked
> somewhere else (maybe under a "we need to switch to better data
> structures" umbrella), it's probably not necessary to keep the Debian
> bug open.

In fact, in CVS HEAD, the function in question (gds__interprete) is now
deprecated and replaced by safe_interpret, which receives the buffer size as an
input parameter (below). The old function may still be called somewhere, but as
discussed, this is no security threat.

I am tagging it fixed-upstream. The bug should go away when a version providing
safe_interpret is packaged.


Thanks for your help,
dam

/* CVC: This non-const signature is needed for compatibility. The reason is
....
November, 2004: We agree that fb_interpret is the new, safe interface.
Both gds__interprete and isc_interprete are deprecated. */

SLONG API_ROUTINE gds__interprete(char* s, ISC_STATUS** vector)
{
/**************************************
 *
 *	g d s _ $ i n t e r p r e t e
 *
 **************************************
 *
 * Functional description
 * See safe_interpret for details. Now this is a wrapper for that function.
 * CVC: Since this routine doesn't get the size of the input buffer,
 * it's DEPRECATED and we'll assume the buffer size was 1024 as in Borland examples.
 *
 **************************************/
	return safe_interpret(s, 1024, const_cast<const ISC_STATUS**>(vector), true);
}


/**
safe_interpret

	@brief Translate a status code with arguments to a string.  Return the
	length of the string while updating the vector address.  If the
	message is null (end of messages) or invalid, return 0;

	@param s the output buffer where a human readable version of the error is put
	@param bufsize the size of the output buffer
	@param vector the input, the address of const pointer to the status vector
	    that was filled by an API call that reported an error. The function
	    positions the pointer on the next element of the vector.

**/
static SLONG safe_interpret(char* const s, const int bufsize,
	const ISC_STATUS** const vector, bool legacy)



-- 
Damyan Ivanov                              Creditreform Bulgaria
divanov at creditreform.bg              http://www.creditreform.bg/
phone: +359(2)928-2611, 929-3993            fax: +359(2)920-0994
mob. +359(88)856-6067               dam at jabber.minus273.org/Gaim
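To illustrate the interface change discussed above (a length-aware interpreter that truncates instead of overrunning the caller's buffer and returns 0 at the end of the vector), here is an added example; it is not Firebird's code, and the tag values, two-word cluster layout and sample vector are constructed simplifications.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Firebird's code: a miniature status-vector interpreter
 * with a safe_interpret-style signature. Tag values and the two-word cluster
 * layout (tag, argument) are hypothetical simplifications. */
typedef intptr_t status_t;                 /* stand-in for ISC_STATUS */
enum { TAG_END = 0, TAG_ERRCODE = 1, TAG_TEXT = 2 };

/* Translate the cluster at *vector into s, writing at most bufsize bytes and
 * always NUL-terminating. Returns the length stored in s, or 0 at the end of
 * the vector or on an invalid cluster; *vector advances only on success. */
long safe_interpret_demo(char *const s, const int bufsize,
                         const status_t **const vector)
{
    if (s == NULL || bufsize <= 0 || vector == NULL || *vector == NULL)
        return 0;
    const status_t *v = *vector;
    int n;
    switch (v[0]) {
    case TAG_ERRCODE:
        n = snprintf(s, (size_t)bufsize, "error code %ld", (long)v[1]);
        break;
    case TAG_TEXT:
        n = snprintf(s, (size_t)bufsize, "%s", (const char *)v[1]);
        break;
    default:                               /* TAG_END or unknown tag */
        s[0] = '\0';
        return 0;
    }
    if (n < 0) { s[0] = '\0'; return 0; }
    if (n >= bufsize) n = bufsize - 1;     /* truncated, never overrun */
    *vector = v + 2;
    return n;
}

/* Walk a constructed sample vector with a caller-chosen bufsize; returns the
 * message count and stores each produced length in lens[]. */
static const char SAMPLE_TEXT[] = "table TEST not found";   /* constructed */
int demo_walk(int bufsize, long *lens, int maxn)
{
    const status_t vec[] = { TAG_ERRCODE, 12345, TAG_TEXT,
                             (status_t)SAMPLE_TEXT, TAG_END };
    const status_t *p = vec;
    char buf[1024];
    int count = 0; long n;
    while (count < maxn && (n = safe_interpret_demo(buf, bufsize, &p)) > 0)
        lens[count++] = n;
    return count;
}
```

The caller passes the real buffer size, so a small buffer only shortens the text; the legacy wrapper's fixed 1024 assumption is exactly what this parameter removes.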