Hello community,

here is the log from the commit of package unixODBC for openSUSE:11.3
checked in at Tue Jun 14 18:24:23 CEST 2011.



--------
--- old-versions/11.3/all/unixODBC/unixODBC-gui-qt.changes      2008-10-13 
17:00:11.000000000 +0200
+++ 11.3/unixODBC/unixODBC-gui-qt.changes       2011-06-13 11:20:11.000000000 
+0200
@@ -1,0 +2,5 @@
+Mon Jun 13 11:17:00 CEST 2011 - mhruse...@suse.cz
+
+- fixed CVE-2011-1145 (bnc#678796)
+
+-------------------------------------------------------------------
--- old-versions/11.3/all/unixODBC/unixODBC.changes     2009-12-19 
13:43:18.000000000 +0100
+++ 11.3/unixODBC/unixODBC.changes      2011-06-13 11:20:12.000000000 +0200
@@ -1,0 +2,5 @@
+Mon Jun 13 11:17:49 CEST 2011 - mhruse...@suse.cz
+
+- fixed CVE-2011-1145 (bnc#678796)
+
+-------------------------------------------------------------------

Package does not exist at destination yet. Using Fallback 
old-versions/11.3/all/unixODBC
Destination is old-versions/11.3/UPDATES/all/unixODBC
calling whatdependson for 11.3-i586


New:
----
  unixODBC-2.2.12-CVE-2011-1145.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ unixODBC-gui-qt.spec ++++++
--- /var/tmp/diff_new_pack.2IHjUR/_old  2011-06-14 18:23:29.000000000 +0200
+++ /var/tmp/diff_new_pack.2IHjUR/_new  2011-06-14 18:23:29.000000000 +0200
@@ -1,7 +1,7 @@
 #
-# spec file for package unixODBC-gui-qt (Version 2.2.12)
+# spec file for package unixODBC-gui-qt
 #
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -21,7 +21,7 @@
 Name:           unixODBC-gui-qt
 BuildRequires:  qt3-devel
 Version:        2.2.12
-Release:        200
+Release:        204.<RELEASE2>
 Summary:        ODBC Configuration  Utility, Data Source Browser, and ODBC 
Test Tool based
 License:        GPLv2+
 Url:            http://www.unixodbc.org/
@@ -39,6 +39,7 @@
 Patch10:        unixODBC-%{version}-libodbcinst-exports.patch
 Patch11:        unixODBC-%{version}-flex.patch
 Patch12:        unixODBC-%{version}-ctracing.patch
+Patch13:        unixODBC-2.2.12-CVE-2011-1145.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -62,6 +63,7 @@
 %patch10
 %patch11
 %patch12
+%patch13 -p1
 install -m 644 %{S:1} .
 
 %build

++++++ unixODBC.spec ++++++
--- /var/tmp/diff_new_pack.2IHjUR/_old  2011-06-14 18:23:29.000000000 +0200
+++ /var/tmp/diff_new_pack.2IHjUR/_new  2011-06-14 18:23:29.000000000 +0200
@@ -1,7 +1,7 @@
 #
-# spec file for package unixODBC (Version 2.2.12)
+# spec file for package unixODBC
 #
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -21,7 +21,7 @@
 Name:           unixODBC
 BuildRequires:  gcc-c++
 Version:        2.2.12
-Release:        122
+Release:        204.<RELEASE2>
 Summary:        ODBC driver manager with some drivers included
 License:        GPLv2+ ; LGPLv2.1+
 Url:            http://www.unixodbc.org/
@@ -49,6 +49,7 @@
 Patch11:        %{name}-%{version}-flex.patch
 Patch12:        %{name}-%{version}-sqp.patch
 Patch13:        %{name}-%{version}-uninitialized.patch
+Patch14:        unixODBC-2.2.12-CVE-2011-1145.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %package devel
@@ -97,6 +98,7 @@
 %patch11
 %patch12
 %patch13
+%patch14 -p1
 install -m 644 %{S:1} .
 
 %build

++++++ unixODBC-2.2.12-CVE-2011-1145.patch ++++++
--- trunk/DriverManager/SQLDriverConnect.c      2011/01/12 15:50:07     23
+++ trunk/DriverManager/SQLDriverConnect.c      2011/03/09 15:38:55     27
@@ -664,7 +664,7 @@
 {
     DMHDBC connection = (DMHDBC)hdbc;
     struct con_struct con_struct;
-    char *driver, *dsn = NULL, *filedsn, *tsavefile, savefile[ 128 ];
+    char *driver, *dsn = NULL, *filedsn, *tsavefile, savefile[ 
INI_MAX_PROPERTY_VALUE + 1 ];
     char lib_name[ INI_MAX_PROPERTY_VALUE + 1 ];
     char driver_name[ INI_MAX_PROPERTY_VALUE + 1 ];
     SQLRETURN ret_from_connect;
@@ -969,7 +969,13 @@
     tsavefile = __get_attribute_value( &con_struct, "SAVEFILE" );
     if ( tsavefile )
     {
-        strcpy( savefile, tsavefile );
+        if ( strlen( tsavefile ) > INI_MAX_PROPERTY_VALUE ) {
+            memcpy( savefile, tsavefile, INI_MAX_PROPERTY_VALUE );
+            savefile[ INI_MAX_PROPERTY_VALUE ] = '\0';
+        }
+        else {
+            strcpy( savefile, tsavefile );
+        }
     }
     else
     {
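Review bot: The over-long branch for SAVEFILE silently truncates the attribute to INI_MAX_PROPERTY_VALUE bytes, so the code after this hunk goes on with a file name the caller never supplied. If savefile is later used as the path the connection string is saved to (not visible here), rejecting the over-long value or at least logging the truncation would be safer than continuing. The bound also repeats the array size from the declaration changed in the first hunk. Tying it to the buffer keeps the two from drifting apart: `memcpy( savefile, tsavefile, sizeof( savefile ) - 1 );` and `savefile[ sizeof( savefile ) - 1 ] = '\0';`. The enclosing function and the trailing else branch continue outside the hunk.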

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Remember to have fun...
