Your message dated Fri, 29 Jul 2011 08:05:14 -0400
with message-id <camdxsegae5wtj2+cezs0d+udkxkhy7oc8ek33g8be36_9xt...@mail.gmail.com>
and subject line Re: Bug#635668: retraction and explanation
has caused the Debian Bug report #635668,
regarding libdbd-odbc-perl: package may be built with incorrect pointer size on 64-bit systems
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
635668: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=635668
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libdbd-odbc-perl
Severity: grave
Tags: security
Justification: user security hole


Because of changes that Microsoft made to the ODBC specification, the previously 32-bit binary protocol now supports 64-bit values on systems that support it (e.g. on amd64 and possibly the ia64 architectures).

During build time, DBD::ODBC probes for a utility called odbc_config, which, like pkg-config, is intended to provide developers with the compiler flags used to build unixODBC itself. However, because this is not included with Debian's unixODBC (it is not installed into any of the unixodbc binary packages), it is not possible to tell whether the package should be compiled assuming 32-bit or 64-bit data types.

When odbc_config cannot be found (since it is not available in Debian), the macro SIZEOF_LONG is not defined, so DBD::ODBC assumes that unixODBC was built with 32-bit-long SQLLEN and SQLULEN.

This raises a potential security issue because unixODBC could write 64-bit values into buffers that are only 32 bits large (DBD::ODBC having provided 32-bit-long buffers based on the assumption of SQLLEN and SQLULEN being 32 bits).

This issue is explained at length on the blog of the DBD::ODBC upstream developer: http://www.martin-evans.me.uk/node/116

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash



--- End Message ---
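To show why the mismatch the report above describes fails silently, here is an added C model (not code from the bug report, DBD::ODBC or unixODBC): the caller's view of SQLLEN is 4 bytes while the driver manager writes 8. The type and function names are assumptions; SQL_NULL_DATA_SIM mirrors the real ODBC SQL_NULL_DATA value of -1.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-ins for the two views of SQLLEN in the report:
 * unixODBC built on a 64-bit system uses an 8-byte SQLLEN, while a
 * DBD::ODBC built without SIZEOF_LONG=8 assumes a 4-byte one. */
typedef int64_t dm_sqllen_t;   /* driver manager's view (assumed 8 bytes) */
typedef int32_t app_sqllen_t;  /* DBD::ODBC's mistaken view (4 bytes) */

#define SQL_NULL_DATA_SIM (-1) /* same value as ODBC's SQL_NULL_DATA */

/* What the caller hands over: an indicator slot followed by unrelated
 * state (the canary stands in for whatever lives next in memory). */
struct app_bind {
    app_sqllen_t indicator;
    uint32_t     canary;
};

/* Simulated driver-manager write: it only knows its own SQLLEN width
 * and writes that many bytes through the pointer it was given. */
static void dm_store_indicator(void *ind_ptr, dm_sqllen_t value)
{
    memcpy(ind_ptr, &value, sizeof value);
}

/* Returns 1 if the driver manager's 8-byte write landed on the
 * neighbouring field while the indicator itself still looks valid. */
int demo_mismatch_clobbers_neighbour(void)
{
    struct app_bind b = { 0, 0xCAFEF00Du };
    dm_store_indicator(&b.indicator, SQL_NULL_DATA_SIM);
    /* -1 is all 0xFF bytes, so the indicator reads as a plausible
     * SQL_NULL_DATA and nothing fails loudly; only the canary shows
     * that four extra bytes were written past the caller's buffer. */
    return b.indicator == SQL_NULL_DATA_SIM && b.canary != 0xCAFEF00Du;
}

/* The check a packager wants at build time: both sides must agree on
 * the width of SQLLEN before any buffer is handed across. */
int sqllen_widths_agree(size_t app_width, size_t dm_width)
{
    return app_width == dm_width;
}

int main(void)
{
    printf("neighbour clobbered: %d\n", demo_mismatch_clobbers_neighbour());
    printf("4-byte vs 8-byte SQLLEN agree: %d\n",
           sqllen_widths_agree(sizeof(app_sqllen_t), sizeof(dm_sqllen_t)));
    return 0;
}
```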
--- Begin Message ---
Closing this bug report per the message below, no further action is
required here.

Cheers,

Jonathan

On Thu, Jul 28, 2011 at 9:58 AM, Martin J. Evans
<martin.ev...@easysoft.com> wrote:
> Jonathan Yu reported this issue on my behalf (so it is no reflection on him)
> after I was seeking someone to try and get unixODBC's odbc_config into
> Debian for the reason outlined above.
>
> I am not a debian user myself but I was sent header files reportedly from
> Ubuntu boxes which did not contain a unixodbc_conf.h and needed SIZEOF_LONG
> set to 8 else SQLLEN/SQLULEN was not 64 bit. These headers did not contain a
> define for BUILD_REAL_64_BIT_MODE either.
>
> With the help of more debian savvy people I located the lenny (oldstable)
> and squeeze (stable) headers and these are in fact correct because someone
> has added BUILD_REAL_64_BIT_MODE.
>
> As a result this does not seem to be a problem in debian as distributed in
> stable releases.
>
> However, please still consider adding odbc_config to unixODBC as it has
> other uses beyond locating --cflags.
>
> Martin
>
>
>
> _______________________________________________
> pkg-perl-maintainers mailing list
> pkg-perl-maintain...@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-maintainers
>


--- End Message ---