Bug 2260823 (CVE-2024-1013) - CVE-2024-1013 unixODBC: out of bounds stack write due to pointer-to-integer types conversion
Summary: CVE-2024-1013 unixODBC: out of bounds stack write due to pointer-to-integer t...
Alias: CVE-2024-1013
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Product Security
QA Contact:
Depends On: 2270029
Blocks: 2260824
TreeView+ depends on / blocked
Reported: 2024-01-29 08:23 UTC by Rohit Keshri
Modified: 2024-04-26 05:46 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds stack write flaw was found in unixODBC on 64-bit architectures where the caller has 4 bytes and callee writes 8 bytes. This issue may go unnoticed on little-endian architectures, while big-endian architectures can be broken.
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Rohit Keshri 2024-01-29 08:23:33 UTC
An out-of-bounds stack writes on 64-bit architectures (caller has 4 bytes, callee writes 8 bytes), and seem to have gone unnoticed on little-endian architectures (although big-endian architectures must be broken).


Comment 4 Dhananjay Arunesh 2024-03-18 10:21:15 UTC
Created unixODBC tracking bugs for this issue:

Affects: fedora-all [bug 2270029]

Comment 7 Michal Schorm 2024-04-25 16:00:33 UTC
I've managed to establish communication with the upstream and discuss parts I was confused about.

The result is: Neither Fedora, nor RHEL are affected.



There are two files with very similar names:
Despite having similar name, they are built from entirely different parts of the unixODBC sources and they have entirely different meaning.

The first one is a 'main driver'.
It utilizes the main ODBC API that covers the actual running of a connection to a database, this is called after connecting at run time via the driver manager.
It's sources are in: 'Drivers/Postgre7.1' directory

The second one is a 'setup driver'.
A small API which is used by the GUI component:
which we doesn't have in RHEL.
All the (any) 'setup driver' does is edit the odbc.ini entries.
It's sources are in: 'DRVConfig/PostgreSQL' directory.


The vulnerable code is part of the 'main driver', and has nothing to do with the 'setup driver'.
We build both (even though there's no logical need to build either).
We delete the 'main driver' during the package build process:
so it's neither packed nor shipped.

We keep the 'setup driver'. It doesn't have any value in RHEL, as there isn't any GUI tool to use it with.
It's a relic synced from Fedora, but harmless.

Note You need to log in before you can comment on or make changes to this bug.