Description: The SQLWriteFileDSN function in odbcinst/SQLWriteFileDSN.c in unixODBC 2.3.5 has strncpy arguments in the wrong order, which allows attackers to cause a denial of service or possibly have unspecified other impact.

Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| unixodbc (PTS) | stretch | 2.3.4-1 | fixed |
| | buster, bullseye | 2.3.6-0.1 | fixed |
| | bookworm, sid | 2.3.9-5 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| unixodbc | source | (unstable) | (not affected) | | | |


- unixodbc <not-affected> (Vulnerable code introduced later)
Issue introduced with
when actually fixing another potential (security) issue, "Buffer
overflows and missing null checks in SQLConfigDataSource,
SQLInstallDriverEx, and SQLWriteFileDSN"
