PT-2012-1208 · Unixodbc+1 · Unixodbc+1
Felipe Pena · Published 2012-05-14 · Updated 2024-08-06 · CVE-2012-2657
CVSS v2.0: 2.1 (Low)
Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P
Name of the Vulnerable Software and Affected Versions
unixODBC versions 2.0.10, 2.3.1, and earlier
Description
The issue is related to a buffer overflow in the SQLDriverConnect function, which can be triggered by a long string in the FILEDSN option, potentially allowing local users to cause a denial of service (crash). It is noted that this issue might not be a vulnerability, as the ability to set this option typically implies that the attacker already has legitimate access to cause a DoS or execute code, and therefore the issue would not cross privilege boundaries. There may be limited attack scenarios if isql command-line options are exposed to an attacker.
Recommendations
For unixODBC versions 2.0.10, 2.3.1, and earlier, consider restricting access to the FILEDSN option to minimize the risk of exploitation. As a temporary workaround, consider disabling the SQLDriverConnect function until a patch is available. Avoid using long strings in the FILEDSN option to prevent potential crashes. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
DoS
Buffer Overflow
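One way an application or wrapper can act on the advice to avoid long FILEDSN strings is to check the connection string before it reaches SQLDriverConnect. The following is an added example, not code from this advisory or from unixODBC; the helper name `filedsn_ok` and the 255-byte `MAX_FILEDSN_LEN` limit are assumptions chosen for illustration, and the limit is not the size of any buffer inside unixODBC.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy limit for this example; NOT a buffer size taken from unixODBC. */
#define MAX_FILEDSN_LEN 255

/* Case-insensitive match of a keyword (k, n bytes) against an upper-case name. */
static int key_is(const char *k, size_t n, const char *name)
{
    if (strlen(name) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)k[i]) != name[i]) return 0;
    return 1;
}

/* Hypothetical helper: returns 1 if every FILEDSN value in an ODBC connection
 * string is at most max_len bytes, 0 if one is longer or a brace is unclosed.
 * Braces and padding are counted, so the check errs on the strict side. */
int filedsn_ok(const char *connstr, size_t max_len)
{
    const char *p = connstr;
    while (*p) {
        while (*p == ';' || isspace((unsigned char)*p)) p++;
        const char *key = p;
        while (*p && *p != '=' && *p != ';') p++;
        size_t klen = (size_t)(p - key);
        while (klen && isspace((unsigned char)key[klen - 1])) klen--;
        if (*p != '=') continue;              /* keyword without a value */
        const char *val = ++p;
        if (*p == '{') {                      /* braced value may contain ';' */
            const char *close = strchr(p, '}');
            if (!close) return 0;
            p = close + 1;
        }
        while (*p && *p != ';') p++;
        if (key_is(key, klen, "FILEDSN") && (size_t)(p - val) > max_len)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample input, not taken from the advisory. */
    const char *s = "DSN=;FileDSN={/etc/odbc/sales;v2.dsn};UID=report";
    printf("%s\n", filedsn_ok(s, MAX_FILEDSN_LEN) ? "accept" : "reject");
    return 0;
}
```

A caller would reject the connection attempt when `filedsn_ok` returns 0 rather than truncating the value.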
Affected Products
Alt Linux
Unixodbc