In association with heise online

16 August 2006, 08:32

IBM closes security hole in Informix database


Security service provider NGSSoftware has discovered several security holes in IBM's Informix Dynamic Server. Updates to fix the problems are already available from IBM. The software giant took its time in preparing the patches, however: according to the security advisory, NGSSoftware informed IBM about the flaws all the way back in January 2005.

Using the LOTOFILE and rlt_tracefile_set functions, attackers could create and write arbitrary files. This was also the case with SET DEBUG FILE. The security specialists at NGSSoftware also turned up numerous buffer overflows. These could occur in the SET DEBUG FILE, IFX_FILE_TO_FILE, FILETOCLOB, LOTOFILE and DBINFO functions. At the protocol level, the functions _sq_remview, _sq_remproc, _sq_remperms, _sq_distfetch and _sq_dcatalog were susceptible to buffer overflows; they call the C function getname(), which, like strcpy(), copies a string into the target buffer.
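An added illustration of the unchecked-copy pattern described above, next to a bounded version that rejects oversized or unterminated names. It is not Informix or NGSSoftware code; the function names, the 32-byte buffer and the sample inputs are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 32              /* constructed size, not an Informix value */
static char last_name[NAME_BUF_SIZE]; /* destination buffer for the demo */

/* Unchecked pattern: copies up to the first NUL, whatever the size of dst.
   Shown for comparison only; it is never called below. */
void copy_name_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Bounded copy for a name field received from a client.
   src/src_len describe the bytes actually received, which may lack a NUL.
   Returns 0 on success, -1 if the field is unterminated or does not fit.
   Oversized names are rejected, not silently truncated. */
int copy_name_checked(char *dst, size_t dst_size,
                      const char *src, size_t src_len)
{
    const char *nul;
    size_t len;

    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';                     /* leave a valid empty string on failure */
    nul = memchr(src, '\0', src_len);  /* never read past the received bytes */
    if (nul == NULL)
        return -1;
    len = (size_t)(nul - src);
    if (len >= dst_size)
        return -1;
    memcpy(dst, src, len + 1);         /* name plus its terminator */
    return 0;
}

/* Run the checked copy on one constructed field. */
int demo_copy(const char *field, size_t field_len)
{
    return copy_name_checked(last_name, sizeof last_name, field, field_len);
}

int main(void)
{
    const char big[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* longer than the buffer */
    printf("short name:   %d\n", demo_copy("systables", 10));
    printf("oversized:    %d\n", demo_copy(big, sizeof big));
    printf("unterminated: %d\n", demo_copy("abc", 3));
    return 0;
}
```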

Administrators should install the updates as soon as possible. They should be available through the standard IBM channels, for example on the Passport Advantage page.
