CVE-2024-1013: PostgreSQL driver: Fix incompatible pointer-to-integer types

[fweimer-rh]

These result in out-of-bounds stack writes on 64-bit architectures (caller has 4 bytes, callee writes 8 bytes), and seem to have gone unnoticed on little-endian architectures (although big-endian architectures must be broken).

This change is required to avoid a build failure with GCC 14.

I'll ask Red Hat Product Security if they think this needs to be tracked as a security vulnerability.

Related to:

• https://fedoraproject.org/wiki/Changes/PortingToModernC
• https://fedoraproject.org/wiki/Toolchain/PortingToModernC

[fweimer-rh]

Red Hat Product Security has assigned CVE-2024-1013 to this issue.

[jubalh]

Red Hat Product Security has assigned CVE-2024-1013 to this issue.

Isn't Drivers/Postgre7.1/info.c just an example driver that shouldnt be used/built in production anyways?

The drivers in here are historical ones or example drivers.
They are not supported anymore. But can be used as a starting
point to write your own.

From https://github.com/lurcher/unixODBC/blob/master/Drivers/README

[lurcher]

On 29/01/2024 09:25, Michael Vetter wrote: Red Hat Product Security has assigned CVE-2024-1013 to this issue. Isn't |Drivers/Postgre7.1/info.c| just an example driver that shouldnt be used in production anyways?

Yep, very old driver. I guess I will make the change to just keep the peace.

[fweimer-rh]

Red Hat Product Security has assigned CVE-2024-1013 to this issue.

Isn't Drivers/Postgre7.1/info.c just an example driver that shouldnt be used/built in production anyways?

Ugh, I had no idea. Looks like we keep building these drivers, but they do not end up shipping as far as I can tell.

[jubalh]

Ugh, I had no idea. Looks like we keep building these drivers, but they do not end up shipping as far as I can tell.

openSUSE uses psqlODBC instead.

[kloczek]

Is it possible to release new version because this commit? 🤔