Subject: [ASA-201802-14] unixodbc: arbitrary code execution Arch Linux Security Advisory ASA-201802-14 ========================================== Severity: High Date : 2018-02-23 CVE-ID : CVE-2018-7409 Package : unixodbc Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-627 Summary ======= The package unixodbc before version 2.3.5-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 2.3.5-1. # pacman -Syu "unixodbc>=2.3.5-1" The problem has been fixed upstream in version 2.3.5. Workaround ========== None. Description =========== In unixODBC before 2.3.5, there is a buffer overflow in the unicode_to_ansi_copy() function in DriverManager/__info.c possibly leading to arbitrary code execution. Impact ====== A remote attacker is able to execute arbitrary code on the affected host. References ========== https://security.archlinux.org/CVE-2018-7409