Problem Note 68712: A stack-trace vulnerability occurs with the IMPORT procedure while importing a CSV file
 |  |  |  |  |
Severity: High
Description: In a SAS® session with the system option DBCS set, the default option for English with DBCS or UNICODE Support, PROC IMPORT might crash when importing a CSV file that contains characters that do not exist on the ANSI - Latin 1 code page. A workaround is to use a DATA step with INFILE and INPUT statements to read the delimited file.
Potential Impact: An attacker can use a resulting stack trace to gather information.
Click the Hot Fix tab in this note to access the hot fix for this issue.
Operating System and Release Information
| Product Family | Product | System | SAS Release | |
| Reported | Fixed* | |||
| SAS System | Base SAS | z/OS | 9.4 TS1M6 | |
| z/OS 64-bit | 9.4 TS1M6 | |||
| Microsoft® Windows® for x64 | 9.4 TS1M6 | |||
| Microsoft Windows 8 Enterprise 32-bit | 9.4 TS1M6 | |||
| Microsoft Windows 8 Enterprise x64 | 9.4 TS1M6 | |||
| Microsoft Windows 8 Pro 32-bit | 9.4 TS1M6 | |||
| Microsoft Windows 8 Pro x64 | 9.4 TS1M6 | |||
| Microsoft Windows 8.1 Enterprise 32-bit | 9.4 TS1M6 | |||
| Microsoft Windows 8.1 Enterprise x64 | 9.4 TS1M6 | |||
| Microsoft Windows 8.1 Pro 32-bit | 9.4 TS1M6 | |||
| Microsoft Windows 8.1 Pro x64 | 9.4 TS1M6 | |||
| Microsoft Windows 10 | 9.4 TS1M6 | |||
| Microsoft Windows Server 2008 | 9.4 TS1M6 | |||
| Microsoft Windows Server 2008 R2 | 9.4 TS1M6 | |||
| Microsoft Windows Server 2008 for x64 | 9.4 TS1M6 | |||
| Microsoft Windows Server 2012 Datacenter | 9.4 TS1M6 | |||
| Microsoft Windows Server 2012 R2 Datacenter | 9.4 TS1M6 | |||
| Microsoft Windows Server 2012 R2 Std | 9.4 TS1M6 | |||
| Microsoft Windows Server 2012 Std | 9.4 TS1M6 | |||
| Microsoft Windows Server 2016 | 9.4 TS1M6 | |||
| Microsoft Windows Server 2019 | 9.4 TS1M6 | |||
| Windows 7 Enterprise 32 bit | 9.4 TS1M6 | |||
| Windows 7 Enterprise x64 | 9.4 TS1M6 | |||
| Windows 7 Home Premium 32 bit | 9.4 TS1M6 | |||
| Windows 7 Home Premium x64 | 9.4 TS1M6 | |||
| Windows 7 Professional 32 bit | 9.4 TS1M6 | |||
| Windows 7 Professional x64 | 9.4 TS1M6 | |||
| Windows 7 Ultimate 32 bit | 9.4 TS1M6 | |||
| Windows 7 Ultimate x64 | 9.4 TS1M6 | |||
| 64-bit Enabled AIX | 9.4 TS1M6 | |||
| 64-bit Enabled Solaris | 9.4 TS1M6 | |||
| HP-UX IPF | 9.4 TS1M6 | |||
| Linux for x64 | 9.4 TS1M6 | |||
| Solaris for x64 | 9.4 TS1M6 | |||
Viya on Linux: An update for this issue is available for SAS Viya 3.5. For instructions on how to access and apply software updates, see the Updating Your SAS Viya software section in the SAS Viya 3.5 for Linux Deployment Guide at
http://documentation.sas.com/?softwareId=administration&softwareVersion=3.5&softwareContextId=softwareUpdatesA fix for this issue for Base SAS 9.4_M7 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/I9R.html#68712| Type: | Problem Note |
| Priority: | high |
| Topic: | Common Programming Tasks ==> Reading and Writing External Data ==> with PROC IMPORT Common Programming Tasks ==> Reading and Writing External Data ==> EFI Common Programming Tasks ==> Reading and Writing External Data ==> Import Wizard |
| Date Modified: | 2021-12-23 09:12:39 |
| Date Created: | 2021-12-20 09:37:55 |