Debian Bug report logs - #357580
firebird2-*-server: remotely crashable


Packages: libfbembed1, firebird2-super-server; Maintainer for libfbembed1 is (unknown); Maintainer for firebird2-super-server is (unknown);

Reported by: Damyan Ivanov <divanov@creditreform.bg>

Date: Sat, 18 Mar 2006 10:03:02 UTC

Severity: critical

Tags: fixed-upstream, help, security, upstream

Fixed in version firebird2/1.5.3.4870-3

Done: Damyan Ivanov <divanov@creditreform.bg>

Bug is archived. No further changes may be made.

Forwarded to http://sourceforge.net/tracker/index.php?func=detail&aid=1282031&group_id=9028&atid=109028




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#357580; Package firebird2-super-server,firebird2-classic-server. Full text and rfc822 format available.

Acknowledgement sent to Damyan Ivanov <divanov@creditreform.bg>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Damyan Ivanov <divanov@creditreform.bg>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: firebird2-*-server: remotely crashable
Date: Sat, 18 Mar 2006 11:50:57 +0200
Package: firebird2-super-server,firebird2-classic-server
Version: 1.5.3.4870-2
Severity: critical
Tags: security help
Justification: root security hole

As noted in [1], fbserver (the daemon listening for TCP, found in
firebird2-super-server, source package firebird2) crashes if given a
database name that is too long. The crash occurs *before* authentication
and thus does not require knowledge of a valid database user/password.

[1]
https://sourceforge.net/tracker/?func=detail&atid=109028&aid=1282031&group_id=9028

securityfocus' advisory[2] claims version 1.5 is not vulnerable, but
I've just reproduced the crash using 1.5.2-10 that is in Debian/sarge
and etch. Upstream claimed[1] that this is fixed in 1.5.3, but I can
still reproduce it with 1.5.3.4870-2 from yesterday, which was supposed
to fix other (local) buffer overflows (see #357173).

[2] http://www.securityfocus.com/bid/10446/discuss

=== How to reproduce ===

$ gsec -database localhost:`perl -e'print ("A"x300)'` \
  -user doesnt -passwd matter
invalid switch specified
error in switch specifications
Unable to complete network request to host "localhost".
Error reading data from the connection.
unable to open database

"Unable to complete network request" usually means that the server has
crashed. And indeed, looking at /var/log/firebird.log gives:

amd64 (Client)  Sat Mar 18 10:52:19 2006
 /usr/lib/firebird2/bin/fbguard: bin/fbserver terminated abnormally (-1)

So the server has crashed.

============

Same happens with firebird2-classic-server, only there is nothing in
firebird.log

I have yet to verify the pristine upstream builds (without debian patches)
and report it to upstream. Any help for these tasks from people knowing
firebird (preferably subscribed to firebird-devel) is warmly
appreciated.


---
dam


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.13+reiser4+dam.1
Locale: LANG=bg_BG.UTF-8, LC_CTYPE=bg_BG.UTF-8 (charmap=UTF-8)

Versions of packages firebird2-super-server depends on:
ii  adduser                     3.85         Add and remove users and groups
ii  firebird2-server-common     1.5.3.4870-2 Common files for Firebird - an RDB
ii  libc6                       2.3.6-3      GNU C Library: Shared libraries an
ii  libfbclient1                1.5.3.4870-2 Firebird client library
ii  libgcc1                     1:4.0.3-1    GCC support library
ii  libncurses5                 5.5-1        Shared libraries for terminal hand
ii  libstdc++6                  4.0.3-1      The GNU Standard C++ Library v3

firebird2-super-server recommends no packages.



Tags added: Request was from Damyan Ivanov <divanov@creditreform.bg> to control@bugs.debian.org. Full text and rfc822 format available.

Noted your statement that Bug has been forwarded to http://sourceforge.net/tracker/index.php?func=detail&aid=1282031&group_id=9028&atid=109028. Request was from Damyan Ivanov <divanov@creditreform.bg> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: upstream Request was from Damyan Ivanov <divanov@creditreform.bg> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as found in version 1.5.1-4. Request was from Damyan Ivanov <divanov@creditreform.bg> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#357580; Package firebird2-super-server,firebird2-classic-server. Full text and rfc822 format available.

Acknowledgement sent to Damyan Ivanov <divanov@creditreform.bg>:
Extra info received and forwarded to list. Copy sent to Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #18 received at 357580@bugs.debian.org (full text, mbox):

From: Damyan Ivanov <divanov@creditreform.bg>
To: 357580@bugs.debian.org
Cc: team@security.debian.org, control@bugs.debian.org
Subject: firebird2-*-server: remotely crashable
Date: Mon, 20 Mar 2006 13:03:36 +0200
[Message part 1 (text/plain, inline)]
reassign 357580 firebird2-super-server,libfbembed1
thanks

Hi,

Here's a patch that fixes the crash. The fix is
rather ugly IMHO, but this is what upstream proposed.

Please apply it to stable version of firebird2.

Unstable package is due for upload.

More information (discovery, reproduction) on
http://bugs.debian.org/358580


Thanks,
dam
-- 
Damyan Ivanov                              Creditreform Bulgaria
divanov@creditreform.bg              http://www.creditreform.bg/
phone: +359(2)928-2611, 929-3993            fax: +359(2)920-0994
mob. +359(88)856-6067               dam@jabber.minus273.org/Gaim
[security-remote-preauth-crash.dpatch (text/plain, inline)]
#! /bin/sh /usr/share/dpatch/dpatch-run
## security-remote-preauth-crash.dpatch by  <divanov@creditreform.bg>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.

@DPATCH@
diff -urNad firebird2-1.5.3.4870~/src/jrd/unix.cpp firebird2-1.5.3.4870/src/jrd/unix.cpp
--- firebird2-1.5.3.4870~/src/jrd/unix.cpp	2004-03-29 06:50:11.000000000 +0300
+++ firebird2-1.5.3.4870/src/jrd/unix.cpp	2006-03-20 11:46:53.000000000 +0200
@@ -643,6 +643,8 @@
 	if (string) {
 		ptr = string;
 		if (length) {
+                        if (length >= sizeof(temp)) length = sizeof(temp) - 1;
+
 			MOVE_FAST(string, temp, length);
 			temp[length] = 0;
 			ptr = temp;
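Review bot: the added clamp silently truncates an over-long `string` to `sizeof(temp) - 1` bytes and then continues into `MOVE_FAST(string, temp, length)`, so a request naming a database longer than `temp` is not rejected but resolved under a different, shorter name; on a path that runs before authentication, returning an error for `length >= sizeof(temp)` would be the safer behaviour. The new line is also indented with spaces where the surrounding block uses tabs.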
@@ -651,6 +653,8 @@
 	else {
 		ptr = file_name;
 		if (file_length) {
+                        if (file_length >= sizeof(temp)) file_length = sizeof(temp) - 1;
+
 			MOVE_FAST(file_name, temp, file_length);
 			temp[file_length] = 0;
 			ptr = temp;
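Review bot: `sizeof(temp)` only bounds the copy correctly if `temp` is a local array of this function; its declaration is outside the hunk, so please confirm it is not a pointer parameter, where `sizeof` would yield the pointer size and the check would pass over-long input. The same clamp is now duplicated for `file_length` here and for `length` in the `string` branch above; one bounded-copy helper used by both branches would keep them from drifting apart.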
[signature.asc (application/pgp-signature, attachment)]
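Added example, not code from the bug report or from Firebird: it models the copy the dpatch above bounds, with the clamp upstream proposed beside a stricter check that rejects the name instead of truncating it. TEMP_SIZE is an assumed buffer size, since the page does not show the declaration of `temp`.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed buffer 'temp' in src/jrd/unix.cpp; the real
   size is not on the page, any fixed value shows the point. */
#define TEMP_SIZE 256

/* Upstream-style fix from the dpatch: clamp the untrusted length so the copy
   (MOVE_FAST upstream) cannot run past 'temp'; the name is silently cut to
   TEMP_SIZE - 1 bytes. The bound is the macro, not sizeof(temp): an array
   parameter decays to a pointer, so sizeof would give the pointer size. */
size_t copy_name_clamped(const char *name, size_t length, char *temp)
{
    if (length >= TEMP_SIZE)
        length = TEMP_SIZE - 1;  /* mirrors the added line in the dpatch */
    memcpy(temp, name, length);  /* MOVE_FAST(string, temp, length) */
    temp[length] = 0;
    return length;
}

/* Stricter variant (not what upstream shipped): reject an over-long name
   instead of truncating, so the request fails rather than being resolved
   under a different, shorter path. Returns -1 on rejection. */
int copy_name_strict(const char *name, size_t length, char *temp)
{
    if (length >= TEMP_SIZE)
        return -1;
    memcpy(temp, name, length);
    temp[length] = 0;
    return (int)length;
}

/* Feeds both variants the reporter's input, 300 bytes of 'A' (constructed
   here, the same as perl -e 'print ("A"x300)'). Stores the clamped length
   in *clamped and returns the strict result. */
int demo_300_a(size_t *clamped)
{
    char name[300], temp[TEMP_SIZE];
    memset(name, 'A', sizeof name);
    *clamped = copy_name_clamped(name, sizeof name, temp);
    return copy_name_strict(name, sizeof name, temp);
}

int main(void)
{
    size_t kept;
    int strict = demo_300_a(&kept);
    printf("clamped copy keeps %zu bytes, strict check returns %d\n", kept, strict);
    return 0;
}
```

With the 300-byte name the clamped copy keeps 255 bytes and goes on to open that truncated path, while the strict check returns -1 and the request stops there.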

Bug reassigned from package `firebird2-super-server,firebird2-classic-server' to `firebird2-super-server,libfbembed1'. Request was from Damyan Ivanov <divanov@creditreform.bg> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Damyan Ivanov <divanov@creditreform.bg>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Damyan Ivanov <divanov@creditreform.bg>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #25 received at 357580-close@bugs.debian.org (full text, mbox):

From: Damyan Ivanov <divanov@creditreform.bg>
To: 357580-close@bugs.debian.org
Subject: Bug#357580: fixed in firebird2 1.5.3.4870-3
Date: Mon, 20 Mar 2006 08:17:13 -0800
Source: firebird2
Source-Version: 1.5.3.4870-3

We believe that the bug you reported is fixed in the latest version of
firebird2, which is due to be installed in the Debian FTP archive:

firebird2-classic-server_1.5.3.4870-3_i386.deb
  to pool/main/f/firebird2/firebird2-classic-server_1.5.3.4870-3_i386.deb
firebird2-dev_1.5.3.4870-3_i386.deb
  to pool/main/f/firebird2/firebird2-dev_1.5.3.4870-3_i386.deb
firebird2-examples_1.5.3.4870-3_i386.deb
  to pool/main/f/firebird2/firebird2-examples_1.5.3.4870-3_i386.deb
firebird2-server-common_1.5.3.4870-3_i386.deb
  to pool/main/f/firebird2/firebird2-server-common_1.5.3.4870-3_i386.deb
firebird2-super-server_1.5.3.4870-3_i386.deb
  to pool/main/f/firebird2/firebird2-super-server_1.5.3.4870-3_i386.deb
firebird2-utils-classic_1.5.3.4870-3_i386.deb
  to pool/main/f/firebird2/firebird2-utils-classic_1.5.3.4870-3_i386.deb
firebird2-utils-super_1.5.3.4870-3_i386.deb
  to pool/main/f/firebird2/firebird2-utils-super_1.5.3.4870-3_i386.deb
firebird2_1.5.3.4870-3.diff.gz
  to pool/main/f/firebird2/firebird2_1.5.3.4870-3.diff.gz
firebird2_1.5.3.4870-3.dsc
  to pool/main/f/firebird2/firebird2_1.5.3.4870-3.dsc
libfbclient1_1.5.3.4870-3_i386.deb
  to pool/main/f/firebird2/libfbclient1_1.5.3.4870-3_i386.deb
libfbembed1_1.5.3.4870-3_i386.deb
  to pool/main/f/firebird2/libfbembed1_1.5.3.4870-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 357580@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Damyan Ivanov <divanov@creditreform.bg> (supplier of updated firebird2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Mon, 20 Mar 2006 11:55:19 +0200
Source: firebird2
Binary: firebird2-utils-classic libfbclient1 firebird2-super-server libfbembed1 firebird2-dev firebird2-server-common firebird2-utils-super firebird2-examples firebird2-classic-server
Architecture: source i386
Version: 1.5.3.4870-3
Distribution: unstable
Urgency: high
Maintainer: Damyan Ivanov <divanov@creditreform.bg>
Changed-By: Damyan Ivanov <divanov@creditreform.bg>
Description: 
 firebird2-classic-server - Firebird Classic Server - an RDBMS based on InterBase 6.0 code
 firebird2-dev - Development files for Firebird - an RDBMS based on InterBase 6.0 
 firebird2-examples - Examples for Firebird - an RDBMS based on InterBase 6.0 code
 firebird2-server-common - Common files for Firebird - an RDBMS based on InterBase 6.0 code
 firebird2-super-server - Firebird Super Server - an RDBMS based on InterBase 6.0 code
 firebird2-utils-classic - Utilities for Firebird - an RDBMS based on InterBase 6.0 code
 firebird2-utils-super - Utilities for Firebird - an RDBMS based on InterBase 6.0 code
 libfbclient1 - Firebird client library
 libfbembed1 - Firebird embedded client/server library
Closes: 357580
Changes: 
 firebird2 (1.5.3.4870-3) unstable; urgency=high
 .
   * Urgency high due to fixed remote security vulnerability
 .
   * [security] Plumb remote pre-authentication crash. Possible code execution as
     user firebird. [src/jrd/unix.cpp]
     Closes: #357580
Files: 





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#357580; Package firebird2-super-server,libfbembed1. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #30 received at 357580@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Damyan Ivanov <divanov@creditreform.bg>
Cc: 357580@bugs.debian.org, team@security.debian.org
Subject: Re: firebird2-*-server: remotely crashable
Date: Tue, 21 Mar 2006 09:24:11 +0100
Damyan Ivanov wrote:
> Here's a patch that fixes the crash. The fix is
> rather ugly IMHO, but this is what upstream proposed.

The patch looks good.  I've requested a CVE name as well,
will upload fixed packages for sarge tonight.

Regards,

	Joey

-- 
Of course, I didn't mean that, which is why I didn't say it.
What I meant to say, I said.              -- Thomas Bushnell

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#357580; Package firebird2-super-server,libfbembed1. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #35 received at 357580@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Damyan Ivanov <divanov@creditreform.bg>
Cc: 357580@bugs.debian.org, team@security.debian.org
Subject: Re: firebird2-*-server: remotely crashable
Date: Tue, 21 Mar 2006 17:33:22 +0100
Damyan Ivanov wrote:
> Here's a patch that fixes the crash. The fix is
> rather ugly IMHO, but this is what upstream proposed.
> 
> Please apply it to stable version of firebird2.
> 
> Unstable package is due for upload.
> 
> More information (discovery, reproduction) on
> http://bugs.debian.org/358580

This is CVE-2004-2043, please mention it in the changelog when you're
doing the next upload.

Regards,

	Joey

-- 
Of course, I didn't mean that, which is why I didn't say it.
What I meant to say, I said.              -- Thomas Bushnell

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#357580; Package firebird2-super-server,libfbembed1. Full text and rfc822 format available.

Acknowledgement sent to Damyan Ivanov <divanov@creditreform.bg>:
Extra info received and forwarded to list. Copy sent to Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #40 received at 357580@bugs.debian.org (full text, mbox):

From: Damyan Ivanov <divanov@creditreform.bg>
To: Martin Schulze <joey@infodrom.org>
Cc: 357580@bugs.debian.org, team@security.debian.org
Subject: Re: firebird2-*-server: remotely crashable
Date: Tue, 21 Mar 2006 20:05:08 +0200

Martin Schulze wrote:
> This is CVE-2004-2043, please mention it in the changelog when you're

Great! Thanks.

> doing the next upload.

Sure.


-- 
dam



Tags added: fixed-upstream Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 20:54:05 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 08:00:02 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.