Debian Bug report logs - #438855
firebird1.x is not supported by upstream any more

Package: firebird1.5; Maintainer for firebird1.5 is (unknown);

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Wed, 11 Jul 2007 19:15:01 UTC

Owned by: Damyan Ivanov <dmn@debian.org>

Severity: serious

Tags: security

Done: Damyan Ivanov <dmn@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#432753; Package firebird1.5. (full text, mbox, link).


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2006-7211 to 7214 : unfixed in firebird1.5
Date: Wed, 11 Jul 2007 21:13:05 +0200
Package: firebird1.5
Severity: normal
Tags: security


These issues are reported to be fixed in 2.0, but I can't find any references in
the changelogs that they are fixed in 1.5:


CVE-2006-7214

Multiple unspecified vulnerabilities in Firebird 1.5 allow remote attackers to
(1) cause a denial of service (application crash) by sending many remote
protocol versions; and (2) cause a denial of service (connection drop) via
certain network traffic, as demonstrated by Nessus vulnerability scanning.

CVE-2006-7213

Firebird 1.5 allows remote authenticated users without SYSDBA and owner
permissions to overwrite a database by creating a database.

CVE-2006-7212

Multiple buffer overflows in Firebird 1.5, one of which affects WNET, have
unknown impact and attack vectors. NOTE: this issue might overlap CVE-2006-1240.

CVE-2006-7211

fb_lock_mgr in Firebird 1.5 uses weak permissions (0666) for the semaphore
array, which allows local users to cause a denial of service (blocked query
processing) by locking semaphores.



http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7211
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7212
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7213
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7214





Message #10 received at 432753@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@sfritsch.de>
To: 432753@bugs.debian.org
Subject: CVE-2006-7211 already fixed
Date: Wed, 11 Jul 2007 21:19:19 +0200
Hi,

it seems I was wrong about CVE-2006-7211, which is probably #362001 
fixed in 1.5.3.4870-4.

Cheers,
Stefan





Message #15 received at 432753@bugs.debian.org (full text, mbox, reply):

From: Damyan Ivanov <dam@modsoftsys.com>
To: Stefan Fritsch <sf@sfritsch.de>, 432753@bugs.debian.org
Subject: Re: [pkg-firebird-general] Bug#432753: CVE-2006-7211 already fixed
Date: Thu, 12 Jul 2007 13:49:21 +0300
-=| Stefan Fritsch, 11.07.2007 22:19 |=-

Hi, Stefan,

Thank you very much for taking time to investigate these CVEs.

> it seems I was wrong about CVE-2006-7211, which is probably #362001 
> fixed in 1.5.3.4870-4.

One less. This is good :)

If you have time, you may want to take a look at
http://bugs.debian.org/src:firebird2

firebird2 was renamed to firebird1.5 after Etch release.

I am with limited connectivity until the end of the week.

If I may add one more wish, can you try to reproduce these bugs with
current firebird1.5 packages? Note there are two flavours -
firebird1.5-super and firebird1.5-classic.

Thanks again,
	dam
-- 
Damyan Ivanov            JabberID: dam@jabber.minus273.org





Message #20 received at 432753@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Damyan Ivanov <dam@modsoftsys.com>
Cc: Stefan Fritsch <sf@sfritsch.de>, 432753@bugs.debian.org
Subject: Re: [pkg-firebird-general] Bug#432753: CVE-2006-7211 already fixed
Date: Mon, 13 Aug 2007 00:49:59 +0200
Damyan Ivanov wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> - -=| Stefan Fritsch, 11.07.2007 22:19 |=-
> 
> Hi, Stefan,
> 
> Thank you very much for taking time to investigate these CVEs.

It's been a month now. Is firebird in stable affected?

If you can't figure it out yourself as the maintainer you need to
contact upstream.

Cheers,
        Moritz





Message #25 received at 432753@bugs.debian.org (full text, mbox, reply):

From: Damyan Ivanov <dam@modsoftsys.com>
To: firebird-devel@lists.sourceforge.net
Cc: 432753@bugs.debian.org
Subject: Old 1.5 security issues question
Date: Tue, 14 Aug 2007 23:33:07 +0300
Dear Firebird developers,

I've got a bug report for the debian packages for firebird 1.5 that I
can't handle myself. I would be grateful for some insights.

http://bugs.debian.org/432753

There is some uncertainty about four CVE issues with regard of their
presence in Firebird 1.5.3.

Two of these
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7213
    CVE-2006-7213
    Firebird 1.5 allows remote authenticated users without SYSDBA and
    owner permissions to overwrite a database by creating a database.
and
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7211
    CVE-2006-7211
    fb_lock_mgr in Firebird 1.5 uses weak permissions (0666) for the
    semaphore array, which allows local users to cause a denial of
    service (blocked query processing) by locking semaphores.
are unreproducible with Debian packages and thus are not that interesting.

The other two, however are rather unclear as of how to reproduce or
whether they are fixed in 1.5.3 (or 1.5.4) so I'd appreciate your comments:

    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7214
    CVE-2006-7214
    Multiple unspecified vulnerabilities in Firebird 1.5 allow remote
    attackers to (1) cause a denial of service (application crash) by
    sending many remote protocol versions; and (2) cause a denial of
    service (connection drop) via certain network traffic, as
    demonstrated by Nessus vulnerability scanning.

    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7212
    CVE-2006-7212
    Multiple buffer overflows in Firebird 1.5, one of which affects
    WNET, have unknown impact and attack vectors. NOTE: this issue might
    overlap CVE-2006-1240.

As far as I can tell, the existence of the issues is deduced from
firebird 2.0 release notes, which are not very clear about what exactly
the problem is and how to reproduce it.

Your comments are much appreciated. Please carbon-copy
432753@bugs.debian.org in your replies.
-- 
dam                   JabberID: dam@jabber.minus273.org






Message #30 received at 432753@bugs.debian.org (full text, mbox, reply):

From: Alex Peshkov <peshkoff@mail.ru>
To: firebird-devel@lists.sourceforge.net
Cc: 432753@bugs.debian.org
Subject: Re: [Firebird-devel] Old 1.5 security issues question
Date: Wed, 15 Aug 2007 10:32:22 +0400
On Wednesday 15 August 2007 00:33, Damyan Ivanov wrote:
> Dear Firebird developers,
>
> I've got a bug report for the debian packages for firebird 1.5 that I
> can't handle myself. I would be grateful for some insights.
>

//....

> The other two, however are rather unclear as of how to reproduce or
> whether they are fixed in 1.5.3 (or 1.5.4) so I'd appreciate your comments:

In brief - firebird 1.5 is not supported any more. It was decided not to have 
any more point releases of it.

>     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7214
>     CVE-2006-7214
>     Multiple unspecified vulnerabilities in Firebird 1.5 allow remote
>     attackers to (1) cause a denial of service (application crash) by
>     sending many remote protocol versions; and (2) cause a denial of
>     service (connection drop) via certain network traffic, as
>     demonstrated by Nessus vulnerability scanning.

This one in theory can be fixed - backporting from HEAD is possible.

>     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7212
>     CVE-2006-7212
>     Multiple buffer overflows in Firebird 1.5, one of which affects
>     WNET, have unknown impact and attack vectors. NOTE: this issue might
>     overlap CVE-2006-1240.

They are so multiple that it's close to impossible to backport them. Moreover, 
fixes for some of them are based on new collection of classes, introduced in 
2.0. I.e. firebird after fixing all BOFs will not be 1.5 any more :)

> As far as I can tell, the existence of the issues is deduced from
> firebird 2.0 release notes, which are not very clear about what exactly
> the problem is and how to reproduce it.
>
> Your comments are much appreciated. Please carbon-copy
> 432753@bugs.debian.org in your replies.

Alex.





Message #35 received at 432753@bugs.debian.org (full text, mbox, reply):

From: Damyan Ivanov <dam@modsoftsys.com>
To: firebird-devel@lists.sourceforge.net
Cc: 432753@bugs.debian.org
Subject: Re: [Firebird-devel] Old 1.5 security issues question
Date: Wed, 15 Aug 2007 10:05:15 +0300
[please keep Cc: 432753@bugs.debian.org as before. Thanks!]

Hi, Alex,

Thank you for taking time to reply.

-=| Alex Peshkov, 15.08.2007 09:32 |=-
> On Wednesday 15 August 2007 00:33, Damyan Ivanov wrote:

> In brief - firebird 1.5 is not supported any more. It was decided not to have 
> any more point releases of it.

Understood.

>>     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7214
>>     CVE-2006-7214
>>     Multiple unspecified vulnerabilities in Firebird 1.5 allow remote
>>     attackers to (1) cause a denial of service (application crash) by
>>     sending many remote protocol versions; and (2) cause a denial of
>>     service (connection drop) via certain network traffic, as
>>     demonstrated by Nessus vulnerability scanning.
> 
> This one in theory can be fixed - backporting from HEAD is possible.

OK. I don't require that you make the porting. I just need some clues
about what exactly the problems are (instructions how to reproduce them
would be nice) and where to look at for fixes. Is this feasible?
I really would not want to take too much time from you.

>>     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7212
>>     CVE-2006-7212
>>     Multiple buffer overflows in Firebird 1.5, one of which affects
>>     WNET, have unknown impact and attack vectors. NOTE: this issue might
>>     overlap CVE-2006-1240.
> 
> They are so multiple that it's close to impossible to backport them. Moreover, 
> fixes for some of them are based on new collection of classes, introduced in 
> 2.0. I.e. firebird after fixing all BOFs will not be 1.5 any more :)

I see. Unfortunately we can't just drop 2.0 as a replacement for 1.5 in
Debian/stable, because "stable" is meant to not offer *any* surprises
and migration from 1.5 to 2.0 is far from trivial.

Can you estimate to what extent 1.5.4 suffers from this, compared to 1.5.3?
-- 
dam            JabberID: dam@jabber.minus273.org





Message #40 received at 432753@bugs.debian.org (full text, mbox, reply):

From: Alex Peshkov <peshkoff@mail.ru>
To: firebird-devel@lists.sourceforge.net
Cc: 432753@bugs.debian.org
Subject: Re: [Firebird-devel] Old 1.5 security issues question
Date: Wed, 15 Aug 2007 11:27:39 +0400
On Wednesday 15 August 2007 11:05, Damyan Ivanov wrote:
> >>     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7214
> >>     CVE-2006-7214
> >>     Multiple unspecified vulnerabilities in Firebird 1.5 allow remote
> >>     attackers to (1) cause a denial of service (application crash) by
> >>     sending many remote protocol versions; and (2) cause a denial of
> >>     service (connection drop) via certain network traffic, as
> >>     demonstrated by Nessus vulnerability scanning.
> >
> > This one in theory can be fixed - backporting from HEAD is possible.
>
> OK. I don't require that you make the porting. I just need some clues
> about what exactly the problems are (instructions how to reproduce them
> would be nice) and where to look at for fixes. Is this feasible?
> I really would not want to take too much time from you.

No. 1 is especially dangerous because it is easy to reproduce (with 2.0 I
failed to kill the server with Nessus - maybe I did not run it long enough).
There is a fixed-size (CNCT_VERSIONS) plain-C array p_cnct_versions (see
op_connect in protocol.cpp, bool_t xdr_protocol(XDR* xdrs, PACKET* p)). I
think that comparing the one from 1.5 with HEAD will give you a clear idea of
what happens. To reliably reproduce the issue I built a special client that
sent >10 kinds of suggested protocol to the server. I did not keep it
after fixing the bug.

> >>     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7212
> >>     CVE-2006-7212
> >>     Multiple buffer overflows in Firebird 1.5, one of which affects
> >>     WNET, have unknown impact and attack vectors. NOTE: this issue might
> >>     overlap CVE-2006-1240.
> >
> > They are so multiple that it's close to impossible to backport them.
> > Moreover, fixes for some of them are based on new collection of classes,
> > introduced in 2.0. I.e. firebird after fixing all BOFs will not be 1.5
> > any more :)
>
> I see. Unfortunately we can't just drop 2.0 as a replacement for 1.5 in
> Debian/stable, because "stable" is meant to not offer *any* surprises
> and migration from 1.5 to 2.0 is far from trivial.
>
> Can you estimate to what extent 1.5.4 suffers from this, compared to
> 1.5.3?

Some are fixed, most not.
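
The failure mode described in message #40 (a peer-supplied count of offered protocol versions decoded into a fixed-size array) is shown below as an added example; it is not part of the thread and is not Firebird's code. The struct layout, function names and the value 10 for CNCT_VERSIONS are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed capacity: the thread only says >10 offered protocols was enough. */
#define CNCT_VERSIONS 10

/* Hypothetical, simplified entry; the real connect packet carries more. */
struct cnct_entry { uint32_t version; uint32_t weight; };

struct connect_req {
    uint32_t count;
    struct cnct_entry versions[CNCT_VERSIONS];   /* fixed-size plain-C array */
};

enum { DECODE_OK = 0, DECODE_TRUNCATED = -1, DECODE_TOO_MANY = -2 };

/* Read one XDR-style big-endian 32-bit value; 0 if the buffer is too short. */
static int read_u32(const uint8_t *buf, size_t len, size_t *off, uint32_t *out)
{
    if (len - *off < 4)          /* *off never exceeds len */
        return 0;
    *out = ((uint32_t)buf[*off] << 24) | ((uint32_t)buf[*off + 1] << 16) |
           ((uint32_t)buf[*off + 2] << 8) | (uint32_t)buf[*off + 3];
    *off += 4;
    return 1;
}

/* Decode "count, then count entries". An unchecked decoder would loop
   `count` times into versions[] and write past the array when the peer
   offers more than CNCT_VERSIONS entries. */
int decode_connect(const uint8_t *buf, size_t len, struct connect_req *req)
{
    struct connect_req tmp;
    size_t off = 0;
    uint32_t count, i;

    memset(req, 0, sizeof *req);
    memset(&tmp, 0, sizeof tmp);
    if (!read_u32(buf, len, &off, &count))
        return DECODE_TRUNCATED;
    if (count > CNCT_VERSIONS)   /* the bound a peer-supplied count needs */
        return DECODE_TOO_MANY;
    for (i = 0; i < count; i++) {
        if (!read_u32(buf, len, &off, &tmp.versions[i].version) ||
            !read_u32(buf, len, &off, &tmp.versions[i].weight))
            return DECODE_TRUNCATED;
    }
    tmp.count = count;
    *req = tmp;                  /* publish only a fully validated request */
    return DECODE_OK;
}

static void put_u32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Constructed sample input: a packet offering `count` versions. */
size_t build_offer(uint8_t *out, size_t cap, uint32_t count)
{
    size_t need = 4 + (size_t)count * 8;
    uint32_t i;
    if (need > cap) return 0;
    put_u32(out, count);
    for (i = 0; i < count; i++) {
        put_u32(out + 4 + i * 8, i + 1);   /* version */
        put_u32(out + 8 + i * 8, 1);       /* weight */
    }
    return need;
}

int main(void)
{
    uint8_t pkt[4 + 8 * 16];
    struct connect_req req;
    uint32_t offers[] = { 3, CNCT_VERSIONS, CNCT_VERSIONS + 1 };
    for (size_t k = 0; k < 3; k++) {
        size_t n = build_offer(pkt, sizeof pkt, offers[k]);
        printf("offer %u -> %d\n", (unsigned)offers[k], decode_connect(pkt, n, &req));
    }
    return 0;
}
```
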





Message #45 received at 432753@bugs.debian.org (full text, mbox, reply):

From: Adriano dos Santos Fernandes <adrianosf@uol.com.br>
To: firebird-devel@lists.sourceforge.net
Cc: 432753@bugs.debian.org
Subject: Re: [Firebird-devel] Old 1.5 security issues question
Date: Wed, 15 Aug 2007 07:31:48 -0300
Damyan Ivanov escreveu:
> Dear Firebird developers,
>
> I've got a bug report for the debian packages for firebird 1.5 that I
> can't handle myself. I would be grateful for some insights.
>
> http://bugs.debian.org/432753
>
> There is some uncertainty about four CVE issues with regard of their
> presence in Firebird 1.5.3.
>
> Two of these
>     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7213
>     CVE-2006-7213
>     Firebird 1.5 allows remote authenticated users without SYSDBA and
>     owner permissions to overwrite a database by creating a database.
>   
SF #1155520 - Any user can replace databases created by others


Adriano






Message #50 received at 432753@bugs.debian.org (full text, mbox, reply):

From: Damyan Ivanov <dam@modsoftsys.com>
To: adrianosf@uol.com.br
Cc: 432753@bugs.debian.org
Subject: Re: [pkg-firebird-general] Bug#432753: [Firebird-devel] Old 1.5 security issues question
Date: Wed, 15 Aug 2007 15:09:57 +0300
-=| Adriano dos Santos Fernandes, 15.08.2007 13:31 |=-
>>     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7213
>>     CVE-2006-7213
>>     Firebird 1.5 allows remote authenticated users without SYSDBA and
>>     owner permissions to overwrite a database by creating a database.
>> 
> SF #1155520 - Any user can replace databases created by others

Thanks, Adriano for the pointer.

I looked this up in CVS and I must admit that the change is not present
in 1.5.3 (stable) *and* 1.5.4 (unstable/testing). The code also gave me
a different attack vector. I'll try reproducing this soon.

Note to self: try to replace existing database with "gbak -r", being
non-owner, non-sysdba user.
-- 
dam            JabberID: dam@jabber.minus273.org




Message #55 received at 432753@bugs.debian.org (full text, mbox, reply):

From: Damyan Ivanov <dam@modsoftsys.com>
To: 432753@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: [pkg-firebird-general] Bug#432753: CVE-2006-7211 to 7214 : unfixed in firebird1.5
Date: Mon, 20 Aug 2007 13:29:03 +0300
clone 432753 -1 -2
retitle -2 firebird1.x is not supported by upstream any more
severity -2 serious
thanks

-=| Stefan Fritsch, 11.07.2007 22:13 |=-
> These issues are reported to be fixed in 2.0, but I can't find any references in
> the changelogs that they are fixed in 1.5:
> 
> 
> CVE-2006-7214
> 
> Multiple unspecified vulnerabilities in Firebird 1.5 allow remote attackers to
> (1) cause a denial of service (application crash) by sending many remote
> protocol versions; and (2) cause a denial of service (connection drop) via
> certain network traffic, as demonstrated by Nessus vulnerability scanning.
> 
> CVE-2006-7213
> 
> Firebird 1.5 allows remote authenticated users without SYSDBA and owner
> permissions to overwrite a database by creating a database.
> 
> CVE-2006-7212
> 
> Multiple buffer overflows in Firebird 1.5, one of which affects WNET, have
> unknown impact and attack vectors. NOTE: this issue might overlap CVE-2006-1240.
> 
> CVE-2006-7211
> 
> fb_lock_mgr in Firebird 1.5 uses weak permissions (0666) for the semaphore
> array, which allows local users to cause a denial of service (blocked query
> processing) by locking semaphores.

Here's the current status:

The first three affect all versions of the package
(sarge-etch-lenny-sid). Note that in lenny/sid the package is renamed to
firebird1.5, sarge and etch use firebird2 name.

CVE-2006-7211 was patched locally so debian packages are not vulnerable
in all suites.

CVE-2006-7214 and CVE-2006-7212 cannot be easily fixed. The upstream
release (2.0.x) that fixes these is a major rework and back-porting
means adopting the new release (quoting upstream, my impression too).
This is practically impossible for (old)stable. Even if we want to apply
the iceweasel approach, the new upstream release requires migration of
the databases so this is infeasible for stable/oldstable.

CVE-2006-7213 can be fixed by the patch based on that change

http://firebird.cvs.sourceforge.net/firebird/firebird2/src/jrd/jrd.cpp?r1=1.206&r2=1.207

I've consulted with upstream and decided to schedule firebird1.5 for
removal from unstable/testing because it is no longer supported by them.

I guess removing firebird2 from stable/oldstable is not an option? :/

I can prepare packages that fix CVE-2006-7213 for etch and sarge.
-7212 and -7214 can't be fixed, though. What do we do?
-- 
dam            JabberID: dam@jabber.minus273.org


Bug 432753 cloned as bugs 438854, 438855. Request was from Damyan Ivanov <dam@modsoftsys.com> to control@bugs.debian.org. (Mon, 20 Aug 2007 10:30:05 GMT) (full text, mbox, link).


Changed Bug title to `firebird1.x is not supported by upstream any more' from `CVE-2006-7211 to 7214 : unfixed in firebird1.5'. Request was from Damyan Ivanov <dam@modsoftsys.com> to control@bugs.debian.org. (Mon, 20 Aug 2007 10:30:09 GMT) (full text, mbox, link).


Severity set to `serious' from `normal' Request was from Damyan Ivanov <dam@modsoftsys.com> to control@bugs.debian.org. (Mon, 20 Aug 2007 10:30:09 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#438855; Package firebird1.5. (full text, mbox, link).


Acknowledgement sent to Damyan Ivanov <dmn@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. (full text, mbox, link).


Message #66 received at 438855@bugs.debian.org (full text, mbox, reply):

From: Damyan Ivanov <dmn@debian.org>
To: control@bugs.debian.org
Cc: 438854@bugs.debian.org, 438855@bugs.debian.org
Subject: merging 438854 438855
Date: Mon, 20 Aug 2007 13:35:58 +0300
# Automatically generated email from bts, devscripts version 2.10.7
# I needed one clone
merge 438854 438855




Owner recorded as Damyan Ivanov <dmn@debian.org>. Request was from Damyan Ivanov <dmn@debian.org> to control@bugs.debian.org. (Mon, 20 Aug 2007 10:39:05 GMT) (full text, mbox, link).


Reply sent to Damyan Ivanov <dmn@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. (full text, mbox, link).


Message #73 received at 438855-done@bugs.debian.org (full text, mbox, reply):

From: Damyan Ivanov <dmn@debian.org>
To: 446472-done@bugs.debian.org, 446475-done@bugs.debian.org, 446373-done@bugs.debian.org, 438855-done@bugs.debian.org, 432753-done@bugs.debian.org
Subject: Closing security bugs of removed firebird1.5
Date: Fri, 23 Nov 2007 07:59:50 +0200
With the removal of firebird1.5 from the archive, its security bugs are
no longer a concern.

firebird1.5 is removed as upstream has no intent of providing any kind
of support to it, including security support.
-- 
dam            JabberID: dam@jabber.minus273.org

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 21 Dec 2007 07:31:07 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 03:41:24 2023; Machine Name: buxtehude
