Debian Bug report logs - #441405
Several Firebird vulnerabilities discovered

Package: firebird2.0; Maintainer for firebird2.0 is (unknown);

Reported by: Thijs Kinkhorst <thijs@debian.org>

Date: Sun, 9 Sep 2007 14:12:01 UTC

Severity: grave

Tags: security

Fixed in version firebird2.0/2.0.3.12981.ds1-1

Done: Damyan Ivanov <dmn@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#441405; Package firebird2.0. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: submit@bugs.debian.org
Subject: Several Firebird vulnerabilities discovered
Date: Sun, 9 Sep 2007 16:08:29 +0200
[Message part 1 (text/plain, inline)]
Package: firebird2.0
Severity: grave
Tags: security


Hi,

Several new vulnerabilities have been discovered and fixed in Firebird. The 
following are reported:

CVE-2007-3527: Integer overflow in Firebird 2.0.0 allows remote authenticated 
users to cause a denial of service (CPU consumption) via certain database 
operations with multi-byte character sets that trigger an attempt to use the 
value 65536 for a 16-bit integer, which is treated as 0 and causes an 
infinite loop on zero-length data.

CVE-2007-4664: Unspecified vulnerability in the (1) attach database and (2) 
create database functionality in Firebird before 2.0.2, when a filename 
exceeds MAX_PATH_LEN, has unknown impact and attack vectors, aka CORE-1405.

CVE-2007-4665: Unspecified vulnerability in the server in Firebird before 
2.0.2 allows remote attackers to cause a denial of service (daemon crash) via 
an XNET session that makes multiple simultaneous requests to register events, 
aka CORE-1403.

CVE-2007-4666: Unspecified vulnerability in the server in Firebird before 
2.0.2, when a Superserver/TCP/IP environment is configured, allows remote 
attackers to cause a denial of service (CPU and memory consumption) 
via "large network packets with garbage", aka CORE-1397. 

CVE-2007-4667: Unspecified vulnerability in the Services API in Firebird 
before 2.0.2 allows remote attackers to cause a denial of service, aka 
CORE-1149.

CVE-2007-4668: Unspecified vulnerability in the server in Firebird before 
2.0.2 allows remote attackers to determine the existence of arbitrary files, 
and possibly obtain other "file access," via unknown vectors, aka CORE-1312.

CVE-2007-4669: The Services API in Firebird before 2.0.2 allows remote 
authenticated users without SYSDBA privileges to read the server log 
(firebird.log), aka CORE-1148.

Please see:

http://security-tracker.debian.net/tracker/source-package/firebird2.0
http://security-tracker.debian.net/tracker/source-package/firebird2
http://security-tracker.debian.net/tracker/source-package/firebird1.5

and the links from there, for detailed information on these issues.

As I see it, these are all or mostly all fixed upstream. For unstable, you 
could therefore probably suffice with uploading this new upstream release. 
Please mention any CVE id's when fixing these issues. 

For sarge and etch, it needs to be verified which ones apply and how they can 
be fixed.



thanks
Thijs

[Message part 2 (application/pgp-signature, inline)]
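
The 16-bit truncation described under CVE-2007-3527 in the report above, shown as an added C illustration; it is not part of the original bug log and is not Firebird source. The function names, the chunked-loop model and the pass cap are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model only: hypothetical names, not Firebird source code. */

/* Weak form: the byte length of a multi-byte string is narrowed to 16 bits. */
static uint16_t byte_len_unchecked(uint32_t chars, uint32_t bytes_per_char)
{
    return (uint16_t)(chars * bytes_per_char);  /* 16384 * 4 = 65536 wraps to 0 */
}

/* Hardened form: reject a length that does not fit instead of wrapping. */
static bool byte_len_checked(uint32_t chars, uint32_t bytes_per_char,
                             uint16_t *out)
{
    uint64_t total = (uint64_t)chars * bytes_per_char;
    if (total > UINT16_MAX)
        return false;
    *out = (uint16_t)total;
    return true;
}

/* Consume `total` bytes in pieces of `chunk` bytes. Returns the pass count,
 * or -1 at `max_passes`; the cap stands in for the endless loop. */
static long consume(size_t total, uint16_t chunk, long max_passes)
{
    size_t done = 0;
    long passes = 0;
    while (done < total) {
        if (passes == max_passes)
            return -1;                      /* no forward progress */
        size_t step = chunk < total - done ? chunk : total - done;
        done += step;                       /* chunk == 0 adds nothing */
        passes++;
    }
    return passes;
}

int main(void)
{
    uint16_t len = 0;
    printf("unchecked length: %u\n", (unsigned)byte_len_unchecked(16384, 4));
    printf("checked accepts 65536: %d\n", byte_len_checked(16384, 4, &len));
    printf("passes with wrapped chunk: %ld\n",
           consume(65536, byte_len_unchecked(16384, 4), 1000));
    return 0;
}
```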

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#441405; Package firebird2.0. Full text and rfc822 format available.

Acknowledgement sent to Damyan Ivanov <dam@modsoftsys.com>:
Extra info received and forwarded to list. Copy sent to Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 441405@bugs.debian.org (full text, mbox):

From: Damyan Ivanov <dam@modsoftsys.com>
To: 441405@bugs.debian.org
Subject: Re: #441405: Several Firebird vulnerabilities discovered
Date: Mon, 10 Sep 2007 10:42:46 +0300
[Message part 1 (text/plain, inline)]
tags 441405 pending
thanks

Hi, Thijs,

Thanks for taking time to follow security bulletins and reporting these
issues.

All these are supposed to be fixed in the 2.0.3 release, which I am
preparing an upload of. I'll use urgency=medium instead of high because of
two reasons:
 1) this is new upstream release (although minor)
 2) it is actually a pre-release, that is expected to be released
     without changes unless severe problems appear

Now, why not 2.0.2 then? Because there was a bad regression in it.
2.0.3 is released just to fix this.

All the issues are present in the 1.5 series (source package firebird2
in etch, source package firebird1.5 in lenny/sid), but fixing them is
not possible. There are other security issues with 1.5 series (#438855)
and fixing these is very hard as upstream no longer supports them and
backporting patches is impossible due to the severe changes between 1.5
and 2.0.

Because of the above, 1.5 series are pending removal from Debian (see
#438862)
-- 
dam            JabberID: dam@jabber.minus273.org

[signature.asc (application/pgp-signature, attachment)]

Tags added: pending Request was from Damyan Ivanov <dam@modsoftsys.com> to control@bugs.debian.org. (Mon, 10 Sep 2007 07:46:05 GMT) Full text and rfc822 format available.

Reply sent to Damyan Ivanov <dmn@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #17 received at 441405-close@bugs.debian.org (full text, mbox):

From: Damyan Ivanov <dmn@debian.org>
To: 441405-close@bugs.debian.org
Subject: Bug#441405: fixed in firebird2.0 2.0.3.12981.ds1-1
Date: Mon, 10 Sep 2007 13:17:04 +0000
Source: firebird2.0
Source-Version: 2.0.3.12981.ds1-1

We believe that the bug you reported is fixed in the latest version of
firebird2.0, which is due to be installed in the Debian FTP archive:

firebird-utils_2.0.3.12981.ds1-1_all.deb
  to pool/main/f/firebird2.0/firebird-utils_2.0.3.12981.ds1-1_all.deb
firebird2.0-classic_2.0.3.12981.ds1-1_i386.deb
  to pool/main/f/firebird2.0/firebird2.0-classic_2.0.3.12981.ds1-1_i386.deb
firebird2.0-common_2.0.3.12981.ds1-1_i386.deb
  to pool/main/f/firebird2.0/firebird2.0-common_2.0.3.12981.ds1-1_i386.deb
firebird2.0-dev_2.0.3.12981.ds1-1_all.deb
  to pool/main/f/firebird2.0/firebird2.0-dev_2.0.3.12981.ds1-1_all.deb
firebird2.0-doc_2.0.3.12981.ds1-1_all.deb
  to pool/main/f/firebird2.0/firebird2.0-doc_2.0.3.12981.ds1-1_all.deb
firebird2.0-examples_2.0.3.12981.ds1-1_all.deb
  to pool/main/f/firebird2.0/firebird2.0-examples_2.0.3.12981.ds1-1_all.deb
firebird2.0-super_2.0.3.12981.ds1-1_i386.deb
  to pool/main/f/firebird2.0/firebird2.0-super_2.0.3.12981.ds1-1_i386.deb
firebird2.0_2.0.3.12981.ds1-1.diff.gz
  to pool/main/f/firebird2.0/firebird2.0_2.0.3.12981.ds1-1.diff.gz
firebird2.0_2.0.3.12981.ds1-1.dsc
  to pool/main/f/firebird2.0/firebird2.0_2.0.3.12981.ds1-1.dsc
firebird2.0_2.0.3.12981.ds1.orig.tar.gz
  to pool/main/f/firebird2.0/firebird2.0_2.0.3.12981.ds1.orig.tar.gz
libfbclient2_2.0.3.12981.ds1-1_i386.deb
  to pool/main/f/firebird2.0/libfbclient2_2.0.3.12981.ds1-1_i386.deb
libfbembed2_2.0.3.12981.ds1-1_i386.deb
  to pool/main/f/firebird2.0/libfbembed2_2.0.3.12981.ds1-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 441405@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Damyan Ivanov <dmn@debian.org> (supplier of updated firebird2.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 10 Sep 2007 15:27:59 +0300
Source: firebird2.0
Binary: firebird-utils libfbembed2 firebird2.0-dev firebird2.0-doc libfbclient2 firebird2.0-classic firebird2.0-common firebird2.0-super firebird2.0-examples
Architecture: source all i386
Version: 2.0.3.12981.ds1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>
Changed-By: Damyan Ivanov <dmn@debian.org>
Description: 
 firebird-utils - manager for multiple Firebird utilities versions
 firebird2.0-classic - Firebird Classic Server - an RDBMS based on InterBase 6.0 code
 firebird2.0-common - common files for firebird 2.0 servers and clients
 firebird2.0-dev - Development files for Firebird - an RDBMS based on InterBase 6.0 
 firebird2.0-doc - Documentation files for firebird database version 2.0
 firebird2.0-examples - Examples for Firebird - an RDBMS based on InterBase 6.0 code
 firebird2.0-super - Firebird Super Server - an RDBMS based on InterBase 6.0 code
 libfbclient2 - Firebird client library
 libfbembed2 - Firebird embedded client/server library
Closes: 441405
Changes: 
 firebird2.0 (2.0.3.12981.ds1-1) unstable; urgency=medium
 .
   * New upstream release-candidate
   * Contains fixes for the following security issues: CVE-2007-3527,
     CVE-2007-4664, CVE-2007-4665, CVE-2007-4666, CVE-2007-4667, CVE-2007-4668,
     CVE-2007-4669.
     (Closes: #441405) -- Several Firebird vulnerabilities discovered
   * Refreshed patches
     cvs-client-crash-on-remote-shutdown.patch
     no-rpath.patch
     link-as-needed
     fix-os-detection.patch
     inet-trust-localhost.patch
     create-run-dir.patch
     use-debian-icu.patch
     use-debian-editline.patch
     cvs-powerpc-double-define.patch
   * Dropped patches not needed any more
     + link-with-g++.patch -- upstream reorg
     + cvs-common_classes_alloc.cpp-unaligned.patch -- included in the
       release
     + cvs-jrd.cpp-crash-on-srervices-and-conventional-api-usage.patch --
       included in the release
     + cvs-sparc-jrd_sort.patch -- included in the release
     + cvs-remote-alignment.patch -- included in the release
   * autoboot.patch -- re-generated
   * Updated debian/get-orig-source.sh
     + use pre-release upstream download area
   * Applied patch to Hungarian translation from Tamas TEVESZ
   * debian/make_packages.sh - deduce upstream version from debian/changelog to
     avoid the need of manually changing a variable after each new upstream
     release
   * Updated debian/watch with new pre-release URLs; more version mangling
   * Dropped unused lintian overrides
   * Drop libgds.so compatibility symlink (upstream dropped it after 1.5)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG5UIYHqjlqpcl9jsRAoX/AJ9LwNJX3VKgcJ3KYPzaD7o1Z/ZV1ACfdZA0
qZnpWT26j0B6Ctdcg6jdJhE=
=Vulu
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 15 Oct 2007 07:30:27 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 04:19:51 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.