Debian Bug report logs - #702735
firebird2.1: CVE-2013-2492: Request Processing Buffer Overflow Vulnerability


Package: src:firebird2.1; Maintainer for src:firebird2.1 is Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 10 Mar 2013 21:15:01 UTC

Severity: grave

Tags: patch, security

Fixed in version firebird2.1/2.1.3.18185-0.ds1-11+squeeze1

Done: Damyan Ivanov <dmn@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#702735; Package src:firebird2.1. (Sun, 10 Mar 2013 21:15:04 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. (Sun, 10 Mar 2013 21:15:04 GMT)

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: firebird2.1: CVE-2013-2492: Request Processing Buffer Overflow Vulnerability
Date: Sun, 10 Mar 2013 22:13:22 +0100
Source: firebird2.1
Severity: grave
Tags: security

Hi

the following vulnerability was published for firebird2.1.

CVE-2013-2492[0]:
Request Processing Buffer Overflow Vulnerability

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see also [1] and [2].

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2492
    http://security-tracker.debian.org/tracker/CVE-2013-2492
[1] http://tracker.firebirdsql.org/browse/CORE-4058
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2492


Thank you for looking into this.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#702735; Package src:firebird2.1. (Mon, 11 Mar 2013 03:33:03 GMT)

Acknowledgement sent to Hideki Yamane <henrich@debian.or.jp>:
Extra info received and forwarded to list. Copy sent to Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. (Mon, 11 Mar 2013 03:33:03 GMT)

Message #10 received at 702735@bugs.debian.org (full text, mbox):

From: Hideki Yamane <henrich@debian.or.jp>
To: 702735@bugs.debian.org, 702736@bugs.debian.org
Subject: [patch]: firebird2.5: CVE-2013-2492: Request Processing Buffer Overflow Vulnerability
Date: Mon, 11 Mar 2013 12:30:30 +0900
Control: tags -1 +patch

Hi,

 Fix cherry-picked from the upstream svn repo, please check it.

-- 
Regards,

 Hideki Yamane     henrich @ debian.or.jp/org
 http://wiki.debian.org/HidekiYamane
[CVE-2013-2492.patch (text/x-diff, attachment)]

Added tag(s) patch. Request was from Hideki Yamane <henrich@debian.or.jp> to 702735-submit@bugs.debian.org. (Mon, 11 Mar 2013 03:33:03 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#702735; Package src:firebird2.1. (Tue, 12 Mar 2013 09:21:03 GMT)

Message #15 received at 702735@bugs.debian.org (full text, mbox):

From: Damyan Ivanov <dmn@debian.org>
To: 702735@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#702735: firebird2.1: CVE-2013-2492: Request Processing Buffer Overflow Vulnerability
Date: Tue, 12 Mar 2013 11:13:51 +0200
(not a duplicate, firebird has two versions in squeeze)

-=| Salvatore Bonaccorso, 10.03.2013 22:13:22 +0100 |=-
> Source: firebird2.1
> Severity: grave
> Tags: security
> 
> Hi
> 
> the following vulnerability was published for firebird2.1.
> 
> CVE-2013-2492[0]:
> Request Processing Buffer Overflow Vulnerability
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see also [1] and [2].
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2492
>     http://security-tracker.debian.org/tracker/CVE-2013-2492
> [1] http://tracker.firebirdsql.org/browse/CORE-4058
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2492

Dear security team,

Please approve the uploading of firebird2.1 with the attached (source) 
diff from the version in squeeze.

Also attached is the binary diff.


Thanks,
    dam
[firebird2.1_2.1.3.18185-0.ds1-11+squeeze1-source.diff (text/x-diff, attachment)]
[firebird2.1_2.1.3.18185-0.ds1-11+squeeze1-deb.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Reply sent to Damyan Ivanov <dmn@debian.org>:
You have taken responsibility. (Sun, 17 Mar 2013 00:51:19 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 17 Mar 2013 00:51:19 GMT)

Message #20 received at 702735-close@bugs.debian.org (full text, mbox):

From: Damyan Ivanov <dmn@debian.org>
To: 702735-close@bugs.debian.org
Subject: Bug#702735: fixed in firebird2.1 2.1.3.18185-0.ds1-11+squeeze1
Date: Sun, 17 Mar 2013 00:47:16 +0000
Source: firebird2.1
Source-Version: 2.1.3.18185-0.ds1-11+squeeze1

We believe that the bug you reported is fixed in the latest version of
firebird2.1, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 702735@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Damyan Ivanov <dmn@debian.org> (supplier of updated firebird2.1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 12 Mar 2013 10:30:31 +0200
Source: firebird2.1
Binary: firebird2.1-super firebird2.1-classic libfbembed2.1 firebird2.1-common firebird2.1-server-common firebird2.1-dev firebird2.1-examples firebird2.1-doc firebird2.1-common-doc
Architecture: source all amd64
Version: 2.1.3.18185-0.ds1-11+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>
Changed-By: Damyan Ivanov <dmn@debian.org>
Description: 
 firebird2.1-classic - Firebird Classic Server - an RDBMS based on InterBase 6.0 code
 firebird2.1-common - common files for firebird 2.1 servers and clients
 firebird2.1-common-doc - copyright, licensing and changelogs of firebird2.1
 firebird2.1-dev - Development files for Firebird - an RDBMS based on InterBase 6.0
 firebird2.1-doc - Documentation files for firebird database version 2.1
 firebird2.1-examples - Examples for Firebird - an RDBMS based on InterBase 6.0 code
 firebird2.1-server-common - common files for firebird 2.1 servers
 firebird2.1-super - Firebird Super Server - an RDBMS based on InterBase 6.0 code
 libfbembed2.1 - Firebird embedded client/server library
Closes: 702735
Changes: 
 firebird2.1 (2.1.3.18185-0.ds1-11+squeeze1) stable-security; urgency=high
 .
   * Apply patch from upstream revision r57728 (unfuzzied) fixing a remote
     unauthenticated stack overflow in the Firebird server (CVE-2013-2492)
     Closes: #702735

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 May 2013 07:40:49 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 12:54:43 2014; Machine Name: buxtehude.debian.org