Bug#357580: firebird2-*-server: remotelly crashable
Damyan Ivanov wrote:
> Here's a patch that fixes the crash. The fix is rather ugly IMHO, but
> this is what upstream proposed.

The patch looks good. I've requested a CVE name as well, will upload fixed packages for sarge tonight.

Regards,

Joey

--
Of course, I didn't mean that, which is why I didn't say it.
What I meant to say, I said. -- Thomas Bushnell

Please always Cc to me when replying to me on the lists.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#357580: firebird2-*-server: remotelly crashable
Damyan Ivanov wrote:
> Here's a patch that fixes the crash. The fix is rather ugly IMHO, but
> this is what upstream proposed.
>
> Please apply it to stable version of firebird2. Unstable package is due
> for upload.
>
> More information (discovery, reproduction) on
> http://bugs.debian.org/358580

This is CVE-2004-2043, please mention it in the changelog when you're doing the next upload.

Regards,

Joey
Bug#357580: firebird2-*-server: remotelly crashable
Martin Schulze wrote:
> This is CVE-2004-2043, please mention it in the changelog when you're

Great! Thanks.

> doing the next upload.

Sure.

--
dam
Processed: Bug#357580: firebird2-*-server: remotelly crashable
Processing commands for [EMAIL PROTECTED]:

> tag 357580 forwarded http://sourceforge.net/tracker/index.php?func=detailaid=1282031group_id=9028atid=109028
Unknown tag/s: forwarded, http://sourceforge.net/tracker/index.php?func=detailaid=1282031group_id=9028atid=109028.
Recognized are: patch wontfix moreinfo unreproducible fixed potato woody sid help security upstream pending sarge sarge-ignore experimental d-i confirmed ipv6 lfs fixed-in-experimental fixed-upstream l10n etch etch-ignore.

Bug#357580: firebird2-*-server: remotelly crashable
Tags were: help security
Tags added:

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
Processed: Bug#357580: firebird2-*-server: remotelly crashable
Processing commands for [EMAIL PROTECTED]:

> forwarded 357580 http://sourceforge.net/tracker/index.php?func=detailaid=1282031group_id=9028atid=109028
Bug#357580: firebird2-*-server: remotelly crashable
Noted your statement that Bug has been forwarded to http://sourceforge.net/tracker/index.php?func=detailaid=1282031group_id=9028atid=109028.

> tags 357580 upstream
Bug#357580: firebird2-*-server: remotelly crashable
Tags were: help security
Tags added: upstream

> found 357580 1.5.1-4
Bug#357580: firebird2-*-server: remotelly crashable
Bug marked as found in version 1.5.1-4.

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
Bug#357580: firebird2-*-server: remotelly crashable
reassign 357580 firebird2-super-server,libfbembed1
thanks

Hi,

Here's a patch that fixes the crash. The fix is rather ugly IMHO, but this is what upstream proposed.

Please apply it to stable version of firebird2. Unstable package is due for upload.

More information (discovery, reproduction) on http://bugs.debian.org/358580

Thanks,
dam

--
Damyan Ivanov
Creditreform Bulgaria
[EMAIL PROTECTED]
http://www.creditreform.bg/
phone: +359(2)928-2611, 929-3993
fax: +359(2)920-0994
mob. +359(88)856-6067
[EMAIL PROTECTED]/Gaim

#! /bin/sh /usr/share/dpatch/dpatch-run ## security-remote-preauth-crash.dpatch by [EMAIL PROTECTED] ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: No description. @DPATCH@ diff -urNad firebird2-1.5.3.4870~/src/jrd/unix.cpp firebird2-1.5.3.4870/src/jrd/unix.cpp --- firebird2-1.5.3.4870~/src/jrd/unix.cpp 2004-03-29 06:50:11.0 +0300 +++ firebird2-1.5.3.4870/src/jrd/unix.cpp 2006-03-20 11:46:53.0 +0200 @@ -643,6 +643,8 @@ if (string) { ptr = string; if (length) { +if (length = sizeof(temp)) length = sizeof(temp) - 1; + MOVE_FAST(string, temp, length); temp[length] = 0; ptr = temp; @@ -651,6 +653,8 @@ else { ptr = file_name; if (file_length) { +if (file_length = sizeof(temp)) file_length = sizeof(temp) - 1; + MOVE_FAST(file_name, temp, file_length); temp[file_length] = 0; ptr = temp;
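Review bot: In the first hunk the guard `if (length = sizeof(temp))` is an assignment as shown, not a comparison, so it sets `length` to `sizeof(temp)` and then always clamps it to `sizeof(temp) - 1`; `MOVE_FAST(string, temp, length)` would then copy that many bytes out of `string` even when the caller passed a shorter name. The condition should read `if (length >= sizeof(temp))`, and the `file_length` guard in the second hunk needs the same correction.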
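Review bot: Clamping `file_length` to `sizeof(temp) - 1` in the second hunk (and `length` in the first) silently truncates an over-long name, so the code carries on with `ptr = temp` naming a different file than the one requested. Consider failing the request with an error when the length does not fit in `temp` rather than truncating, and replace `## DP: No description.` in the dpatch header with a line saying what the bound protects against.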
Bug#357580: firebird2-*-server: remotelly crashable
Package: firebird2-super-server,firebird2-classic-server
Version: 1.5.3.4870-2
Severity: critical
Tags: security help
Justification: root security hole

As noted in [1], fbserver (the daemon listening for TCP, found in firebird2-super-server, source package firebird2) crashes if given a too long database name.

The crash occurs *before* authentication and thus does not require knowledge of a valid database user/password.

[1] https://sourceforge.net/tracker/?func=detailatid=109028aid=1282031group_id=9028

securityfocus' advisory[2] claims version 1.5 is not vulnerable, but I've just reproduced the crash using 1.5.2-10 that is in Debian/sarge and etch. Upstream claimed[1] that this is fixed in 1.5.3, but I can still reproduce it with 1.5.3.4870-2 from yesterday, which was supposed to fix other (local) buffer overflows (see #357173).

[2] http://www.securityfocus.com/bid/10446/discuss

=== How to reproduce ===

$ gsec -database localhost:`perl -e'print ("A"x300)'` \
       -user doesnt -passwd matter
invalid switch specified
error in switch specifications
Unable to complete network request to host localhost.
Error reading data from the connection.
unable to open database

"Unable to complete network request" usually means that the server has crashed. And indeed, looking at /var/log/firebird.log gives:

amd64 (Client)  Sat Mar 18 10:52:19 2006
        /usr/lib/firebird2/bin/fbguard: bin/fbserver terminated abnormally (-1)

So the server has crashed.

Same happens with firebird2-classic-server, only there is nothing in firebird.log.

I am yet to verify the pristine upstream builds (without debian patches) and report it to upstream. Any help for these tasks from people knowing firebird (preferably subscribed to firebird-devel) is warmly appreciated.

---
dam

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.13+reiser4+dam.1
Locale: LANG=bg_BG.UTF-8, LC_CTYPE=bg_BG.UTF-8 (charmap=UTF-8)

Versions of packages firebird2-super-server depends on:
ii  adduser                  3.85          Add and remove users and groups
ii  firebird2-server-common  1.5.3.4870-2  Common files for Firebird - an RDB
ii  libc6                    2.3.6-3       GNU C Library: Shared libraries an
ii  libfbclient1             1.5.3.4870-2  Firebird client library
ii  libgcc1                  1:4.0.3-1     GCC support library
ii  libncurses5              5.5-1         Shared libraries for terminal hand
ii  libstdc++6               4.0.3-1       The GNU Standard C++ Library v3

firebird2-super-server recommends no packages.
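
The report above identifies the crash by the fbguard record in /var/log/firebird.log. As an added example (not part of the report or of Firebird), this sketch pulls such records out of a log for monitoring; it assumes every entry is a "host (role) timestamp" header followed by indented message lines, and the sample log is constructed. Per the report, the classic server leaves no such record, so this only covers the super-server.

```python
import re
from datetime import datetime

# Constructed sample; only the "terminated abnormally" entry is modelled on the
# line quoted in the report, the other entries are invented for contrast.
SAMPLE_LOG = """\
amd64 (Client)\tSat Mar 18 10:52:19 2006
\t/usr/lib/firebird2/bin/fbguard: bin/fbserver terminated abnormally (-1)

amd64 (Client)\tSat Mar 18 10:52:19 2006
\t/usr/lib/firebird2/bin/fbguard: bin/fbserver restarted

amd64 (Server)\tSat Mar 18 11:05:40 2006
\tINET/inet_error: read errno = 104

amd64 (Client)\tSat Mar 18 11:07:02 2006
\t/usr/lib/firebird2/bin/fbguard: bin/fbserver terminated abnormally (-1)
"""

# Assumed header layout: host, optional "(role)", whitespace, ctime-style date.
HEADER = re.compile(r"^(?P<host>\S+)(?: \((?P<role>\w+)\))?\s+"
                    r"(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\s*$")
CRASH = re.compile(r"fbguard: (?P<proc>\S+) terminated abnormally \((?P<code>-?\d+)\)")

def parse_entries(text):
    """Split firebird.log text into (host, timestamp, message) entries."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            current = [m["host"], ts, []]
            entries.append(current)
        elif line.strip() and current is not None:
            current[2].append(line.strip())  # indented continuation line
    return [(host, ts, " ".join(msg)) for host, ts, msg in entries]

def abnormal_terminations(text):
    """Return (host, timestamp, process, exit_code) per guardian crash record."""
    hits = []
    for host, ts, msg in parse_entries(text):
        m = CRASH.search(msg)
        if m:
            hits.append((host, ts, m["proc"], int(m["code"])))
    return hits

if __name__ == "__main__":
    for host, ts, proc, code in abnormal_terminations(SAMPLE_LOG):
        print(f"{ts.isoformat()} {host}: {proc} terminated abnormally ({code})")
```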