Bug 120343 - dev-db/firebird-1.5.3 deals with security issue
Summary: dev-db/firebird-1.5.3 deals with security issue
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa] DerCorny
Keywords:
Depends on: 144224
Blocks:
Reported: 2006-01-25 14:11 UTC by Carsten Lohrke (RETIRED)
Modified: 2007-05-20 16:08 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
firebird 1.5.3 ebuild (firebird-1.5.3.ebuild,6.35 KB, text/plain)
2006-01-26 12:22 UTC, andy

Description Carsten Lohrke (RETIRED) gentoo-dev 2006-01-25 14:11:22 UTC
(1.5.3) Closed an Endemic Security Hole
Alex Peshkoff
Previously, a user could log into a server on a Unix/Linux host remotely, using a Linux UID and password accepted on that host. It was recognised as a security hole and fixed in Firebird 2 development. It is an endemic security bug in previous versions and InterBase. The security fix has been back-ported to Firebird 1.5.3: a UID received from the client side is now not trusted.
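The release note above describes the 1.5.3 fix only as "a UID received from the client side is now not trusted". The following is an added illustration, not Firebird code and not part of the bug report: a constructed Python model of the attach step, with the pre-fix path that derives the session identity from a client-asserted UID beside a path that derives it only from credentials the server verifies itself. The account table, the credential store and the function names are assumptions made for the example.

```python
"""Constructed model of a database attach/login step.

Not Firebird's code. It contrasts the flaw named in the 1.5.3 release
note (trusting a UID asserted by the client) with the usual fix: the
server decides who the caller is from credentials it verifies itself.
"""
import hashlib
import hmac
import os

# Constructed sample data (assumption): the server host's local accounts,
# keyed by UID, as the pre-fix server might resolve a client-sent UID.
HOST_ACCOUNTS = {0: "root", 1000: "alice"}

# Constructed server-side credential store (assumption): name -> (salt, hash).
SERVER_USERS = {}
PBKDF_ITERATIONS = 50_000


def _derive(password, salt):
    """Slow password hash; the exact KDF is incidental to the point."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF_ITERATIONS)


def add_user(name, password):
    """Register a user in the server-side store (setup helper for the demo)."""
    salt = os.urandom(16)
    SERVER_USERS[name] = (salt, _derive(password, salt))


def attach_vulnerable(request, host_accounts):
    """Pre-fix behaviour: the identity is whatever UID the client claims.

    Any password check happened on the *client* host, so a remote client
    that simply sends uid=0 is treated as the server host's root account.
    """
    uid = request.get("uid")
    if uid in host_accounts:
        return host_accounts[uid]  # session opened as that user
    return None


def attach_fixed(request):
    """Post-fix behaviour: the client-sent 'uid' field is ignored entirely.

    Identity comes only from a username/password pair verified against
    the server's own store, with constant-time comparison of the hashes.
    """
    name = request.get("user")
    password = request.get("password", "")
    entry = SERVER_USERS.get(name)
    if entry is None:
        # Burn the same work for unknown users so timing does not reveal
        # which names exist.
        _derive(password, b"\x00" * 16)
        return None
    salt, expected = entry
    if hmac.compare_digest(_derive(password, salt), expected):
        return name
    return None


if __name__ == "__main__":
    add_user("alice", "s3cret")
    forged = {"uid": 0, "user": "root", "password": "anything"}
    print("vulnerable:", attach_vulnerable(forged, HOST_ACCOUNTS))  # root
    print("fixed:     ", attach_fixed(forged))                       # None
    print("fixed ok:  ", attach_fixed({"user": "alice", "password": "s3cret"}))
```

The forged request carries a UID that is meaningful only on the attacker's own host; the vulnerable path maps it onto the server's account of the same number, which is the class of bug the release note describes. The fixed path never reads that field, so the only way to obtain a session is to present a password the server can verify.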
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-25 14:16:44 UTC
please provide fixed ebuilds, thanks
Comment 2 andy 2006-01-26 12:22:35 UTC
Created attachment 78207
firebird 1.5.3 ebuild
Comment 3 andy 2006-01-26 12:23:55 UTC
(In reply to comment #2)
> Created an attachment (id=78207)
> firebird 1.5.3 ebuild
> 

ebuild requires:
cp files/firebird-1.5.2-build.patch files/firebird-1.5.3-build.patch
Comment 4 Karol Wojtaszek (RETIRED) gentoo-dev 2006-01-29 13:24:09 UTC
firebird-1.5.3 is now in portage
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-29 13:28:28 UTC
arches, please give us your blessing, thx
Comment 6 Mark Loeser (RETIRED) gentoo-dev 2006-01-30 17:10:54 UTC
x86 done
Comment 7 Láďa Durchánek 2006-01-31 03:26:02 UTC
Someone taking care about Firebird again? Nice, thanks
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2006-01-31 06:57:41 UTC
sparc stable.
Comment 9 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-31 07:28:36 UTC
ready for glsa vote, tend to a yes here.
Comment 10 Karol Wojtaszek (RETIRED) gentoo-dev 2006-02-01 04:47:58 UTC
i'm for yes
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-02-01 13:16:35 UTC
I vote NO as upstream doesn't even mention it in their 1.5.3 release blurb. Though you find this note if you dig deep enough:

    * Fixed unregistered security related bugs.
        1) Server crashed when too long filename is provided
        2) No longer trust UID received from the client side
        3) isc_user_* functions worked wrongly under "superuser" account on win32
      Contributor(s):
        Alex Peshkov <peshkoff at mail.ru>
Comment 13 Carsten Lohrke (RETIRED) gentoo-dev 2006-02-01 15:30:46 UTC
Looking at their 2.0 roadmap¹ it sounds like there are more security relevant issues with the 1.5.x code. The exact wording is " Weak security and many known vulnerabilities".


[1] http://firebird.sourceforge.net/devel/engine/roadmap2006.html
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-02-01 22:50:48 UTC
I suggest we mask it until we have a fixed version then.
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-02-06 12:27:13 UTC
Security please comment.
Comment 16 Stefan Cornelius (RETIRED) gentoo-dev 2006-02-08 10:53:39 UTC
yes, masking seems like a good idea.
Comment 17 Carsten Lohrke (RETIRED) gentoo-dev 2006-02-08 11:35:19 UTC
(In reply to comment #15)
> yes, masking seems like a good idea.
> 

That would implicate quite a few other packages, which would have to be masked or have Firebird support removed from the relevant ebuilds. Given that Firebird is not that widely used, and if it is, then more likely in a restricted environment, I'd say a post-install warning should do it. Especially since we do not have specific information.
Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-02-08 22:12:19 UTC
Please provide an appropriate post install message.
Comment 19 Carsten Lohrke (RETIRED) gentoo-dev 2006-02-09 13:20:14 UTC
(In reply to comment #17)
> Please provide an appropriate post install message.
> 

Sune, that was just my opinion, weighing the implications of possible malicious SQL code or whatever may cause problems against some unwanted extra work. A possible message would be "The developers of Firebird attest that their 1.5.x code base has weak security, so please take this into account when using this database." It's of course Karol's and the security herd's voices that count. :)
Comment 20 Karol Wojtaszek (RETIRED) gentoo-dev 2006-02-17 04:25:47 UTC
I'm for information. Masking it would impact many users, because firebird is widely used. It's not a good idea to mask it, really.
Comment 21 Stefan Cornelius (RETIRED) gentoo-dev 2006-02-23 08:03:52 UTC
Ok, if masking is not a good idea then I'd say make a big fat warning, something one simply *has* to see while emerging, so we can get rid of this bug. We might send an informational GLSA too, but I have no clue about our usual methods in such cases.
Comment 22 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-03-18 06:26:03 UTC
After some reconsideration I'm not too much in favour of a post-install message. If it really has these problems it ought to be masked according to policy.

Perhaps we should poke upstream about more details? 
Comment 23 Carsten Lohrke (RETIRED) gentoo-dev 2006-03-19 05:34:44 UTC
Packages affected by masking would be:

dev-db/hk_classes
dev-db/jxtray
dev-db/libdbi-drivers
dev-java/jdbc2-firebird
dev-java/jdbc3-firebird
dev-libs/ibpp
dev-php5/pecl-pdo-firebird
dev-python/kinterbasdb
dev-python/orm
dev-python/sqlobject
dev-ruby/ruby-dbi
gnome-extra/libgda
x11-libs/qt
x11-libs/qt-embedded
Comment 24 Aron Griffis (RETIRED) gentoo-dev 2006-03-23 07:30:29 UTC
firebird and ia64 don't presently mix at all, so I've marked them all -ia64, and ia64 is no longer affected by this bug
Comment 25 Matthias Geerdsen (RETIRED) gentoo-dev 2006-12-13 03:39:08 UTC
been a little silent here...

So what do we do with this one now... current stable version in the tree is 1.5.3-r1. Firebird 2.0 has officially been published last month it seems.

Suggestions?
Comment 26 Wolf Giesen (RETIRED) gentoo-dev 2006-12-13 04:08:35 UTC
Wrong track, firebird's a database ^_^
Comment 27 Matthias Geerdsen (RETIRED) gentoo-dev 2006-12-13 04:25:17 UTC
i know ;-)

Even though one could confuse the versions with Thunderbird et al., Firebird has similar versions (see http://www.firebirdsql.org/)
Comment 28 Matthias Geerdsen (RETIRED) gentoo-dev 2007-01-17 20:09:55 UTC
long time no comments here

It seems the only reason for this bug to be open is comment #13 right?

So do we want a notice in the ebuild or do we ignore the statement in the roadmap or are there any open publically known security issues open?
Comment 29 Carsten Lohrke (RETIRED) gentoo-dev 2007-05-09 16:19:08 UTC
I've committed 1.5.4 plus some Debian patches, including a fix for a remotely triggerable crash. It starts, but I didn't really test it.

There're more bugs than this one, though and Karol is completely inactive. Need to find a new maintainer (definitely not me) or have to go the unpleasing way to remove it as dependency from other packages and finally Firebird itself, I suppose.
Comment 30 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-10 06:00:27 UTC
@carlo, thx for the response, I've mailed -dev for assistance.

Arches please test and mark stable.
Comment 31 Gustavo Zacarias (RETIRED) gentoo-dev 2007-05-11 13:50:08 UTC
firebird is USE.masked on sparc, and there's also bug #177916, recommendations?
Comment 32 Raúl Porcel (RETIRED) gentoo-dev 2007-05-11 16:03:36 UTC
wfm...x86 stable
Comment 33 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-14 17:56:21 UTC
Let's wait and see whether the sparc sandbox issues are solved before taking the GLSA decision.
Comment 34 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-05-15 02:56:38 UTC
Access violations have been resolved. I would like to remove all versions < 1.5.4-r2. Requesting all archs stabilize that version, firebird-1.5.4-r2.

amd64 arch: Firebird was previously stable on that arch, then was moved back to ~arch due to some questionable recommendations from upstream, which are resolved in 1.5.4. Thus requesting rush stabilization even though it's not been 30 days in ~arch.
Comment 35 Christian Faulhammer (RETIRED) gentoo-dev 2007-05-15 06:27:26 UTC
x86/amd64 stable
Comment 36 Carsten Lohrke (RETIRED) gentoo-dev 2007-05-15 10:34:13 UTC
Eh, sorry for committing an ebuild with access violations. :( No idea why it didn't hit me.
Comment 37 Ferris McCormick (RETIRED) gentoo-dev 2007-05-15 11:55:32 UTC
firebird-1.5.4-r2 stable on sparc.
Comment 38 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-15 12:06:06 UTC
This one is ready for GLSA decision. I tend to vote NO.
Comment 39 Matt Drew (RETIRED) gentoo-dev 2007-05-19 13:01:20 UTC
I'll vote no, unless someone has a better issue than this one that got fixed.
Comment 40 Vic Fryzel (shellsage) (RETIRED) gentoo-dev 2007-05-20 15:36:51 UTC
I definitely vote no.
Comment 41 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-20 16:08:07 UTC
Let's kill this one off. Closing with NO GLSA.