Bug#: 190833
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Matt Fleming (RETIRED) <mjf@gentoo.org>

Description:   Opened: 2007-08-31 00:18 0000
Some vulnerabilities have been reported in Firebird, where some have unknown
impact and others can be exploited by malicious users to cause a DoS (Denial of
Service).

1) An error exists in the processing of event registration requests. This can
potentially be exploited by a client application connected via XNET to crash
the Firebird server by registering several events in parallel.

2) An error exists in the processing of network packets. This can potentially
be exploited to increase the CPU load to a high value and consume large amounts
of memory by sending large network packets containing garbage data.

3) An unspecified error exists in the processing of Service API calls. This can
be exploited to cause a DoS on the affected Firebird server.

4) An unspecified vulnerability with unknown impact exists in the processing of
"attach database" and "create database" commands when the passed filename is
larger than "MAX_PATH_LEN".

The vulnerabilities are reported in versions prior to 2.0.2.

------- Comment #1 From Matt Fleming (RETIRED) 2007-08-31 00:20:03 0000 -------
Cc'ing maintainers and setting whiteboard status.

------- Comment #2 From William L. Thomson Jr. (RETIRED) 2007-08-31 01:34:11 0000 -------
Wasn't even aware of release. I will see about bumping asap. I was in the
process of moving to opt. Guess I will pause on that for now.

------- Comment #3 From William L. Thomson Jr. (RETIRED) 2007-08-31 04:23:25 0000 -------
Ok, I have bumped the ebuild and it compiled and seems to be good to go. If
others can test, and if no problems we can look to rush stabilize.

------- Comment #4 From Christian Faulhammer 2007-09-08 21:42:37 0000 -------
arches, please stabilise dev-db/firebird-2.0.2.12964.0

------- Comment #5 From Markus Meier 2007-09-09 13:31:42 0000 -------
x86 stable

------- Comment #6 From Jakub Moc (RETIRED) 2007-09-12 09:24:59 0000 -------
*** Bug 192274 has been marked as a duplicate of this bug. ***

------- Comment #7 From Jakub Moc (RETIRED) 2007-09-12 09:26:38 0000 -------
Firebird 2.0.2 is Recalled
The Firebird 2.0.2 release has been recalled due to a significant regression
that has shown up (Tracker Issue CORE-1434). Our sincere apologies for the
inconvenience. A release candidate for v.2.0.3 will follow shortly.

http://tracker.firebirdsql.org/browse/CORE-1434

(2.0.3_rc1 is out, BTW).

------- Comment #8 From William L. Thomson Jr. (RETIRED) 2007-09-12 19:59:00 0000 -------
(In reply to comment #7)
> Firebird 2.0.2 is Recalled

Yeah not sure what's going on with apps I love and have never had issues with.
ASSP and Firebird :(

> (2.0.3_rc1 is out, BTW).

Not really. It's a pre-release, and I can't download sources. :(

http://www.firebirdsql.org/index.php?op=files&id=fb203_rc1

404

------- Comment #9 From Jakub Moc (RETIRED) 2007-09-13 08:45:48 0000 -------
(In reply to comment #8)
> Not really. It's a pre-release, and I can't download sources. :(
> 
> http://www.firebirdsql.org/index.php?op=files&id=fb203_rc1

Works fine here.

------- Comment #10 From William L. Thomson Jr. (RETIRED) 2007-09-13 13:53:27 0000 -------
(In reply to comment #9)
>
> Works fine here.

So you can download sources?

http://www.firebirdsql.org/download/prerelease/Firebird-2.0.3.12981-0.tar.bz2

404

------- Comment #11 From Robert Buchholz 2007-09-13 14:09:08 0000 -------
(In reply to comment #10)
> So you can download sources?
> http://www.firebirdsql.org/download/prerelease/Firebird-2.0.3.12981-0.tar.bz2
> 404

The link is wrong, but this works:
http://www.firebirdsql.org/download/prerelease/source/Firebird-2.0.3.12981-0.tar.bz2

------- Comment #12 From William L. Thomson Jr. (RETIRED) 2007-09-13 14:40:21 0000 -------
ok, thanks, a URL is what I needed for ebuild :)

------- Comment #13 From William L. Thomson Jr. (RETIRED) 2007-09-13 22:14:03 0000 -------
Ok pre-release committed to tree. I didn't tag it as such atm. Should be moot
since if upstream does another 2.0.3 release, the build number will have gone
up :)

------- Comment #14 From Robert Buchholz 2007-09-14 00:35:02 0000 -------
Thanks William. Arches, please test and stabilize
dev-db/firebird-2.0.3.12981.0.
Target keywords: "amd64 x86"

------- Comment #15 From Markus Meier 2007-09-15 14:47:47 0000 -------
x86 stable

------- Comment #16 From Christoph Mende 2007-09-16 14:17:21 0000 -------
amd64 stable

------- Comment #17 From Christian Faulhammer 2007-09-16 16:52:58 0000 -------
If severity level stays that way, glsa voting is now open.

------- Comment #18 From Robert Buchholz 2007-09-23 17:18:37 0000 -------
In case of a GLSA, there's also CVE-2007-4669 not covered by the Secunia
advisory. You might want to review it, too.

------- Comment #19 From Sune Kloppenborg Jeppesen 2007-09-24 16:30:30 0000 -------
I tend to vote NO.

------- Comment #20 From Pierre-Yves Rofes 2007-09-25 09:38:58 0000 -------
I tend to vote NO too, though the 4th "unspecified issue" with the MAX_PATH_LEN
might imply code execution :/

------- Comment #21 From Raphael Marichez 2007-10-02 21:30:18 0000 -------
I usually vote noglsa for unspecified vulnerabilities with unknown impact.
Plus, the DoS vulnerabilities by opening several connections or sending large
packets could happen all the time.

Perhaps, there is CVE-2007-4669, but I don't know if the logfile would provide
much sensible information.

I vote no, and closing. Feel free to reopen if you disagree.

------- Comment #22 From William L. Thomson Jr. (RETIRED) 2007-10-02 21:43:31 0000 -------
Just as further info, unless a user is doing something abnormal with logging
sensitive stuff to the log file. Having access to its contents is quite moot
IMHO. It hardly reveals much if anything. Other than maybe if someone were
beating on a db server trying to take it down. While viewing logs at the same
time to see any signs of distress.
