190833 2007-08-31 00:18 0000 dev-db/firebird < 2.0.2 Multiple Vulnerabilities (CVE-2007-{466[456789],5246}) 2007-10-07 11:18:04 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://secunia.com/advisories/26615/ B3 [noglsa] P2 minor --- 1 mjf@gentoo.org security@gentoo.org drizzt@gentoo.org max.dittrich@t-online.de wltjr@gentoo.org mjf@gentoo.org 2007-08-31 00:18:15 0000 Some vulnerabilities have been reported in Firebird, where some have unknown impact and others can be exploited by malicious users to cause a DoS (Denial of Service). 1) An error exists in the processing of event registration requests. This can potentially be exploited by a client application connected via XNET to crash the Firebird server by registering several events in parallel. 2) An error exists in the processing of network packets. This can potentially be exploited to increase the CPU load to a high value and consume large amounts of memory by sending large network packets containing garbage data. 3) An unspecified error exists in the processing of Service API calls. This can be exploited to cause a DoS on the affected Firebird server. 4) An unspecified vulnerability with unknown impact exists in the processing of "attach database" and "create database" commands when the passed filename is larger than "MAX_PATH_LEN". The vulnerabilities are reported in versions prior to 2.0.2. mjf@gentoo.org 2007-08-31 00:20:03 0000 Cc'ing maintainers and setting whiteboard status. wltjr@gentoo.org 2007-08-31 01:34:11 0000 Wasn't even aware of release. I will see about bumping asap. I was in the process of moving to opt. Guess I will pause on that for now. wltjr@gentoo.org 2007-08-31 04:23:25 0000 Ok, I have bumped the ebuild and it compiled and seems to be good to go. If others can test, and if no problems we can look to rush stabilize. fauli@gentoo.org 2007-09-08 21:42:37 0000 arches, please stabilise dev-db/firebird-2.0.2.12964.0 maekke@gentoo.org 2007-09-09 13:31:42 0000 x86 stable jakub@gentoo.org 2007-09-12 09:24:59 0000 *** Bug 192274 has been marked as a duplicate of this bug. *** jakub@gentoo.org 2007-09-12 09:26:38 0000 Firebird 2.0.2 is Recalled The Firebird 2.0.2 release has been recalled due to a significant regression that has shown up (Tracker Issue CORE-1434). Our sincere apologies for the inconvenience. A release candidate for v.2.0.3 will follow shortly. http://tracker.firebirdsql.org/browse/CORE-1434 (2.0.3_rc1 is out, BTW). wltjr@gentoo.org 2007-09-12 19:59:00 0000 (In reply to comment #7) > Firebird 2.0.2 is Recalled Yeah not sure what's going on with apps I love and have never had issues with. ASSP and Firebird :( > (2.0.3_rc1 is out, BTW). Not really. It's a pre-release, and I can't download sources. :( http://www.firebirdsql.org/index.php?op=files&id=fb203_rc1 404 jakub@gentoo.org 2007-09-13 08:45:48 0000 (In reply to comment #8) > Not really. It's a pre-release, and I can't download sources. :( > > http://www.firebirdsql.org/index.php?op=files&id=fb203_rc1 Works fine here. wltjr@gentoo.org 2007-09-13 13:53:27 0000 (In reply to comment #9) > > Works fine here. So you can download sources? http://www.firebirdsql.org/download/prerelease/Firebird-2.0.3.12981-0.tar.bz2 404 rbu@gentoo.org 2007-09-13 14:09:08 0000 (In reply to comment #10) > So you can download sources? > http://www.firebirdsql.org/download/prerelease/Firebird-2.0.3.12981-0.tar.bz2 > 404 The link is wrong, but this works: http://www.firebirdsql.org/download/prerelease/source/Firebird-2.0.3.12981-0.tar.bz2 wltjr@gentoo.org 2007-09-13 14:40:21 0000 ok, thanks, a URL is what I needed for ebuild :) wltjr@gentoo.org 2007-09-13 22:14:03 0000 Ok pre-release committed to tree. I didn't tag it as such atm. Should be moot since if upstream does another 2.0.3 release, the build number will have gone up :) rbu@gentoo.org 2007-09-14 00:35:02 0000 Thanks William. Arches, please test and stabilize dev-db/firebird-2.0.3.12981.0. Target keywords: "amd64 x86" maekke@gentoo.org 2007-09-15 14:47:47 0000 x86 stable angelos@gentoo.org 2007-09-16 14:17:21 0000 amd64 stable fauli@gentoo.org 2007-09-16 16:52:58 0000 If severity level stays that way, glsa voting is now open. rbu@gentoo.org 2007-09-23 17:18:37 0000 In case of a GLSA, there's also CVE-2007-4669 not covered by the Secunia advisory. You might want to review it, too. jaervosz@gentoo.org 2007-09-24 16:30:30 0000 I tend to vote NO. py@gentoo.org 2007-09-25 09:38:58 0000 I tend to vote NO too, though the 4th "unspecified issue" with the MAX_PATH_LEN might imply code execution :/ falco@gentoo.org 2007-10-02 21:30:18 0000 I usually vote noglsa for unspecified vulnerabilities with unknown impact. Plus, the DoS vulnerabilities by opening several connections or sending large packets could happen all the time. Perhaps, there is CVE-2007-4669, but i don't know if the logfile would provide much sensible information. I vote no, and closing. Feel free to reopen if you disagree. wltjr@gentoo.org 2007-10-02 21:43:31 0000 Just as further info, unless a user is doing something abnormal with logging sensitive stuff to the log file. Having access to it's contents is quite moot IMHO. It hardly reveals much if anything. Other than maybe if someone were beating on a db server trying to take it down. While viewing logs at the same time to see any signs of distress.