Home | Docs | Forums | Lists | Bugs | Planet | Store | GMN | Get Gentoo!

Full Text Bug Listing

Hi,

please see http://tracker.firebirdsql.org/browse/CORE-1603

And Secunia Adv. SA28596

due to CVE-2008-01-28 this vuln is also fixed in 2.0.4 - maintainer please
provide an updated ebuild.

could someone please add "CVE-2008-01-28" to the summary, i dont have the
needed permissions

there is another CVE:
CVE-2008-0467 this one is only fixed in 2.1RC1, maintainers - please advice

(could someone also add that CVE-Name to the summary?)

Need to update to 2.0.4 for this one, 2.1.x is ok
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0387

This needs 2.0.4 and 2.1RC1
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0467

2.0.4 isn't even on the horizon. Same with 1.5.6, but we have no 1.5.x in
tree., So not sure what to say about 2.0.4. I will see about bumping 2.1.x to
2.1RC1 ASAP. Likely later today or tomorrow. But that's a pre-release version
so really is kinda moot. Shouldn't be used in production, won't go stable, etc.

I don't think we should mask Firebird at this time. But really have no way to
address 2.0.3.x short of a backport/patch.

Willaim any news on this one?

The patches are linked within the Firebird bug report (see URL) and they should
apply cleanly to 2.0.3. Please patch.

Commited 2.1.0 rc1, which is not subject to this vulnerability. Removed past
2.1.0 version that was vulnerable. Still have to make patch for 2.0.3, and will
do so ASAP. Couldn't find a unified on from bug link, so will have to fetch
files/patches and create my own unified one.

I admit it's a little hidden. On these overview pages:
http://tracker.firebirdsql.org/browse/CORE-1681?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
http://tracker.firebirdsql.org/browse/CORE-1603?page=com.atlassian.jira.plugin.system.issuetabpanels:cvs-tabpanel

You find every changed file. Either use the CVS revisions to extract a patch,
or click "(+X -Y lines)" and the link named "Patch" at the top. This will give
you one unified diff. Merging those into one patch should work too.

Will get to this before end of my day, sometime in the next 8 hours or so.
Thanks for the pointers on fetching the patches/diffs.

Working on this. Made two patches, the one for CVE-2008-0387 is good to go. The
one for CVE-2008-0467 makes compile fail. So working on that atm. Might commit
the one then the other worse case. Sorry for the delay been busy.

Created an attachment (id=143904) [details]
firebird-2.0.3.12981.0 CVE-2008-0467 patch

Here is the patch for CVE-2008-0467. Need some help with this one. It applies
fine, but makes compile fail :(

make[2]: Entering directory
`/tmp/portage/dev-db/firebird-2.0.3.12981.0-r5/work/Firebird-2.0.3.12981-0/gen'
x86_64-pc-linux-gnu-g++ -O2 -msse -msse2 -msse3 -march=k8 -mtune=k8
-minline-all-stringops -O2 -msse -msse2 -msse3 -march=k8 -mtune=k8
-minline-all-stringops -I../src/include/gen -I../src/include -I../src/vulcan
-DNAMESPACE=Vulcan -ggdb -O3 -fno-omit-frame-pointer -DNDEBUG -DLINUX -DAMD64
-pipe -MMD -fPIC -fmessage-length=0 -DPROD_BUILD -O2 -msse -msse2 -msse3
-march=k8 -mtune=k8 -minline-all-stringops -I../src/include/gen
-I../src/include -I../src/vulcan -DNAMESPACE=Vulcan -ggdb -O3
-fno-omit-frame-pointer -DNDEBUG -DLINUX -DAMD64 -pipe -MMD -fPIC
-fmessage-length=0 -DPROD_BUILD -DSUPERSERVER -pthread -I../src/include/gen
-I../src/include -I../src/vulcan -DNAMESPACE=Vulcan -ggdb -O3
-fno-omit-frame-pointer -DNDEBUG -DLINUX -DAMD64 -pipe -MMD -fPIC
-fmessage-length=0 -DPROD_BUILD -c ../src/remote/inet_server.cpp -o
../temp/superserver/remote/inet_server.o
In file included from ../src/include/../jrd/gdsassert.h:24,
                 from ../src/include/../common/classes/tree.h:34,
                 from ../src/include/../common/classes/alloc.h:45,
                 from ../src/remote/../jrd/../common/classes/fb_string.h:39,
                 from ../src/remote/../jrd/isc_proto.h:28,
                 from ../src/remote/inet_server.cpp:40:
../src/include/../jrd/../jrd/gds_proto.h:37: warning: large integer implicitly
truncated to unsigned type
../src/remote/inet_server.cpp:566: error: 'SignalSafeSemaphore' in namespace
'Firebird' does not name a type
../src/remote/inet_server.cpp: In function 'void* shutdown_thread(void*)':
../src/remote/inet_server.cpp:583: error: 'shutSem' was not declared in this
scope
../src/remote/inet_server.cpp: In function 'void signal_term(int)':
../src/remote/inet_server.cpp:621: error: 'shutSem' was not declared in this
scope
../src/remote/inet_server.cpp: In function 'void shutdown_fini()':
../src/remote/inet_server.cpp:650: error: 'shutSem' was not declared in this
scope
make[2]: *** [../temp/superserver/remote/inet_server.o] Error 1
make[2]: Leaving directory
`/tmp/portage/dev-db/firebird-2.0.3.12981.0-r5/work/Firebird-2.0.3.12981-0/gen'
make[1]: *** [fbserver] Error 2
make[1]: Leaving directory
`/tmp/portage/dev-db/firebird-2.0.3.12981.0-r5/work/Firebird-2.0.3.12981-0/gen'
make: *** [firebird] Error 2

If someone can help out with the patch. And/or inform me of what I did wrong.
Or need to do to fix. Would help out allot. Kinda stuck on this atm. Thanks

Just drop the file in firebird/files and add a line above the other patches in
a 2.0.3 ebuild. Re-digest and emerge. Will allocate some more time to it
tomorrow if no one beats me to it :)

Ok went upstream for help on this. Damyan Ivanov <dmn@debian.org> was kind
enough to provide the patch they are using on Debian. I just tested that it
applied and compiled filed. I just committed it to tree along with patch for
CVE-2008-0387. So we should be good to go now :)

Although the Debian patch is a little smaller than mine. So not sure what's up
with that. (There is a patch for a file for windows or etc in mine, but not
sure that accounts for size diff )

I did also find out from upstream about the compile error

"SignalSafeSemaphore is surely from another fix - it was needed when porting to 
Solaris, Darwin or may be something else that does not support timeouts in 
posix semaphores. Rename it bak to Semaphore and compile error will be gone."

So I might try that with my patch and swap out patches. Maybe going to ask
about the differences with upstream. But either way is address. I guess we can
look to stabilize this one. Or wait a day or so to see if I change out patches.
Just wanted to get a fix in tree sooner than later. Since I was already
slacking on this.

Thx William. Could you clarify which versions are targets for stable?

firebird-2.0.3.12981.0-r5 is patched, also doesn't used hard coded cflags like
-r4. Main differences between that version and current stable.

Haven't had a chance to diff patches yet, but if I do that will be -r6 and will
comment accordingly. Will see about looking into that now.

Thx.

Arches please test and mark stable. Target keywords are:

firebird-2.0.3.12981.0-r5.ebuild:KEYWORDS="amd64 -ia64 x86"

x86 stable

I fixed the multilib issues best I could on the one ebuild, amd64 stable

Fixed in release snapshot.

Request filed.

GLSA 200803-02