Summary: | dev-db/firebird: < 2.0.3.12981.0-r5 "username" buffer overflow (CVE-2008-0387,CVE-2008-0467) | ||||||
---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Raphael Marichez (Falco) (RETIRED) <falco> | ||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | major | CC: | wltjr | ||||
Priority: | High | Keywords: | InVCS | ||||
Version: | unspecified | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
URL: | http://tracker.firebirdsql.org/browse/CORE-1603 | ||||||
Whiteboard: | B1 [glsa] Falco | ||||||
Package list: | Runtime testing required: | --- | |||||
Attachments: |
|
Description
Raphael Marichez (Falco) (RETIRED)
2008-01-29 12:51:45 UTC
due to CVE-2008-01-28 this vuln is also fixed in 2.0.4 - maintainer please provide an updated ebuild. could someone please add "CVE-2008-01-28" to the summary, i dont have the needed permissions there is another CVE: CVE-2008-0467 this one is only fixed in 2.1RC1, maintainers - please advice (could someone also add that CVE-Name to the summary?) Need to update to 2.0.4 for this one, 2.1.x is ok http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0387 This needs 2.0.4 and 2.1RC1 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0467 2.0.4 isn't even on the horizon. Same with 1.5.6, but we have no 1.5.x in tree., So not sure what to say about 2.0.4. I will see about bumping 2.1.x to 2.1RC1 ASAP. Likely later today or tomorrow. But that's a pre-release version so really is kinda moot. Shouldn't be used in production, won't go stable, etc. I don't think we should mask Firebird at this time. But really have no way to address 2.0.3.x short of a backport/patch. Willaim any news on this one? The patches are linked within the Firebird bug report (see URL) and they should apply cleanly to 2.0.3. Please patch. Commited 2.1.0 rc1, which is not subject to this vulnerability. Removed past 2.1.0 version that was vulnerable. Still have to make patch for 2.0.3, and will do so ASAP. Couldn't find a unified on from bug link, so will have to fetch files/patches and create my own unified one. I admit it's a little hidden. On these overview pages: http://tracker.firebirdsql.org/browse/CORE-1681?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel http://tracker.firebirdsql.org/browse/CORE-1603?page=com.atlassian.jira.plugin.system.issuetabpanels:cvs-tabpanel You find every changed file. Either use the CVS revisions to extract a patch, or click "(+X -Y lines)" and the link named "Patch" at the top. This will give you one unified diff. Merging those into one patch should work too. Will get to this before end of my day, sometime in the next 8 hours or so. Thanks for the pointers on fetching the patches/diffs. Working on this. Made two patches, the one for CVE-2008-0387 is good to go. The one for CVE-2008-0467 makes compile fail. So working on that atm. Might commit the one then the other worse case. Sorry for the delay been busy. Created attachment 143904 [details, diff]
firebird-2.0.3.12981.0 CVE-2008-0467 patch
Here is the patch for CVE-2008-0467. Need some help with this one. It applies fine, but makes compile fail :(
make[2]: Entering directory `/tmp/portage/dev-db/firebird-2.0.3.12981.0-r5/work/Firebird-2.0.3.12981-0/gen'
x86_64-pc-linux-gnu-g++ -O2 -msse -msse2 -msse3 -march=k8 -mtune=k8 -minline-all-stringops -O2 -msse -msse2 -msse3 -march=k8 -mtune=k8 -minline-all-stringops -I../src/include/gen -I../src/include -I../src/vulcan -DNAMESPACE=Vulcan -ggdb -O3 -fno-omit-frame-pointer -DNDEBUG -DLINUX -DAMD64 -pipe -MMD -fPIC -fmessage-length=0 -DPROD_BUILD -O2 -msse -msse2 -msse3 -march=k8 -mtune=k8 -minline-all-stringops -I../src/include/gen -I../src/include -I../src/vulcan -DNAMESPACE=Vulcan -ggdb -O3 -fno-omit-frame-pointer -DNDEBUG -DLINUX -DAMD64 -pipe -MMD -fPIC -fmessage-length=0 -DPROD_BUILD -DSUPERSERVER -pthread -I../src/include/gen -I../src/include -I../src/vulcan -DNAMESPACE=Vulcan -ggdb -O3 -fno-omit-frame-pointer -DNDEBUG -DLINUX -DAMD64 -pipe -MMD -fPIC -fmessage-length=0 -DPROD_BUILD -c ../src/remote/inet_server.cpp -o ../temp/superserver/remote/inet_server.o
In file included from ../src/include/../jrd/gdsassert.h:24,
from ../src/include/../common/classes/tree.h:34,
from ../src/include/../common/classes/alloc.h:45,
from ../src/remote/../jrd/../common/classes/fb_string.h:39,
from ../src/remote/../jrd/isc_proto.h:28,
from ../src/remote/inet_server.cpp:40:
../src/include/../jrd/../jrd/gds_proto.h:37: warning: large integer implicitly truncated to unsigned type
../src/remote/inet_server.cpp:566: error: 'SignalSafeSemaphore' in namespace 'Firebird' does not name a type
../src/remote/inet_server.cpp: In function 'void* shutdown_thread(void*)':
../src/remote/inet_server.cpp:583: error: 'shutSem' was not declared in this scope
../src/remote/inet_server.cpp: In function 'void signal_term(int)':
../src/remote/inet_server.cpp:621: error: 'shutSem' was not declared in this scope
../src/remote/inet_server.cpp: In function 'void shutdown_fini()':
../src/remote/inet_server.cpp:650: error: 'shutSem' was not declared in this scope
make[2]: *** [../temp/superserver/remote/inet_server.o] Error 1
make[2]: Leaving directory `/tmp/portage/dev-db/firebird-2.0.3.12981.0-r5/work/Firebird-2.0.3.12981-0/gen'
make[1]: *** [fbserver] Error 2
make[1]: Leaving directory `/tmp/portage/dev-db/firebird-2.0.3.12981.0-r5/work/Firebird-2.0.3.12981-0/gen'
make: *** [firebird] Error 2
If someone can help out with the patch. And/or inform me of what I did wrong. Or need to do to fix. Would help out allot. Kinda stuck on this atm. Thanks
Just drop the file in firebird/files and add a line above the other patches in a 2.0.3 ebuild. Re-digest and emerge. Will allocate some more time to it tomorrow if no one beats me to it :)
Ok went upstream for help on this. Damyan Ivanov <dmn@debian.org> was kind enough to provide the patch they are using on Debian. I just tested that it applied and compiled filed. I just committed it to tree along with patch for CVE-2008-0387. So we should be good to go now :) Although the Debian patch is a little smaller than mine. So not sure what's up with that. (There is a patch for a file for windows or etc in mine, but not sure that accounts for size diff ) I did also find out from upstream about the compile error "SignalSafeSemaphore is surely from another fix - it was needed when porting to Solaris, Darwin or may be something else that does not support timeouts in posix semaphores. Rename it bak to Semaphore and compile error will be gone." So I might try that with my patch and swap out patches. Maybe going to ask about the differences with upstream. But either way is address. I guess we can look to stabilize this one. Or wait a day or so to see if I change out patches. Just wanted to get a fix in tree sooner than later. Since I was already slacking on this. Thx William. Could you clarify which versions are targets for stable? firebird-2.0.3.12981.0-r5 is patched, also doesn't used hard coded cflags like -r4. Main differences between that version and current stable. Haven't had a chance to diff patches yet, but if I do that will be -r6 and will comment accordingly. Will see about looking into that now. Thx. Arches please test and mark stable. Target keywords are: firebird-2.0.3.12981.0-r5.ebuild:KEYWORDS="amd64 -ia64 x86" x86 stable I fixed the multilib issues best I could on the one ebuild, amd64 stable Fixed in release snapshot. Request filed. GLSA 200803-02 |