Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 208034

Summary: dev-db/firebird: < "username" buffer overflow (CVE-2008-0387,CVE-2008-0467)
Product: Gentoo Security Reporter: Raphael Marichez (Falco) (RETIRED) <falco>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: major CC: wltjr
Priority: High Keywords: InVCS
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B1 [glsa] Falco
Package list:
Runtime testing required: ---
Description Flags
firebird- CVE-2008-0467 patch none

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-01-29 12:51:45 UTC

please see

And Secunia Adv. SA28596
Comment 1 Lars Hartmann 2008-02-06 09:20:09 UTC
due to CVE-2008-01-28 this vuln is also fixed in 2.0.4 - maintainer please provide an updated ebuild.

could someone please add "CVE-2008-01-28" to the summary, i dont have the needed permissions
Comment 2 Lars Hartmann 2008-02-06 09:23:30 UTC
there is another CVE:
CVE-2008-0467 this one is only fixed in 2.1RC1, maintainers - please advice

(could someone also add that CVE-Name to the summary?)
Comment 3 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-02-06 15:51:21 UTC
Need to update to 2.0.4 for this one, 2.1.x is ok

This needs 2.0.4 and 2.1RC1

2.0.4 isn't even on the horizon. Same with 1.5.6, but we have no 1.5.x in tree., So not sure what to say about 2.0.4. I will see about bumping 2.1.x to 2.1RC1 ASAP. Likely later today or tomorrow. But that's a pre-release version so really is kinda moot. Shouldn't be used in production, won't go stable, etc.

I don't think we should mask Firebird at this time. But really have no way to address 2.0.3.x short of a backport/patch.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-10 14:33:43 UTC
Willaim any news on this one?
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-02-11 23:43:04 UTC
The patches are linked within the Firebird bug report (see URL) and they should apply cleanly to 2.0.3. Please patch.
Comment 6 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-02-13 18:59:49 UTC
Commited 2.1.0 rc1, which is not subject to this vulnerability. Removed past 2.1.0 version that was vulnerable. Still have to make patch for 2.0.3, and will do so ASAP. Couldn't find a unified on from bug link, so will have to fetch files/patches and create my own unified one.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-02-13 19:11:50 UTC
I admit it's a little hidden. On these overview pages:

You find every changed file. Either use the CVS revisions to extract a patch, or click "(+X -Y lines)" and the link named "Patch" at the top. This will give you one unified diff. Merging those into one patch should work too.
Comment 8 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-02-13 21:59:31 UTC
Will get to this before end of my day, sometime in the next 8 hours or so. Thanks for the pointers on fetching the patches/diffs.
Comment 9 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-02-18 02:13:56 UTC
Working on this. Made two patches, the one for CVE-2008-0387 is good to go. The one for CVE-2008-0467 makes compile fail. So working on that atm. Might commit the one then the other worse case. Sorry for the delay been busy.
Comment 10 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-02-18 21:50:18 UTC
Created attachment 143904 [details, diff]
firebird- CVE-2008-0467 patch

Here is the patch for CVE-2008-0467. Need some help with this one. It applies fine, but makes compile fail :(

make[2]: Entering directory `/tmp/portage/dev-db/firebird-'
x86_64-pc-linux-gnu-g++ -O2 -msse -msse2 -msse3 -march=k8 -mtune=k8 -minline-all-stringops -O2 -msse -msse2 -msse3 -march=k8 -mtune=k8 -minline-all-stringops -I../src/include/gen -I../src/include -I../src/vulcan -DNAMESPACE=Vulcan -ggdb -O3 -fno-omit-frame-pointer -DNDEBUG -DLINUX -DAMD64 -pipe -MMD -fPIC -fmessage-length=0 -DPROD_BUILD -O2 -msse -msse2 -msse3 -march=k8 -mtune=k8 -minline-all-stringops -I../src/include/gen -I../src/include -I../src/vulcan -DNAMESPACE=Vulcan -ggdb -O3 -fno-omit-frame-pointer -DNDEBUG -DLINUX -DAMD64 -pipe -MMD -fPIC -fmessage-length=0 -DPROD_BUILD -DSUPERSERVER -pthread -I../src/include/gen -I../src/include -I../src/vulcan -DNAMESPACE=Vulcan -ggdb -O3 -fno-omit-frame-pointer -DNDEBUG -DLINUX -DAMD64 -pipe -MMD -fPIC -fmessage-length=0 -DPROD_BUILD -c ../src/remote/inet_server.cpp -o ../temp/superserver/remote/inet_server.o
In file included from ../src/include/../jrd/gdsassert.h:24,
                 from ../src/include/../common/classes/tree.h:34,
                 from ../src/include/../common/classes/alloc.h:45,
                 from ../src/remote/../jrd/../common/classes/fb_string.h:39,
                 from ../src/remote/../jrd/isc_proto.h:28,
                 from ../src/remote/inet_server.cpp:40:
../src/include/../jrd/../jrd/gds_proto.h:37: warning: large integer implicitly truncated to unsigned type
../src/remote/inet_server.cpp:566: error: 'SignalSafeSemaphore' in namespace 'Firebird' does not name a type
../src/remote/inet_server.cpp: In function 'void* shutdown_thread(void*)':
../src/remote/inet_server.cpp:583: error: 'shutSem' was not declared in this scope
../src/remote/inet_server.cpp: In function 'void signal_term(int)':
../src/remote/inet_server.cpp:621: error: 'shutSem' was not declared in this scope
../src/remote/inet_server.cpp: In function 'void shutdown_fini()':
../src/remote/inet_server.cpp:650: error: 'shutSem' was not declared in this scope
make[2]: *** [../temp/superserver/remote/inet_server.o] Error 1
make[2]: Leaving directory `/tmp/portage/dev-db/firebird-'
make[1]: *** [fbserver] Error 2
make[1]: Leaving directory `/tmp/portage/dev-db/firebird-'
make: *** [firebird] Error 2

If someone can help out with the patch. And/or inform me of what I did wrong. Or need to do to fix. Would help out allot. Kinda stuck on this atm. Thanks

Just drop the file in firebird/files and add a line above the other patches in a 2.0.3 ebuild. Re-digest and emerge. Will allocate some more time to it tomorrow if no one beats me to it :)
Comment 11 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-02-19 16:15:39 UTC
Ok went upstream for help on this. Damyan Ivanov <> was kind enough to provide the patch they are using on Debian. I just tested that it applied and compiled filed. I just committed it to tree along with patch for CVE-2008-0387. So we should be good to go now :)

Although the Debian patch is a little smaller than mine. So not sure what's up with that. (There is a patch for a file for windows or etc in mine, but not sure that accounts for size diff )

I did also find out from upstream about the compile error

"SignalSafeSemaphore is surely from another fix - it was needed when porting to 
Solaris, Darwin or may be something else that does not support timeouts in 
posix semaphores. Rename it bak to Semaphore and compile error will be gone."

So I might try that with my patch and swap out patches. Maybe going to ask about the differences with upstream. But either way is address. I guess we can look to stabilize this one. Or wait a day or so to see if I change out patches. Just wanted to get a fix in tree sooner than later. Since I was already slacking on this.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-20 08:34:41 UTC
Thx William. Could you clarify which versions are targets for stable?
Comment 13 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-02-20 19:46:18 UTC
firebird- is patched, also doesn't used hard coded cflags like -r4. Main differences between that version and current stable.

Haven't had a chance to diff patches yet, but if I do that will be -r6 and will comment accordingly. Will see about looking into that now.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-21 07:38:10 UTC

Arches please test and mark stable. Target keywords are:

firebird-"amd64 -ia64 x86"
Comment 15 Christian Faulhammer (RETIRED) gentoo-dev 2008-02-21 08:21:18 UTC
x86 stable
Comment 16 Steve Dibb (RETIRED) gentoo-dev 2008-02-25 15:49:50 UTC
I fixed the multilib issues best I could on the one ebuild, amd64 stable
Comment 17 Peter Volkov (RETIRED) gentoo-dev 2008-02-25 17:52:04 UTC
Fixed in release snapshot.
Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-25 20:05:43 UTC
Request filed.
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2008-03-03 00:11:30 UTC
GLSA 200803-02