|Summary:||dev-db/firebird: < 2.0.3.12981.0-r5 "username" buffer overflow (CVE-2008-0387, CVE-2008-0467)|
|Product:||Gentoo Security||Reporter:||Raphael Marichez (Falco) (RETIRED) <falco>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Whiteboard:||B1 [glsa] Falco|
|Package list:||Runtime testing required:||---|
Description Raphael Marichez (Falco) (RETIRED) 2008-01-29 12:51:45 UTC
Hi, please see http://tracker.firebirdsql.org/browse/CORE-1603 And Secunia Adv. SA28596
Comment 1 Lars Hartmann 2008-02-06 09:20:09 UTC
Due to CVE-2008-01-28 this vuln is also fixed in 2.0.4 - maintainer, please provide an updated ebuild. Could someone please add "CVE-2008-01-28" to the summary? I don't have the needed permissions.
Comment 2 Lars Hartmann 2008-02-06 09:23:30 UTC
There is another CVE: CVE-2008-0467. This one is only fixed in 2.1RC1, maintainers - please advise (could someone also add that CVE name to the summary?).
Comment 3 William L. Thomson Jr. (RETIRED) 2008-02-06 15:51:21 UTC
Need to update to 2.0.4 for this one; 2.1.x is ok: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0387 This one needs 2.0.4 and 2.1RC1: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0467 2.0.4 isn't even on the horizon. Same with 1.5.6, but we have no 1.5.x in tree. So not sure what to say about 2.0.4. I will see about bumping 2.1.x to 2.1RC1 ASAP, likely later today or tomorrow. But that's a pre-release version, so really it is kinda moot: shouldn't be used in production, won't go stable, etc. I don't think we should mask Firebird at this time. But we really have no way to address 2.0.3.x short of a backport/patch.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) 2008-02-10 14:33:43 UTC
William, any news on this one?
Comment 5 Robert Buchholz (RETIRED) 2008-02-11 23:43:04 UTC
The patches are linked within the Firebird bug report (see URL) and they should apply cleanly to 2.0.3. Please patch.
Comment 6 William L. Thomson Jr. (RETIRED) 2008-02-13 18:59:49 UTC
Committed 2.1.0 rc1, which is not subject to this vulnerability. Removed the past 2.1.0 version that was vulnerable. Still have to make a patch for 2.0.3, and will do so ASAP. Couldn't find a unified one from the bug link, so will have to fetch files/patches and create my own unified one.
Comment 7 Robert Buchholz (RETIRED) 2008-02-13 19:11:50 UTC
I admit it's a little hidden. On these overview pages: http://tracker.firebirdsql.org/browse/CORE-1681?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel http://tracker.firebirdsql.org/browse/CORE-1603?page=com.atlassian.jira.plugin.system.issuetabpanels:cvs-tabpanel You find every changed file. Either use the CVS revisions to extract a patch, or click "(+X -Y lines)" and the link named "Patch" at the top. This will give you one unified diff. Merging those into one patch should work too.
Comment 8 William L. Thomson Jr. (RETIRED) 2008-02-13 21:59:31 UTC
Will get to this before end of my day, sometime in the next 8 hours or so. Thanks for the pointers on fetching the patches/diffs.
Comment 9 William L. Thomson Jr. (RETIRED) 2008-02-18 02:13:56 UTC
Working on this. Made two patches; the one for CVE-2008-0387 is good to go. The one for CVE-2008-0467 makes the compile fail, so working on that atm. Might commit the one and then the other, worst case. Sorry for the delay, been busy.
Comment 10 William L. Thomson Jr. (RETIRED) 2008-02-18 21:50:18 UTC
Created attachment 143904 [details, diff] firebird-2.0.3.12981.0 CVE-2008-0467 patch

Here is the patch for CVE-2008-0467. Need some help with this one. It applies fine, but makes the compile fail :(

make: Entering directory `/tmp/portage/dev-db/firebird-2.0.3.12981.0-r5/work/Firebird-2.0.3.12981-0/gen'
x86_64-pc-linux-gnu-g++ -O2 -msse -msse2 -msse3 -march=k8 -mtune=k8 -minline-all-stringops -O2 -msse -msse2 -msse3 -march=k8 -mtune=k8 -minline-all-stringops -I../src/include/gen -I../src/include -I../src/vulcan -DNAMESPACE=Vulcan -ggdb -O3 -fno-omit-frame-pointer -DNDEBUG -DLINUX -DAMD64 -pipe -MMD -fPIC -fmessage-length=0 -DPROD_BUILD -O2 -msse -msse2 -msse3 -march=k8 -mtune=k8 -minline-all-stringops -I../src/include/gen -I../src/include -I../src/vulcan -DNAMESPACE=Vulcan -ggdb -O3 -fno-omit-frame-pointer -DNDEBUG -DLINUX -DAMD64 -pipe -MMD -fPIC -fmessage-length=0 -DPROD_BUILD -DSUPERSERVER -pthread -I../src/include/gen -I../src/include -I../src/vulcan -DNAMESPACE=Vulcan -ggdb -O3 -fno-omit-frame-pointer -DNDEBUG -DLINUX -DAMD64 -pipe -MMD -fPIC -fmessage-length=0 -DPROD_BUILD -c ../src/remote/inet_server.cpp -o ../temp/superserver/remote/inet_server.o
In file included from ../src/include/../jrd/gdsassert.h:24,
                 from ../src/include/../common/classes/tree.h:34,
                 from ../src/include/../common/classes/alloc.h:45,
                 from ../src/remote/../jrd/../common/classes/fb_string.h:39,
                 from ../src/remote/../jrd/isc_proto.h:28,
                 from ../src/remote/inet_server.cpp:40:
../src/include/../jrd/../jrd/gds_proto.h:37: warning: large integer implicitly truncated to unsigned type
../src/remote/inet_server.cpp:566: error: 'SignalSafeSemaphore' in namespace 'Firebird' does not name a type
../src/remote/inet_server.cpp: In function 'void* shutdown_thread(void*)':
../src/remote/inet_server.cpp:583: error: 'shutSem' was not declared in this scope
../src/remote/inet_server.cpp: In function 'void signal_term(int)':
../src/remote/inet_server.cpp:621: error: 'shutSem' was not declared in this scope
../src/remote/inet_server.cpp: In function 'void shutdown_fini()':
../src/remote/inet_server.cpp:650: error: 'shutSem' was not declared in this scope
make: *** [../temp/superserver/remote/inet_server.o] Error 1
make: Leaving directory `/tmp/portage/dev-db/firebird-2.0.3.12981.0-r5/work/Firebird-2.0.3.12981-0/gen'
make: *** [fbserver] Error 2
make: Leaving directory `/tmp/portage/dev-db/firebird-2.0.3.12981.0-r5/work/Firebird-2.0.3.12981-0/gen'
make: *** [firebird] Error 2

If someone can help out with the patch, and/or inform me of what I did wrong or need to do to fix it, it would help out a lot. Kinda stuck on this atm. Thanks.

Just drop the file in firebird/files and add a line above the other patches in a 2.0.3 ebuild. Re-digest and emerge. Will allocate some more time to it tomorrow if no one beats me to it :)
Comment 11 William L. Thomson Jr. (RETIRED) 2008-02-19 16:15:39 UTC
Ok, went upstream for help on this. Damyan Ivanov <firstname.lastname@example.org> was kind enough to provide the patch they are using on Debian. I tested that it applied and compiled fine. I just committed it to the tree along with the patch for CVE-2008-0387, so we should be good to go now :) Although the Debian patch is a little smaller than mine, so not sure what's up with that. (There is a patch for a file for Windows or similar in mine, but not sure that accounts for the size difference.) I did also find out from upstream about the compile error: "SignalSafeSemaphore is surely from another fix - it was needed when porting to Solaris, Darwin or may be something else that does not support timeouts in posix semaphores. Rename it back to Semaphore and compile error will be gone." So I might try that with my patch and swap out patches. Maybe going to ask upstream about the differences. But either way it is addressed. I guess we can look to stabilize this one, or wait a day or so to see if I change out patches. Just wanted to get a fix in tree sooner rather than later, since I was already slacking on this.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) 2008-02-20 08:34:41 UTC
Thx William. Could you clarify which versions are targets for stable?
Comment 13 William L. Thomson Jr. (RETIRED) 2008-02-20 19:46:18 UTC
firebird-2.0.3.12981.0-r5 is patched, and also doesn't use hard-coded CFLAGS like -r4. Those are the main differences between that version and current stable. Haven't had a chance to diff the patches yet, but if I do, that will be -r6 and I will comment accordingly. Will see about looking into that now.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) 2008-02-21 07:38:10 UTC
Thx. Arches please test and mark stable. Target keywords are: firebird-2.0.3.12981.0-r5.ebuild:KEYWORDS="amd64 -ia64 x86"
Comment 15 Christian Faulhammer (RETIRED) 2008-02-21 08:21:18 UTC
Comment 16 Steve Dibb (RETIRED) 2008-02-25 15:49:50 UTC
I fixed the multilib issues best I could on the one ebuild, amd64 stable
Comment 17 Peter Volkov (RETIRED) 2008-02-25 17:52:04 UTC
Fixed in release snapshot.
Comment 18 Sune Kloppenborg Jeppesen (RETIRED) 2008-02-25 20:05:43 UTC
Comment 19 Robert Buchholz (RETIRED) 2008-03-03 00:11:30 UTC
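The thread above tracks the fix for a "username" buffer overflow but never shows the bug class itself. The following is an added illustration, not Firebird's code and not either of the patches discussed: it models a length-prefixed username field (a constructed wire format, assumed for the example) parsed into a fixed 32-byte buffer, first trusting the peer's length byte and then with the bounds check a hardened parser needs. The buffer sits in a union with a larger byte array so the overrun lands on defined memory and clobbers a canary instead of crashing; the struct layout, sizes and field names are assumptions for the demonstration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 32          /* assumed fixed-size field; not Firebird's real layout */
#define CANARY 0xDEADBEEFu

struct conn_ctx {
    char     user[USERNAME_MAX];
    uint32_t canary;             /* stands in for whatever sits after the buffer in memory */
};

union arena {                    /* gives the overrun defined memory to land on */
    struct conn_ctx ctx;
    uint8_t raw[256 + USERNAME_MAX + 16];
};

typedef int (*parse_fn)(union arena *, const uint8_t *, size_t);

/* Constructed wire format: one length byte, then that many username bytes. */

/* Vulnerable pattern: the short-packet check is there, the buffer-size check is not. */
int parse_user_unchecked(union arena *a, const uint8_t *msg, size_t msg_len) {
    if (msg_len < 1) return -1;
    size_t len = msg[0];
    if (msg_len < 1 + len) return -1;
    /* Copies up to 255 bytes into a 32-byte field; overruns user[] into what follows. */
    memcpy(a->raw + offsetof(struct conn_ctx, user), msg + 1, len);
    a->raw[offsetof(struct conn_ctx, user) + len] = 0;
    return (int)len;
}

/* Hardened pattern: refuse any name that does not fit with its terminator. */
int parse_user_checked(union arena *a, const uint8_t *msg, size_t msg_len) {
    if (msg_len < 1) return -1;
    size_t len = msg[0];
    if (msg_len < 1 + len) return -1;
    if (len >= USERNAME_MAX) return -2;  /* too long: reject the connect attempt */
    memcpy(a->ctx.user, msg + 1, len);
    a->ctx.user[len] = 0;
    return (int)len;
}

/* Builds a constructed connect message whose username is n bytes of 'A'. */
size_t build_msg(uint8_t *out, size_t out_len, size_t n) {
    if (n > 255 || out_len < 1 + n) return 0;
    out[0] = (uint8_t)n;
    memset(out + 1, 'A', n);
    return 1 + n;
}

/* Runs one parser on an n-byte username; returns its result, reports canary state. */
static int run_parse(parse_fn parse, size_t n, int *canary_ok) {
    union arena a;
    uint8_t msg[300];
    memset(&a, 0, sizeof a);
    a.ctx.canary = CANARY;
    size_t m = build_msg(msg, sizeof msg, n);
    int rc = parse(&a, msg, m);
    *canary_ok = (a.ctx.canary == CANARY);
    return rc;
}

int parse_result(parse_fn parse, size_t n) { int ok; return run_parse(parse, n, &ok); }
int canary_intact_after(parse_fn parse, size_t n) { int ok; run_parse(parse, n, &ok); return ok; }

int main(void) {
    printf("unchecked,   8-byte name: canary %s\n", canary_intact_after(parse_user_unchecked, 8) ? "intact" : "clobbered");
    printf("unchecked, 200-byte name: canary %s\n", canary_intact_after(parse_user_unchecked, 200) ? "intact" : "clobbered");
    printf("checked,   200-byte name: rc=%d, canary %s\n", parse_result(parse_user_checked, 200),
           canary_intact_after(parse_user_checked, 200) ? "intact" : "clobbered");
    return 0;
}
```

The point of the check is that the length comes from the network, so the bound must be the local buffer size, not the value the peer claims; rejecting the request (rather than silently truncating) also keeps the server from authenticating a name other than the one sent.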