Bug 181811 - dev-db/firebird < 2.0.1 request handling buffer overflow (CVE-2007-3181)
Summary: dev-db/firebird < 2.0.1 request handling buffer overflow (CVE-2007-3181)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://secunia.com/advisories/25601/
Whiteboard: B1 [glsa] p-y
Keywords:
Depends on: 168077
Blocks:
Reported: 2007-06-12 18:42 UTC by Pierre-Yves Rofes (RETIRED)
Modified: 2007-07-01 22:04 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
firebird-2.0.1 build log (build.log, 328.65 KB, text/plain)
2007-06-23 18:58 UTC, Christoph Mende (RETIRED)

Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-12 18:42:11 UTC
Cody Pierce has reported a vulnerability in Firebird, which can be
exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an error within the handling of
"connect" requests (0x1) with a large "p_cnct_count" value. This can
be exploited to cause a buffer overflow by sending a specially
crafted connect request to a vulnerable server (default port
3050/TCP).

The vulnerability is reported in Firebird 2. Other versions may also
be affected.

SOLUTION:
Update to version 2.0.1.
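The advisory above describes a count field in the connect request driving a copy into a fixed-size buffer. As an added illustration (constructed model, not Firebird's code and not part of the original bug), the C block below parses such a request with the missing bounds checks in place; the opcode value comes from the advisory, while field layout, byte order, entry size and table capacity are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed model of the CVE-2007-3181 bug class: a connect request's
 * (opcode 0x1) count field decides how many entries are copied into a fixed
 * table. Layout, byte order, entry size and capacity are assumed, not Firebird's. */
#define OP_CONNECT   0x1
#define MAX_VERSIONS 8   /* capacity of the fixed table (assumed) */
#define ENTRY_SIZE   8   /* two 32-bit words per entry (assumed) */
#define HDR_SIZE     8   /* opcode + count */
struct version_entry { uint32_t version, arch; };
struct connect_req {
    uint32_t count;                              /* p_cnct_count */
    struct version_entry versions[MAX_VERSIONS]; /* fixed table */
};
static uint32_t rd32(const uint8_t *p) {         /* big-endian, XDR style */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
/* Hardened parser: 0 on success, -1 otherwise. The vulnerable form lacks the
 * two checks on `count`, so a large p_cnct_count copies past `versions`. */
int parse_connect(struct connect_req *out, const uint8_t *buf, size_t len) {
    if (len < HDR_SIZE || rd32(buf) != OP_CONNECT) return -1;
    uint32_t count = rd32(buf + 4);
    if (count > MAX_VERSIONS) return -1;                  /* table capacity */
    if ((len - HDR_SIZE) / ENTRY_SIZE < count) return -1; /* bytes present */
    out->count = count;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = buf + HDR_SIZE + (size_t)i * ENTRY_SIZE;
        out->versions[i].version = rd32(e);
        out->versions[i].arch = rd32(e + 4);
    }
    return 0;
}
/* Builds a constructed request that claims `claimed` entries but carries
 * `present` of them; returns bytes written, or 0 if `cap` is too small. */
size_t build_connect(uint8_t *buf, size_t cap, uint32_t claimed, uint32_t present) {
    size_t need = HDR_SIZE + (size_t)present * ENTRY_SIZE;
    if (need > cap) return 0;
    wr32(buf, OP_CONNECT);
    wr32(buf + 4, claimed);
    for (uint32_t i = 0; i < present; i++) {
        uint8_t *e = buf + HDR_SIZE + (size_t)i * ENTRY_SIZE;
        wr32(e, 10 + i); wr32(e + 4, 1);                  /* version, arch */
    }
    return need;
}
uint8_t wire[128]; struct connect_req req;                /* scratch for checks */
```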
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-12 18:44:32 UTC
setting status and cc'ing maintainers. I see that there is a 2.0.1 in the tree, is it ok for going stable?
Comment 2 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-06-12 19:11:07 UTC
I have not switched to 2.0.1 on my production systems yet. Mainly due to a character set issue. Another user helped out with that, and I committed the changes last night. Really just needs testing.

That and I need to modify the pkg_config or etc stuff to deal with backing up and restoring the security.gdb -> security2.gdb. Which the meta has to be updated modified first. A sql script is provided. I just need to modify that to call it before it backs up and restores. Or in that process.

Beyond that, testing, barring any bugs should be good to go for stabilization.
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2007-06-13 19:06:56 UTC
William, I'm not sure whether that was a yes or no :) 
Are these changes essential for successful user upgrades or should we just go ahead and test the current version? The issue looks pretty serious.
Comment 4 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-06-13 19:17:04 UTC
If you want a clear yes or no, it would likely be no for now. One way around that is to get rid of pkg_config, and leave backing/restoring/migrating the security.fdb -> security2.fdb entirely to the user.

So it's kinda up to personal preference as to what is essential for a user. However upstream pushes everyone toward 2.0.x anyway. I myself have no problems with going ahead, testing and stabilizing 2.0.x.

I believe there could be a problem with the user created log file symlink or etc. That is also done in pkg_config, in past ebuilds. In 2.0.1 I moved that to src_install so firebird can start upon install out of the box. Just need to remove that from 2.0.1's pkg_config.

Other than those two things, which depending on the person can be moot or major. We should be good to go for stabilizing and testing.

So with that, let's go ahead and look to test and stabilize per the security issue. I will address what ever I need to during that process. If and when those issues or others surface.

Began with a NO, ending with a YES. Confused yet :)
Comment 5 Sune Kloppenborg Jeppesen gentoo-dev 2007-06-13 19:20:47 UTC
YES. Please make sure that there are proper upgrade instructions/warnings :)

Arches please test and mark firebird-2.0.1.12855.0-r3 stable.

Comment 6 Markus Meier gentoo-dev 2007-06-13 21:14:23 UTC
dev-db/firebird-2.0.1.12855.0-r3  USE="doc examples -debug -xinetd"
1. emerges on x86, I am not sure if this is a problem:
>>> Install firebird-2.0.1.12855.0-r3 into /var/tmp/portage/dev-db/firebird-2.0.1.12855.0-r3/image/ category dev-db
install: omitting directory `examples/api'
bzip2: Can't open input file /var/tmp/portage/dev-db/firebird-2.0.1.12855.0-r3/image/usr/share/doc/firebird-2.0.1.12855.0-r3/examples/api: No such file or directory.
...

2. passes collision test
3. dev-db/flamerobin-0.7.6 emerges with it
4. seems to work


Portage 2.1.2.7 (default-linux/x86/2007.0/desktop, gcc-4.1.2, glibc-2.5-r3, 2.6.20.14 i686)
=================================================================
System uname: 2.6.20.14 i686 Genuine Intel(R) CPU T2300 @ 1.66GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Wed, 13 Jun 2007 19:30:01 +0000
dev-java/java-config: 1.3.7, 2.0.32
dev-lang/python:     2.3.5-r3, 2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa apache2 asf avahi berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dri dts dvd dvdr dvdread eds emboss encode evo fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog java jpeg kde kdeenablefinal kerberos ldap libg++ mad midi mikmod mmx mono mp3 mpeg mudflap ncurses nls nptl nptlonly ogg opengl openmp oss pam pcre pdf perl png pppd python qt3 qt3support qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads tiff truetype truetype-fonts type1-fonts unicode vcd vorbis wifi win32codecs wxwindows x264 x86 xine xml xorg xprint xv xvid zlib" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en de en_GB de_CH" USERLAND="GNU" VIDEO_CARDS="i810 fbdev vesa"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 7 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-06-14 04:31:32 UTC
I am losing my mind. I forgot to commit a fix for character sets the other day. Please test and stabilize -r4. I do have one other change I need to make to pkg_config, wrt to security.fdb -> security2.fdb. Will try to address that tomorrow/today. It's getting a bit late now.
Comment 8 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-06-14 04:45:02 UTC
There is some minor QT stuff that needs addressing before we stabilize. That will cause stable packages to break. Not sure if those QT packages will need to go stable. If we have a fix in ~arch that's good enough for now, and QT can be stabilized on its own time frame. Up to you all there. Added bug as a dependency of this one. It will cause qt to fail when firebird use flag is set on 64bit systems. But that can also be addressed with a use flag mask or etc in lieu of a rush qt stabilization.
Comment 9 Ferris McCormick (RETIRED) gentoo-dev 2007-06-14 12:59:12 UTC
No for sparc:  After adding the required libedit package, the firebird build fails with a bus error, thus.
==========================================
make[3]: Leaving directory `/var/tmp/portage/dev-db/firebird-2.0.1.12855.0-r4/work/Firebird-2.0.1.12855-0/gen'
make -f ../gen/Makefile.refDatabases empty_db
make[3]: Entering directory `/var/tmp/portage/dev-db/firebird-2.0.1.12855.0-r4/work/Firebird-2.0.1.12855-0/gen'
make -f ../gen/Makefile.embed.util ../gen/firebird/bin/create_db
make[4]: Entering directory `/var/tmp/portage/dev-db/firebird-2.0.1.12855.0-r4/work/Firebird-2.0.1.12855-0/gen'
make[4]: `../gen/firebird/bin/create_db' is up to date.
make[4]: Leaving directory `/var/tmp/portage/dev-db/firebird-2.0.1.12855.0-r4/work/Firebird-2.0.1.12855-0/gen'
rm -f empty.fdb
../gen/firebird/bin/create_db empty.fdb
make[3]: *** [empty.fdb] Bus error
make[3]: *** Deleting file `empty.fdb'
make[3]: Leaving directory `/var/tmp/portage/dev-db/firebird-2.0.1.12855.0-r4/work/Firebird-2.0.1.12855-0/gen'
make[2]: *** [empty_db] Error 2
make[2]: Leaving directory `/var/tmp/portage/dev-db/firebird-2.0.1.12855.0-r4/work/Firebird-2.0.1.12855-0/gen'
make[1]: *** [../gen/firebird/security2.fdb] Error 2
make[1]: Leaving directory `/var/tmp/portage/dev-db/firebird-2.0.1.12855.0-r4/work/Firebird-2.0.1.12855-0/gen'
make: *** [firebird] Error 2
===================================
On sparc, this means create_db tried to use a misaligned pointer.  Typically, this is because of an impermissible widening of a (char*) to something else.

I'm removing sparc from the CC and adding myself.  Ask again when the pointer reference is fixed.
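As an added illustration of the misaligned-pointer failure described in the comment above (constructed code, not create_db's), this C block contrasts the cast pattern that faults on strict-alignment targets with a memcpy-based read, and checks alignment before taking the direct-load path; the record layout is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added illustration: on strict-alignment targets such as SPARC, loading a
 * 32-bit word through a pointer that is not 4-byte aligned raises SIGBUS.
 * Constructed example, not Firebird's create_db code. */

/* Nonzero when `p` meets the alignment requirement `align`. */
int is_aligned(const void *p, size_t align) {
    return ((uintptr_t)p % align) == 0;
}
/* Pattern to avoid: widening unsigned char* to uint32_t*. Undefined
 * behaviour when unaligned; a bus error on SPARC, silently "works" on x86. */
uint32_t read_u32_cast(const unsigned char *p) {
    return *(const uint32_t *)p;
}
/* Portable fix: memcpy lets the compiler emit byte loads where needed. */
uint32_t read_u32_memcpy(const unsigned char *p) {
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return v;
}
/* Constructed record: a 1-byte tag followed directly by a 4-byte field, so
 * the field lives at offset 1 of a 4-byte-aligned buffer, i.e. misaligned. */
_Alignas(4) unsigned char record[8];
void build_record(uint32_t field) {
    record[0] = 0x01;
    memcpy(record + 1, &field, sizeof field);   /* native byte order */
}
/* Reads the field safely: direct load only when the pointer is aligned. */
uint32_t read_record_field(void) {
    const unsigned char *p = record + 1;
    return is_aligned(p, _Alignof(uint32_t)) ? read_u32_cast(p) : read_u32_memcpy(p);
}
```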
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2007-06-14 13:00:33 UTC
Might I add that firebird is generally USE.masked...
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2007-06-14 15:25:43 UTC
Back to ebuild to get a fix for sparc. Otherwise we'll have to mask it on sparc.
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-20 17:56:40 UTC
What do we do? It's quite a serious issue... should we mask it on sparc? sparc/maintainers please advise.
Comment 13 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-06-20 18:22:31 UTC
I lack C/C++ skills to help or resolve myself. Not to mention no access to said arch. So not much I can do.
Comment 14 Gustavo Zacarias (RETIRED) gentoo-dev 2007-06-20 18:24:52 UTC
It's already USE.masked mainstream it seems, so just dropping keywords from the package should suffice (double-check to avoid broken deps though).
Comment 15 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-06-20 18:30:52 UTC
Ok will do. Tied up with other things atm, but will do it before I pass out sometime later tonight, EDT :)
Comment 16 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-06-21 05:42:54 UTC
Ok I have dropped firebird 1.5.x down to -sparc. So we should be good to go now to stabilize firebird on amd64 and x86.

There are still some Debian patches I would like to introduce. And some other refinements. I would likely consider all that enhancements. But we will find out as we stabilize. I am sure if there are problems users or testers will let us know. I will respond to any bugs that come up after stabilization ASAP.

Still need to make a change in pkg_config wrt to backing up/restoring security.fdb -> security2.fdb.  Rest of pkg_config should be fine. Although I am pretty sure no one is using that. Since aspects have been broken or outdated for some time. 
Comment 17 Sune Kloppenborg Jeppesen gentoo-dev 2007-06-23 18:02:39 UTC
amd64 and x86 please test and mark stable.
Comment 18 Christoph Mende (RETIRED) gentoo-dev 2007-06-23 18:58:49 UTC
Created attachment 122909
firebird-2.0.1 build log

fails to compile on amd64 here
Comment 19 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-06-23 19:11:10 UTC
Is that on a live system or in a chroot? This looks mighty odd?

rm -f empty.fdb
../gen/firebird/bin/create_db empty.fdb
Unable to complete network request to host "2".
-Failed to establish a connection.
-Invalid argument
make[3]: *** [empty.fdb] Error 254

That looks to be where the error is coming from. Not really a compiling error, but one that is happening during the building/compiling of Firebird. Never seen that before. Let me see if I can replicate on my production amd64 firebird server. I had planned on upgrading that tomorrow. Not sure if I can squeeze it in today.
Comment 20 Christoph Mende (RETIRED) gentoo-dev 2007-06-23 19:48:54 UTC
that was inside a chroot, it compiles fine outside of it - both systems differ pretty much though
Comment 21 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-06-23 19:56:37 UTC
Yeah that was failure to make a network request to the engine. I would assume more chroot specific than diff envs.
Comment 22 Jakub Moc (RETIRED) gentoo-dev 2007-06-24 10:53:45 UTC
  21 Jun 2007; William L. Thomson Jr. <wltjr@gentoo.org>
  firebird-1.5.4-r2.ebuild, firebird-1.5.4-r3.ebuild:
  Dropped sparc keyword down to -sparc per bug #181811

You need to drop sparc keywords from dev-python/kinterbasdb as well, it depends on firebird.
Comment 23 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-06-24 17:23:39 UTC
(In reply to comment #22)
> 
> You need to drop sparc keywords from dev-python/kinterbasdb as well, it depends
> on firebird.
> 

Done, thanks, sorry I missed that. Also, that package might have a dead upstream?
http://kinterbasdb.sourceforge.net/

Seems no version was stabilized. If upstream continues to be stagnant, might be a candidate for last rites. To at least gauge user interest or use.
Comment 24 Raúl Porcel (RETIRED) gentoo-dev 2007-06-24 19:08:33 UTC
x86 stable
Comment 25 Christoph Mende (RETIRED) gentoo-dev 2007-06-25 18:53:39 UTC
amd64 done
Comment 26 Gustavo Zacarias (RETIRED) gentoo-dev 2007-06-26 16:02:51 UTC
We're good to go.
Comment 27 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-07-01 22:04:56 UTC
GLSA 200707-01, thanks everybody!