Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 190833 - dev-db/firebird < 2.0.2 Multiple Vulnerabilities (CVE-2007-{466[456789],5246})
Summary: dev-db/firebird < 2.0.2 Multiple Vulnerabilities (CVE-2007-{466[456789],5246})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/26615/
Whiteboard: B3 [noglsa]
Keywords:
: 192274 (view as bug list)
Depends on:
Blocks:
 
Reported: 2007-08-31 00:18 UTC by Matt Fleming (RETIRED)
Modified: 2007-10-07 11:18 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matt Fleming (RETIRED) gentoo-dev 2007-08-31 00:18:15 UTC
Some vulnerabilities have been reported in Firebird, where some have unknown impact and others can be exploited by malicious users to cause a DoS (Denial of Service).

1) An error exists in the processing of event registration requests. This can potentially be exploited by a client application connected via XNET to crash the Firebird server by registering several events in parallel.

2) An error exists in the processing of network packets. This can potentially be exploited to increase the CPU load to a high value and consume large amounts of memory by sending large network packets containing garbage data.

3) An unspecified error exists in the processing of Service API calls. This can be exploited to cause a DoS on the affected Firebird server.

4) An unspecified vulnerability with unknown impact exists in the processing of "attach database" and "create database" commands when the passed filename is larger than "MAX_PATH_LEN".

The vulnerabilities are reported in versions prior to 2.0.2.
Comment 1 Matt Fleming (RETIRED) gentoo-dev 2007-08-31 00:20:03 UTC
Cc'ing maintainers and setting whiteboard status.
Comment 2 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-08-31 01:34:11 UTC
Wasn't even aware of release. I will see about bumping asap. I was in the process of moving to opt. Guess I will pause on that for now.
Comment 3 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-08-31 04:23:25 UTC
Ok, I have bumped the ebuild and it compiled and seems to be good to go. If others can test, and if no problems we can look to rush stabilize.
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-08 21:42:37 UTC
arches, please stabilise dev-db/firebird-2.0.2.12964.0
Comment 5 Markus Meier gentoo-dev 2007-09-09 13:31:42 UTC
x86 stable
Comment 6 Jakub Moc (RETIRED) gentoo-dev 2007-09-12 09:24:59 UTC
*** Bug 192274 has been marked as a duplicate of this bug. ***
Comment 7 Jakub Moc (RETIRED) gentoo-dev 2007-09-12 09:26:38 UTC
Firebird 2.0.2 is Recalled
The Firebird 2.0.2 release has been recalled due to a significant regression that has shown up (Tracker Issue CORE-1434). Our sincere apologies for the inconvenience. A release candidate for v.2.0.3 will follow shortly.

http://tracker.firebirdsql.org/browse/CORE-1434

(2.0.3_rc1 is out, BTW).
Comment 8 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-09-12 19:59:00 UTC
(In reply to comment #7)
> Firebird 2.0.2 is Recalled

Yeah not sure what's going on with apps I love and have never had issues with. ASSP and Firebird :(

> (2.0.3_rc1 is out, BTW).

Not really. It's a pre-release, and I can't download sources. :(

http://www.firebirdsql.org/index.php?op=files&id=fb203_rc1

404


Comment 9 Jakub Moc (RETIRED) gentoo-dev 2007-09-13 08:45:48 UTC
(In reply to comment #8)
> Not really. It's a pre-release, and I can't download sources. :(
> 
> http://www.firebirdsql.org/index.php?op=files&id=fb203_rc1

Works fine here.
Comment 10 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-09-13 13:53:27 UTC
(In reply to comment #9)
>
> Works fine here.

So you can download sources?

http://www.firebirdsql.org/download/prerelease/Firebird-2.0.3.12981-0.tar.bz2

404
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2007-09-13 14:09:08 UTC
(In reply to comment #10)
> So you can download sources?
> http://www.firebirdsql.org/download/prerelease/Firebird-2.0.3.12981-0.tar.bz2
> 404

The link is wrong, but this works:
http://www.firebirdsql.org/download/prerelease/source/Firebird-2.0.3.12981-0.tar.bz2

Comment 12 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-09-13 14:40:21 UTC
ok, thanks, a URL is what I needed for ebuild :)
Comment 13 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-09-13 22:14:03 UTC
Ok pre-release committed to tree. I didn't tag it as such atm. Should be moot since if upstream does another 2.0.3 release, the build number will have gone up :)
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2007-09-14 00:35:02 UTC
Thanks William. Arches, please test and stabilize dev-db/firebird-2.0.3.12981.0.
Target keywords: "amd64 x86"
Comment 15 Markus Meier gentoo-dev 2007-09-15 14:47:47 UTC
x86 stable
Comment 16 Christoph Mende (RETIRED) gentoo-dev 2007-09-16 14:17:21 UTC
amd64 stable
Comment 17 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-16 16:52:58 UTC
If severity level stays that way, glsa voting is now open.
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2007-09-23 17:18:37 UTC
In case of a GLSA, there's also CVE-2007-4669 not covered by the Secunia advisory. You might want to review it, too.
Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-09-24 16:30:30 UTC
I tend to vote NO.
Comment 20 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-25 09:38:58 UTC
I tend to vote NO too, though the 4th "unspecified issue" with the MAX_PATH_LEN might imply code execution :/
Comment 21 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-10-02 21:30:18 UTC
I usually vote noglsa for unspecified vulnerabilities with unknown impact. Plus, the DoS vulnerabilities by opening several connections or sending large packets could happen all the time.

Perhaps, there is CVE-2007-4669, but i don't know if the logfile would provide much sensible information.

I vote no, and closing. Feel free to reopen if you disagree.
Comment 22 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-10-02 21:43:31 UTC
Just as further info, unless a user is doing something abnormal with logging sensitive stuff to the log file. Having access to it's contents is quite moot IMHO. It hardly reveals much if anything. Other than maybe if someone were beating on a db server trying to take it down. While viewing logs at the same time to see any signs of distress.