Debian Bug report logs - #858641
CVE-2017-6369: authenticated remote execution in firebird 2.5 before version 2.5.7


Reported by: Damyan Ivanov <dmn@debian.org>

Date: Fri, 24 Mar 2017 19:21:05 UTC

Severity: grave

Tags: patch, security, upstream

Found in version 2.5.2.26540.ds4

Fixed in version firebird2.5/2.5.3.26778.ds4-5+deb8u1

Done: Damyan Ivanov <dmn@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://tracker.firebirdsql.org/browse/CORE-5474



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#858641; Package firebird2.5-classic-common,firebird2.5-super. (Fri, 24 Mar 2017 19:21:08 GMT)


Acknowledgement sent to Damyan Ivanov <dmn@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. (Fri, 24 Mar 2017 19:21:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Damyan Ivanov <dmn@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2017-6369: authenticated remote execution in firebird 2.5 before version 2.5.7
Date: Fri, 24 Mar 2017 19:14:22 +0000
Package: firebird2.5-classic-common,firebird2.5-super
Version: 2.5.2.26540.ds4
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: http://tracker.firebirdsql.org/browse/CORE-5474

Authenticated Firebird users are allowed to declare UDFs (user-defined 
functions). The default config allows using all entry points from the standard 
UDF library, which is dynamically linked with libc, with its symbols 
re-exported, including system().

Relevant upstream commits for 2.5:
 - https://github.com/FirebirdSQL/firebird/commit/9d9b9e0c94e201da489d1da81f858c570d3ca6ef
 - https://github.com/FirebirdSQL/firebird/commit/a802126cd501f641f00d6cda12d5d9ee3ecda6f5
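An audit helper for the exposure the report describes, added here as an example; it is not code from the bug report, from Debian or from the Firebird project. It assumes things the report does not state: that firebird.conf carries a UdfAccess parameter whose shipped default is "Restrict UDF" and whose other values are "Full" and "None"; that declared UDFs can be listed from the RDB$FUNCTIONS system table via the columns RDB$FUNCTION_NAME, RDB$MODULE_NAME and RDB$ENTRYPOINT; and that the denylist of libc process-spawning symbols below is a reasonable, non-exhaustive choice. The sample configuration and result rows are constructed for the example.

```python
"""Audit helper for the UDF exposure described in the report above.

Added example, not code from the Debian bug report or the Firebird project.
Assumptions not stated on the page: the firebird.conf parameter UdfAccess
with values "Restrict UDF" (shipped default), "Full" and "None"; the
RDB$FUNCTIONS columns RDB$FUNCTION_NAME, RDB$MODULE_NAME, RDB$ENTRYPOINT;
and the denylist of libc symbols below.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple

# libc symbols that spawn a process or shell. A UDF whose ENTRY_POINT names one
# of these runs commands as the server account. Assumed list, not exhaustive.
PROCESS_SPAWNING_SYMBOLS = frozenset({
    "system", "popen", "execl", "execle", "execlp", "execv", "execve",
    "execvp", "execvpe", "fork", "vfork", "posix_spawn", "posix_spawnp",
})


@dataclass(frozen=True)
class UdfDeclaration:
    function_name: str
    module_name: str
    entry_point: str


def parse_udf_access(conf_text: str) -> str:
    """Effective UdfAccess value from firebird.conf text.

    Lines beginning with '#' are comments; if the key is absent the shipped
    default "Restrict UDF" applies. A later assignment overrides an earlier one.
    """
    value = "Restrict UDF"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"UdfAccess\s*=\s*(.+?)\s*$", line, re.IGNORECASE)
        if m:
            value = m.group(1)
    return value


def udf_loading_enabled(udf_access: str) -> bool:
    """UdfAccess = None (assumed meaning) stops the server loading any UDF library."""
    return udf_access.strip().lower() != "none"


def rows_to_declarations(rows: Iterable[Sequence[str]]) -> List[UdfDeclaration]:
    """Convert rows of
    SELECT RDB$FUNCTION_NAME, RDB$MODULE_NAME, RDB$ENTRYPOINT FROM RDB$FUNCTIONS
    into declarations. The columns are CHAR, so values come back space padded."""
    return [UdfDeclaration(*(str(c).strip() for c in row)) for row in rows]


def audit_udfs(declarations: Iterable[UdfDeclaration],
               udf_access: str) -> List[Tuple[str, str, str]]:
    """Return (function_name, code, detail) findings.

    spawn_symbol    - entry point is a process-spawning libc symbol
    module_path     - module given as a path rather than a bare library name
    udf_access_full - firebird.conf lets UDFs load from any directory
    """
    findings: List[Tuple[str, str, str]] = []
    for d in declarations:
        if d.entry_point.lower() in PROCESS_SPAWNING_SYMBOLS:
            findings.append((d.function_name, "spawn_symbol",
                             f"ENTRY_POINT {d.entry_point!r} reached through "
                             f"MODULE_NAME {d.module_name!r}"))
        elif re.search(r"[/\\]", d.module_name):
            findings.append((d.function_name, "module_path",
                             f"MODULE_NAME {d.module_name!r} is a path"))
    if udf_access.strip().lower() == "full":
        findings.append(("firebird.conf", "udf_access_full",
                         f"UdfAccess = {udf_access}"))
    return findings


# Constructed sample input (not taken from the page).
SAMPLE_CONF = """\
# firebird.conf excerpt; UdfAccess is commented out, so the default applies
#UdfAccess = Restrict UDF
RemoteServicePort = 3050
"""

SAMPLE_ROWS = [
    # Benign declaration bound to one of the standard UDF library's own exports
    ("STRLEN              ", "ib_udf              ", "IB_UDF_strlen       "),
    # The pattern the report describes: an entry point resolving to libc system()
    ("SH                  ", "ib_udf              ", "system              "),
]

if __name__ == "__main__":
    access = parse_udf_access(SAMPLE_CONF)
    decls = rows_to_declarations(SAMPLE_ROWS)
    print(f"UdfAccess: {access} (loading enabled: {udf_loading_enabled(access)})")
    for name, code, detail in audit_udfs(decls, access):
        print(f"{name}: {code}: {detail}")
```

On a real server the rows would come from running that SELECT against each database on the host and the configuration from the installed firebird.conf; the audit only points at declarations that need attention, and the actual remedy on the page is the updated package. Setting UdfAccess = None is an assumed mitigation for hosts that do not use UDFs at all, not something the report itself recommends.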



Reply sent to Damyan Ivanov <dmn@debian.org>:
You have taken responsibility. (Sun, 02 Apr 2017 17:51:07 GMT)


Notification sent to Damyan Ivanov <dmn@debian.org>:
Bug acknowledged by developer. (Sun, 02 Apr 2017 17:51:07 GMT)


Message #10 received at 858641-close@bugs.debian.org:

From: Damyan Ivanov <dmn@debian.org>
To: 858641-close@bugs.debian.org
Subject: Bug#858641: fixed in firebird2.5 2.5.3.26778.ds4-5+deb8u1
Date: Sun, 02 Apr 2017 17:47:10 +0000
Source: firebird2.5
Source-Version: 2.5.3.26778.ds4-5+deb8u1

We believe that the bug you reported is fixed in the latest version of
firebird2.5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 858641@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Damyan Ivanov <dmn@debian.org> (supplier of updated firebird2.5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 25 Mar 2017 10:08:00 +0000
Source: firebird2.5
Binary: firebird2.5-super firebird2.5-classic firebird2.5-superclassic libfbclient2 libfbembed2.5 libib-util firebird2.5-common firebird2.5-server-common firebird2.5-classic-common firebird-dev firebird2.5-examples firebird2.5-doc firebird2.5-common-doc firebird2.5-super-dbg firebird2.5-classic-dbg libfbclient2-dbg
Architecture: source all amd64
Version: 2.5.3.26778.ds4-5+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>
Changed-By: Damyan Ivanov <dmn@debian.org>
Description:
 firebird-dev - Development files for Firebird - an RDBMS based on InterBase 6.0
 firebird2.5-classic - Firebird Classic Server - an RDBMS based on InterBase 6.0 code
 firebird2.5-classic-common - common files for firebird 2.5 "classic" and "superclassic"
 firebird2.5-classic-dbg - collected debug symbols for firebird2.5-classic and -superclassic
 firebird2.5-common - common files for firebird 2.5 servers and clients
 firebird2.5-common-doc - copyright, licensing and changelogs of firebird2.5
 firebird2.5-doc - Documentation files for firebird database version 2.5
 firebird2.5-examples - Examples for Firebird - an RDBMS based on InterBase 6.0 code
 firebird2.5-server-common - common files for firebird 2.5 servers
 firebird2.5-super - Firebird Super Server - an RDBMS based on InterBase 6.0 code
 firebird2.5-super-dbg - collected debug symbols for firebird2.5-super
 firebird2.5-superclassic - Firebird SuperClassic Server - an RDBMS based on InterBase 6.0 co
 libfbclient2 - Firebird client library
 libfbclient2-dbg - collected debug symbols for libfbclient2
 libfbembed2.5 - Firebird embedded client/server library
 libib-util - Firebird UDF support library
Closes: 858641
Changes:
 firebird2.5 (2.5.3.26778.ds4-5+deb8u1) jessie-security; urgency=high
 .
   * Add two commits from upstream fixing authenticated remote code execution
     (CVE-2017-6369 / CORE-5474)
     (Closes: #858641)
Checksums-Sha1:
 b190b564ffa0f8b544afe4e08b637cbb55d8eba4 3313 firebird2.5_2.5.3.26778.ds4-5+deb8u1.dsc
 3051b28c5342b48f19123cec80e132967b2e91f5 3990440 firebird2.5_2.5.3.26778.ds4.orig.tar.xz
 b7a3970cda471a2feebc457558109da317337e8e 114552 firebird2.5_2.5.3.26778.ds4-5+deb8u1.debian.tar.xz
 043660b659089a04f276a5e0fabee62c75248dab 95904 firebird2.5-common_2.5.3.26778.ds4-5+deb8u1_all.deb
 889f8a93901406a75f1ad6bd9b629c79d79c0be4 164992 firebird2.5-examples_2.5.3.26778.ds4-5+deb8u1_all.deb
 e97fd7fc5f873cf4e8ff599bf0c9924b006ae3d0 176528 firebird2.5-doc_2.5.3.26778.ds4-5+deb8u1_all.deb
 a08f1cdcb285bf8599dfded13670d13998cf5019 654480 firebird2.5-common-doc_2.5.3.26778.ds4-5+deb8u1_all.deb
 e98d9fa7f4b18f325cc649ae0f43cae145894693 2160422 firebird2.5-super_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 333b9ea96ad471560fb40044b33fd19e73f3b52c 29518 firebird2.5-classic_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 14971347435a6011091155634cfb9cb55b997e98 183012 firebird2.5-superclassic_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 f306b0ccc201cc0bb4a645f53d0c236e67791564 284760 libfbclient2_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 bca13c49e779c9541bc8707bca01a68c2e6b6ad6 1525440 libfbembed2.5_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 421c9e8b3d4dfabd3f46db23ab463de57da2b3c6 3950 libib-util_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 6da0bb255f0fa8ebb7fbc223d52a3f4691287b90 534678 firebird2.5-server-common_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 810f14d19e1a3586f389d159147ec2507ae0ccf0 825288 firebird2.5-classic-common_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 dcd1ea54ee061fcf8563f1d3e4c996ebcfb78a8a 32166 firebird-dev_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 178772cbcb90445df15bab72e5cb9546f12820fe 27432204 firebird2.5-super-dbg_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 ac67f2339dbffe719305985fe007eb95a6c7fe21 28486742 firebird2.5-classic-dbg_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 4d2ba2cba73e398dc64777b3c2ceac1f85bdff4c 1843710 libfbclient2-dbg_2.5.3.26778.ds4-5+deb8u1_amd64.deb
Checksums-Sha256:
 83a15e54802e87ca3687445dbe0daa9fd915d88c7abe0f0756620f3694863be9 3313 firebird2.5_2.5.3.26778.ds4-5+deb8u1.dsc
 c9dc4154fc8e7bf0733b8e8444d90307a6c236b7e951836729828fd026e4b406 3990440 firebird2.5_2.5.3.26778.ds4.orig.tar.xz
 b25cc1f58b70a3e3cdb94c032b456787760de96f345da94ee957f91b648e69a7 114552 firebird2.5_2.5.3.26778.ds4-5+deb8u1.debian.tar.xz
 5604383d4dd0efc7e8fa0696c5b10eb607d521ef6d6f1f5e8a761ad431beaa54 95904 firebird2.5-common_2.5.3.26778.ds4-5+deb8u1_all.deb
 5a4b23dc84ade3ab0462cdd61d269a6bb59c3592108f1b0347c25a9c6c1e8b81 164992 firebird2.5-examples_2.5.3.26778.ds4-5+deb8u1_all.deb
 3e8b84740bd3f63e8cfe347ddaaa549b7d352216c98871a522582a0dc65d16a3 176528 firebird2.5-doc_2.5.3.26778.ds4-5+deb8u1_all.deb
 c34d3366853baa2ac47eaea88dc9525c68600656348793a54606c412c95b4bcd 654480 firebird2.5-common-doc_2.5.3.26778.ds4-5+deb8u1_all.deb
 fac8e60c8d1a47c82a2697cd38aec844e3498b291121b9e9fa40136d15d57d92 2160422 firebird2.5-super_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 fdf5a84ab10c8c26ce24f9d781e2da0d3a9d9ef7e1069d8fcc38742ff06179f0 29518 firebird2.5-classic_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 cc7a6d2fa5d016f254432cc40ae8e4b2f22b0635879e448ab358d59c13e26002 183012 firebird2.5-superclassic_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 932b83f2f0b994e6f43b4f736ca328ea227921e7d1aa15982000ff84a0f8dbd8 284760 libfbclient2_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 5b99eb880b430cc389e97eead54fbeac22a5af89cfb9189ef000608e6a14b276 1525440 libfbembed2.5_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 0a75b25c2e73633ae112cb015c8afefcc38db6ead57862abfc0f3aff95990a27 3950 libib-util_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 6d964ff982dafd2e6fdd0d83963ed5b34a2dacbcc5f2164cebaaa4ee0d896a98 534678 firebird2.5-server-common_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 febf38351451d2e0cccd60004eb16f01f5fe6f752bfac24b3890f9b3004f7794 825288 firebird2.5-classic-common_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 ffcbf0e5174daf3eb8c173e19f02789d41c48f562f93914aea4c980ff40241f4 32166 firebird-dev_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 28e2518552f99efe17ce6cc3d909f1a0aa3a360bcf944f30fea41ee83806fbb5 27432204 firebird2.5-super-dbg_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 5d51cf9006d3cb42e00f3cea52f5d9bc48197e20147532253b033efe27571664 28486742 firebird2.5-classic-dbg_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 1361eb3f926dc72d026ec19ad067513f865262ead1f3ed45b22cf9b92c9c7e8b 1843710 libfbclient2-dbg_2.5.3.26778.ds4-5+deb8u1_amd64.deb
Files:
 d669326904253b3133761765f7a072f5 3313 database optional firebird2.5_2.5.3.26778.ds4-5+deb8u1.dsc
 b5dc84a969b1476fc77b2d8d56625225 3990440 database optional firebird2.5_2.5.3.26778.ds4.orig.tar.xz
 2e35fc8bd2929aa212ac83be1994d158 114552 database optional firebird2.5_2.5.3.26778.ds4-5+deb8u1.debian.tar.xz
 5b5aec89fec3ef5bd3e3c2bde4f86428 95904 database optional firebird2.5-common_2.5.3.26778.ds4-5+deb8u1_all.deb
 d3a8dfcf5efb6d8b097d3604137df4ab 164992 doc optional firebird2.5-examples_2.5.3.26778.ds4-5+deb8u1_all.deb
 472d7d031e75f06ba03431968c0e8687 176528 doc optional firebird2.5-doc_2.5.3.26778.ds4-5+deb8u1_all.deb
 0d8fb1361f0fe0df31c4286719007e17 654480 doc optional firebird2.5-common-doc_2.5.3.26778.ds4-5+deb8u1_all.deb
 b5213609a46306b703cf69cc8ebcce58 2160422 database optional firebird2.5-super_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 e87e85aaff3e9b5160c0ec05203b63aa 29518 database optional firebird2.5-classic_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 e4982527f90dbcb1570fd2d5016bca3c 183012 database optional firebird2.5-superclassic_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 22107b9dd61ee21be23d0888bbc132c1 284760 libs optional libfbclient2_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 e63465520d01c8fb56d2afae742bc869 1525440 libs optional libfbembed2.5_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 80177b1dca0c863ac13adaa5988c7c39 3950 libs optional libib-util_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 dbf996493cd8fc79a4dc4a3e353b0328 534678 database optional firebird2.5-server-common_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 d05cd62f077bf838ba88f6fa97f807e5 825288 database optional firebird2.5-classic-common_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 4d7282cbabd6b286f7a67e1062d1382d 32166 libdevel optional firebird-dev_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 c84394ff8e71dbe7de41b49d9d25eca0 27432204 debug extra firebird2.5-super-dbg_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 56349ecf975fb86dd591b72c783a5552 28486742 debug extra firebird2.5-classic-dbg_2.5.3.26778.ds4-5+deb8u1_amd64.deb
 fcd39b934611d183cdd249335e170bed 1843710 debug extra libfbclient2-dbg_2.5.3.26778.ds4-5+deb8u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 01 May 2017 07:27:02 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:52:31 2019; Machine Name: buxtehude