Debian Bug report logs - #810599
firebird2.5: CVE-2016-1569: authenticated remote crash
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>: Bug#810599; Package firebird2.5-super,firebird2.5-superclassic. (Sun, 10 Jan 2016 11:33:05 GMT)
Acknowledgement sent to Damyan Ivanov <dmn@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. (Sun, 10 Jan 2016 11:33:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: firebird2.5-super,firebird2.5-superclassic
Version: 2.5.5.26952.ds4-1
Severity: important
Tags: security upstream fixed-upstream
Forwarded: http://tracker.firebirdsql.org/browse/CORE-5068
Firebird 2.5.5 can be crashed remotely by authenticated clients by invoking
gbak via the service manager using an invalid command line switch.
Example:
$ gbak -b -se service_mgr -user_all_space srv:db.fdb backup.fbk
gbak:unknown switch "USER_ALL_SPACE"
gbak: ERROR:connection lost to database
gbak:Exiting before completion due to errors
This is harmless for the -classic flavour where the server process serves only
that particular connection, but is at least a DoS for -super and -superclassic
where the crashed process serves multiple connections.
Upstream SVN already contains the fix¹, which I'll be uploading soon.
The issue was introduced in 2.5.5, so previous versions (stable and older)
aren't affected.
-- dam
¹ https://sourceforge.net/p/firebird/code/62783/
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=bg_BG.UTF-8, LC_CTYPE=bg_BG.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Reply sent to Damyan Ivanov <dmn@debian.org>: You have taken responsibility. (Sun, 10 Jan 2016 15:54:05 GMT)
Notification sent to Damyan Ivanov <dmn@debian.org>: Bug acknowledged by developer. (Sun, 10 Jan 2016 15:54:05 GMT)
Message #10 received at 810599-close@bugs.debian.org:
Source: firebird2.5
Source-Version: 2.5.5.26952.ds4-3
We believe that the bug you reported is fixed in the latest version of
firebird2.5, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 810599@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Damyan Ivanov <dmn@debian.org> (supplier of updated firebird2.5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 10 Jan 2016 11:50:21 +0000
Source: firebird2.5
Binary: firebird2.5-super firebird2.5-classic firebird2.5-superclassic libfbclient2 libfbembed2.5 libib-util firebird2.5-common firebird2.5-server-common firebird2.5-classic-common firebird-dev firebird2.5-examples firebird2.5-doc firebird2.5-common-doc firebird2.5-super-dbg firebird2.5-classic-dbg libfbclient2-dbg
Architecture: source
Version: 2.5.5.26952.ds4-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>
Changed-By: Damyan Ivanov <dmn@debian.org>
Closes: 810599
Description:
firebird2.5-classic-common - common files for firebird 2.5 "classic" and "superclassic"
firebird2.5-classic-dbg - collected debug symbols for firebird2.5-classic and -superclassic
firebird2.5-classic - Firebird Classic Server - an RDBMS based on InterBase 6.0 code
firebird2.5-common - common files for firebird 2.5 servers and clients
firebird2.5-common-doc - copyright, licensing and changelogs of firebird2.5
firebird2.5-doc - Documentation files for firebird database version 2.5
firebird2.5-examples - Examples for Firebird - an RDBMS based on InterBase 6.0 code
firebird2.5-server-common - common files for firebird 2.5 servers
firebird2.5-superclassic - Firebird SuperClassic Server - an RDBMS based on InterBase 6.0 co
firebird2.5-super-dbg - collected debug symbols for firebird2.5-super
firebird2.5-super - Firebird Super Server - an RDBMS based on InterBase 6.0 code
firebird-dev - Development files for Firebird - an RDBMS based on InterBase 6.0
libfbclient2-dbg - collected debug symbols for libfbclient2
libfbclient2 - Firebird client library
libfbembed2.5 - Firebird embedded client/server library
libib-util - Firebird UDF support library
Changes:
firebird2.5 (2.5.5.26952.ds4-3) unstable; urgency=medium
.
* fix authenticated remote server segfault (Closes: #810599)
Changed Bug title to 'firebird2.5: CVE-2016-1569: authenticated remote crash' from 'firebird2.5: authenticated remote crash'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 10 Jan 2016 17:51:06 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 08 Feb 2016 07:51:25 GMT)
Last modified: Wed Jun 19 19:25:56 2019