Bug#251458: [Pkg-firebird-general] Re: Bug#251458: firebird: remote vulnerability

Steve Langasek <vorlon@debian.org>, 251458-quiet@bugs.debian.org
Sat, 31 Jul 2004 02:42:41 -0700



On Wed, Jul 28, 2004 at 01:36:48PM -0400, Grzegorz B. Prokopski wrote:
> On Wed, 2004-07-28 at 11:24, Daniel Urban wrote:

> > > > If this would happen I am not so sure about the usefulness of the
> > > > firebird2 naming.

> > > Maybe we can rename it to firebird later, but I am not sure what
> > > reflections a rename will have right now, before sarge release.

> > I'm for renaming firebird2 to firebird.
> > Could we do it now? Greg? Would be a problem with it now?

> Yes, it would be.  But really, there's no point doing that.
> Having it as a separate package gives us more flexibility:

> * we would be able to push old fb into Sarge (i.e. with *big* security
> warning and access allowed only from localhost, etc.) if we didn't
> have fb2 in time (mind you, fb2 debs are NOT in testing yet and they
> haven't had really wide testing as they only just hit unstable).

I'm sorry, but shipping a package with known exploitable security holes
in sarge is not an option.  If no one is able to fix the security
problems in the firebird server package (and I assume no one is, since
this bug has been open so long), then the firebird server package will
have to be removed from sarge -- along with all other binary packages
from the same source, as well as all other binary packages depending on
these packages.

> * we can still have old firebird packages around (i.e. in an unofficial
> repository) and they would NOT be:
>  - mistaken with firebird2 packages
>  - auto-upgraded on standard system upgrade and overriden with 1.5.x
>    version (otherwise you would need to keep them "on hold" which
>    would make the automatic updates from unofficial repository
>    impossible)

> This is a common practice that you add a release number to the package
> name when you want to keep the old version around for users that might
> need it.  Just see the output of 'apt-cache search tk8'.

I don't know that a comparison with a scripting language is the best
one, here.  And the value of helping users keep remotely-exploitable
software on their systems is definitely questionable.

I see from the latest firebird2 upload that the library packages now
provide: libfirebird and libfirebird2.  But the following is not
appropriate in *any* library package:

$ dpkg -c libfirebird2-classic_1.5.0-1_i386.deb |grep /usr/lib/libgds
lrwxrwxrwx root/root         0 2004-07-19 05:27:21 ./usr/lib/libgds.so -> libfbembed.so.1.5.0
$

I have checked php4-interbase, and confirmed that the soname this file
looks for is "libgds.so".  This means that there is no support
whatsoever for rebuilding software against a new version of libgds,
without breaking other programs that use the old version.  This is a
truly horrid setup, and I would strongly recommend that you rebuild all
of the firebird client packages prior to sarge's release so that they
will have a proper dependency on libfirebird2 and you can drop the
libgds.so symlink.

(BTW, where does the "2" in "libfirebird2" come from?  This is not the
soversion of either of the libraries contained in this package.)

-- 
Steve Langasek
postmodern programmer

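A small check a maintainer can run over `readelf -d` output to catch the situation described in the mail above (a NEEDED entry, or a library's own SONAME, that carries no version). This is an added example, not part of the bug thread or of the firebird packages; the readelf lines below are constructed to mirror the libgds.so -> libfbembed.so.1.5.0 case, and readelf itself is assumed to be the binutils tool.

```sh
#!/bin/sh
# Added example: flag unversioned sonames in the dynamic section of an
# ELF object. Both functions read the text output of `readelf -d FILE`
# (binutils) on stdin, so they can be fed a real binary or saved output.

# Print each NEEDED soname that has no ".so.<N>" version suffix.
# A dependency like "libgds.so" cannot be rebuilt against a new ABI
# without breaking every program still linked to the old one.
unversioned_needed() {
    sed -n 's/.*(NEEDED).*\[\(.*\)\].*/\1/p' |
        grep -v '\.so\.[0-9]' || true
}

# Return 0 if the object's own SONAME is versioned, 1 otherwise.
# A library built with an unversioned SONAME is what produces the
# unversioned NEEDED entries in everything linked against it.
versioned_soname() {
    soname=$(sed -n 's/.*(SONAME).*\[\(.*\)\].*/\1/p')
    case "$soname" in
        *.so.[0-9]*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed sample of `readelf -d` output for a client module linked
# the way php4-interbase was described in the mail (libgds.so, no version).
SAMPLE='Dynamic section at offset 0x1d60 contains 25 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libgds.so]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libfbembed.so.1.5.0]'

# Usage on the constructed sample; on a real system replace the printf
# with:  readelf -d /usr/lib/php4/20020429/interbase.so | unversioned_needed
printf '%s\n' "$SAMPLE" | unversioned_needed
```

Any soname printed by `unversioned_needed` is a dependency that the package manager cannot version, which is exactly why the mail asks for a rebuild against libfirebird2 before dropping the symlink.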