[Pkg-firebird-general] Fw: [Firebird-devel] Patch for vulnerability firebird 1.0.3 ?

Mark O'Donohue mark.odonohue@firebirdsql.org
Thu, 17 Jun 2004 00:36:43 +1000


Hi Remco

Remco Seesink wrote:
> Hmmm,
> 
> We do care about security and I have a feeling it is not reasonable
> to expect the debian security team to do this and I don't think I
> can do it either.
> 

I'm not really aware of the structure of the Debian organisation - I 
don't think it would be good to leave it to someone else to do either.

> This could mean that firebird 1.0.x would be removed because of unsolved
> security bugs and we might not have firebird 1.5.x ready in time ending
> up with no firebird at all in sarge. Aargh!
> 
> There is a firebird 1.0.3 package ready to replace the current 1.0.2,
> but that doesn't get us out of this situation:
> http://mentors.debian.net/debian/pool/main/f/
> 
> If we were to abandon firebird 1.0.x would it be better to name the new packages
> firebird instead of firebird2 and give some warning on upgrade about making 
> backups first?
> 

It would be nice not to abandon 1.0.X.


Is the following workaround acceptable?

fb1.3 should not be run as root.

A lot can be done to tighten up the security by changing the runtime 
user of the servers to be "firebird:firebird" (this is now the default 
in f1.5).

Also, for classic, restricting users to be in the group firebird to 
directly access databases and /opt/firebird/* files.

This means a break-in to the server will not give root access, at least.

In f1.0.X running servers as firebird:firebird is optional, as it causes 
a few user permission problems - but it's better than abandoning the 
package.


Some buffer overflow fixes should also be backported (env variables and 
filenames spring to mind).

But the recommendation would be to use the f1.5 version, and 1.0.X only 
if needed.



Cheers

Mark
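The non-root workaround described in the message above (server running as firebird:firebird, database and /opt/firebird files restricted to the firebird group), as an added shell example that is not code from this thread or from the Firebird project. It assumes the install tree path and the server process name are supplied by the caller (the thread names neither the binaries nor the packaging's file layout) and that the service group is called firebird.

```shell
#!/bin/sh
# Added example, not from the thread or the Firebird project: apply the
# group-restricted layout the message describes to an install tree such as
# /opt/firebird. Run as root on a real install; the functions only touch
# the directory they are given.

# Give every directory and file under $1 to group $2 (default "firebird"),
# with no access for "other": directories 0750, files 0640. The chgrp is
# skipped when the group does not exist, so the function also works in a
# sandbox that has no service account.
harden_firebird_tree() {
    dir="$1"; grp="${2:-firebird}"
    [ -d "$dir" ] || return 1
    if getent group "$grp" >/dev/null 2>&1; then
        chgrp -R "$grp" "$dir" || return 1
    fi
    find "$dir" -type d -exec chmod 0750 {} + || return 1
    find "$dir" -type f -exec chmod 0640 {} + || return 1
}

# Return 0 only when nothing under $1 grants any permission to "other";
# otherwise list the offenders and return 1. Worth re-running after an
# upgrade re-creates files with the package's default modes.
check_no_world_access() {
    offenders=$(find "$1" -perm /007)
    [ -z "$offenders" ] && return 0
    printf 'world-accessible under %s:\n%s\n' "$1" "$offenders"
    return 1
}

# Return 1 if any process whose command name matches the pattern in $1
# (the server binary's name, supplied by the caller) runs as root, else 0.
check_server_not_root() {
    ps -eo user=,comm= | awk -v pat="$1" \
        '$2 ~ pat && $1 == "root" { found = 1 } END { exit found ? 1 : 0 }'
}
```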