[Pkg-firebird-general] Bug#251458: [Firebird-devel] Patch for vulnerability firebird 1.0.3 ?
Alex Peshkov
Alex Peshkov <pes@insi.yaroslavl.ru>, 251458@bugs.debian.org
Wed, 16 Jun 2004 15:57:52 +0400
Remco Seesink wrote:
>Hello,
>
>I am trying to fix a security bug on firebird 1.0.2 and 1.0.3 on debian. The details of the bug can be found here:
>http://bugs.debian.org/251458
>
>I was wondering if somebody already made a patch for this bug. The current plan is to support both firebird 1.0.3 and 1.5.0 in debian. This is why upgrading to 1.5.0 wouldn't help.
>
>If there is no patch, any pointers to what source files are likely involved?
>
>
Unfortunately, very many.
It was rather big code review during which we tried to fix a great(!)
lot of buffer overflows in firebird sources.
Particular this bug may be fixed relatively easy, but on my mind it has
no sence - there is a great lot of other overflows and some other
security holes (including execution of arbitrary code with root rights)
that were fixed in fb1.5.
It seems unreal to me to backport them all to 1.0, therefore if one
cares about security - use 1.5.
>Cheers,
>Remco Seesink.
>
>
>
>
Alex.