[pkg-firebird-general] Bug#357580: firebird2-*-server: remotely crashable

Damyan Ivanov divanov at creditreform.bg
Sat Mar 18 09:50:57 UTC 2006


Package: firebird2-super-server,firebird2-classic-server
Version: 1.5.3.4870-2
Severity: critical
Tags: security help
Justification: root security hole

As noted in [1], fbserver (the daemon listening for TCP, found in
firebird2-super-server, source package firebird2) crashes if given a
too-long database name. The crash occurs *before* authentication and thus
does not require knowledge of a valid database user/password.

[1]
https://sourceforge.net/tracker/?func=detail&atid=109028&aid=1282031&group_id=9028

securityfocus' advisory[2] claims version 1.5 is not vulnerable, but
I've just reproduced the crash using 1.5.2-10 that is in Debian/sarge
and etch. Upstream claimed[1] that this is fixed in 1.5.3, but I can
still reproduce it with 1.5.3.4870-2 from yesterday, which was supposed
to fix other (local) buffer overflows (see #357173).

[2] http://www.securityfocus.com/bid/10446/discuss

=== How to reproduce ===

$ gsec -database localhost:`perl -e'print ("A"x300)'` \
  -user doesnt -passwd matter
invalid switch specified
error in switch specifications
Unable to complete network request to host "localhost".
Error reading data from the connection.
unable to open database

"Unable to complete network request" usually means that the server has
crashed. And indeed, looking at /var/log/firebird.log gives:

amd64 (Client)  Sat Mar 18 10:52:19 2006
 /usr/lib/firebird2/bin/fbguard: bin/fbserver terminated abnormally (-1)

So the server has crashed.

============

The same happens with firebird2-classic-server, only there is nothing in
firebird.log.

I have yet to verify the pristine upstream builds (without Debian patches)
and report it to upstream. Any help with these tasks from people who know
Firebird (preferably subscribed to firebird-devel) is warmly
appreciated.


---
dam


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.13+reiser4+dam.1
Locale: LANG=bg_BG.UTF-8, LC_CTYPE=bg_BG.UTF-8 (charmap=UTF-8)

Versions of packages firebird2-super-server depends on:
ii  adduser                     3.85         Add and remove users and groups
ii  firebird2-server-common     1.5.3.4870-2 Common files for Firebird - an RDB
ii  libc6                       2.3.6-3      GNU C Library: Shared libraries an
ii  libfbclient1                1.5.3.4870-2 Firebird client library
ii  libgcc1                     1:4.0.3-1    GCC support library
ii  libncurses5                 5.5-1        Shared libraries for terminal hand
ii  libstdc++6                  4.0.3-1      The GNU Standard C++ Library v3

firebird2-super-server recommends no packages.
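Added illustration, not part of the report above and not Firebird's code: the bug class the report describes is a server copying a client-supplied database name (received before any authentication) into a fixed-size buffer without checking its length. The snippet below shows that shape next to a bounded parser that rejects an over-long name instead of writing past the buffer. The buffer sizes, the "host:path" split and all function names are assumptions made for the example.

```c
/* Illustrative only: NOT Firebird's parser. It shows the bug class the
 * report describes (a fixed-size name buffer filled without a length
 * check, before authentication) beside a bounded version. The sizes and
 * the "host:path" spec format are assumptions for this example. */
#include <stdio.h>
#include <string.h>

#define DB_NAME_MAX 256   /* assumed buffer size, not Firebird's */

/* Vulnerable shape: copies whatever the client sent into a fixed buffer.
 * A path longer than DB_NAME_MAX-1 bytes overruns `path` on the stack.
 * Defined for comparison; it is deliberately never called here. */
int split_db_spec_unsafe(const char *spec, char *host, char *path)
{
    const char *colon = strchr(spec, ':');
    if (colon == NULL) {
        host[0] = '\0';
        strcpy(path, spec);          /* unbounded copy */
    } else {
        memcpy(host, spec, (size_t)(colon - spec));
        host[colon - spec] = '\0';
        strcpy(path, colon + 1);     /* unbounded copy */
    }
    return 0;
}

/* Hardened shape: every copy is bounded by the caller-supplied sizes and
 * an over-long component is rejected before anything is written.
 * Returns 0 on success, -1 if either component does not fit. */
int split_db_spec(const char *spec, char *host, size_t hostlen,
                  char *path, size_t pathlen)
{
    const char *colon = strchr(spec, ':');
    size_t hlen = colon ? (size_t)(colon - spec) : 0;
    const char *p = colon ? colon + 1 : spec;
    size_t plen = strlen(p);

    if (hlen >= hostlen || plen >= pathlen)
        return -1;                   /* reject; do not truncate silently */

    memcpy(host, spec, hlen);
    host[hlen] = '\0';
    memcpy(path, p, plen + 1);       /* plen + 1 includes the terminator */
    return 0;
}

/* Mirrors the report's test: "localhost:" followed by n 'A' bytes.
 * Returns the parser's verdict (0 accepted, -1 rejected). */
int reject_long_name(size_t n)
{
    char spec[1024];
    char host[64], path[DB_NAME_MAX];
    if (n + sizeof("localhost:") > sizeof(spec))
        return -1;
    memcpy(spec, "localhost:", 10);
    memset(spec + 10, 'A', n);
    spec[10 + n] = '\0';
    return split_db_spec(spec, host, sizeof host, path, sizeof path);
}

/* Returns 1 if `spec` parses and yields exactly the expected host/path. */
int split_ok(const char *spec, const char *want_host, const char *want_path)
{
    char host[64], path[DB_NAME_MAX];
    if (split_db_spec(spec, host, sizeof host, path, sizeof path) != 0)
        return 0;
    return strcmp(host, want_host) == 0 && strcmp(path, want_path) == 0;
}

int main(void)
{
    printf("short name accepted: %d\n",
           split_ok("localhost:/var/lib/firebird2/test.fdb",
                    "localhost", "/var/lib/firebird2/test.fdb"));
    printf("300-byte name verdict: %d\n", reject_long_name(300));
    return 0;
}
```

The point of the bounded version is that the length check happens before the first byte is written, so a 300-byte name like the one in the gsec command above produces an error reply rather than a crash of the listening process.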



