[pkg-firebird-general] Bug#432753: Old 1.5 security issues question
Damyan Ivanov
dam at modsoftsys.com
Tue Aug 14 20:33:07 UTC 2007
Dear Firebird developers,
I've got a bug report for the debian packages for firebrid 1.5 that I
can't handle myself. I would be grateful for some insights.
http://bugs.debian.org/432753
There is some uncertainty about four CVE issues with regard of their
presence in Firebird 1.5.3.
Two of these
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7213
CVE-2006-7213
Firebird 1.5 allows remote authenticated users without SYSDBA and
owner permissions to overwrite a database by creating a database.
and
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7211
CVE-2006-7211
fb_lock_mgr in Firebird 1.5 uses weak permissions (0666) for the
semaphore array, which allows local users to cause a denial of
service (blocked query processing) by locking semaphores.
are unreproducible with Debian packages and thus are not that interesting.
The other two, however are rather unclear as of how to reproduce or
whether they are fixed in 1.5.3 (or 1.5.4) so I'd appreciate your comments:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7214
CVE-2006-7214
Multiple unspecified vulnerabilities in Firebird 1.5 allow remote
attackers to (1) cause a denial of service (application crash) by
sending many remote protocol versions; and (2) cause a denial of
service (connection drop) via certain network traffic, as
demonstrated by Nessus vulnerability scanning.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7212
CVE-2006-7212
Multiple buffer overflows in Firebird 1.5, one of which affects
WNET, have unknown impact and attack vectors. NOTE: this issue might
overlap CVE-2006-1240.
As far as I can tell, the existence of the issues is deduced from
firebird 2.0 release notes, which are not very clear about what exactly
the problem is and how to reproduce it.
Your comments are much appreciated. Please carbon-copy
432753 at bugs.debian.org in your replies.
--
dam JabberID: dam at jabber.minus273.org
More information about the pkg-firebird-general
mailing list