[pkg-firebird-general] Bug#432753: Bug#432753: CVE-2006-7211 to 7214 : unfixed in firebird1.5

Damyan Ivanov dam at modsoftsys.com
Mon Aug 20 10:29:03 UTC 2007


clone 432753 -1 -2
retitle -2 firebird1.x is not supported by upstream any more
severity -2 serious
thanks

-=| Stefan Fritsch, 11.07.2007 22:13 |=-
> These issues are reported to be fixed in 2.0, but I can't find any references in
> the changelogs that they are fixed in 1.5:
> 
> 
> CVE-2006-7214
> 
> Multiple unspecified vulnerabilities in Firebird 1.5 allow remote attackers to
> (1) cause a denial of service (application crash) by sending many remote
> protocol versions; and (2) cause a denial of service (connection drop) via
> certain network traffic, as demonstrated by Nessus vulnerability scanning.
> 
> CVE-2006-7213
> 
> Firebird 1.5 allows remote authenticated users without SYSDBA and owner
> permissions to overwrite a database by creating a database.
> 
> CVE-2006-7212
> 
> Multiple buffer overflows in Firebird 1.5, one of which affects WNET, have
> unknown impact and attack vectors. NOTE: this issue might overlap CVE-2006-1240.
> 
> CVE-2006-7211
> 
> fb_lock_mgr in Firebird 1.5 uses weak permissions (0666) for the semaphore
> array, which allows local users to cause a denial of service (blocked query
> processing) by locking semaphores.

Here's the current status:

The first three affect all versions of the package
(sarge-etch-lenny-sid). Note that in lenny/sid the package is renamed to
firebird1.5, sarge and etch use firebird2 name.

CVE-2006-7211 was patched locally so Debian packages are not vulnerable
in all suites.

CVE-2006-7214 and CVE-2006-7212 cannot be easily fixed. The upstream
release (2.0.x) that fixes these is a major rework and back-porting
means adopting the new release (quoting upstream, my impression too).
This is practically impossible for (old)stable. Even if we want to apply
the iceweasel approach, the new upstream release requires migration of
the databases so this is infeasible for stable/oldstable.

CVE-2006-7213 can be fixed by a patch based on this change:

http://firebird.cvs.sourceforge.net/firebird/firebird2/src/jrd/jrd.cpp?r1=1.206&r2=1.207

I've consulted with upstream and decided to schedule firebird1.5 for
removal from unstable/testing because it is no longer supported by them.

I guess removing firebird2 from stable/oldstable is not an option? :/

I can prepare packages that fix CVE-2006-7213 for etch and sarge.
-7212 and -7214 can't be fixed, though. What do we do?
-- 
dam            JabberID: dam at jabber.minus273.org
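The CVE-2006-7211 description quoted above boils down to a permissions audit: a SysV semaphore array created with mode 0666 can be locked by any local user. The following is an added example (not part of this thread or of the Firebird/Debian packaging) that parses `ipcs -s` output in the util-linux format and flags arrays whose mode grants write access to "other". The sample rows are constructed for illustration; the `key`/`semid`/`owner`/`perms` column order is an assumption based on util-linux `ipcs`, and other ipcs implementations (BSD, macOS) print a different layout.

```shell
#!/bin/sh
# Flag SysV semaphore arrays whose mode grants write access to "other".
# Input lines follow the util-linux `ipcs -s` layout (assumed):
#   key        semid      owner      perms      nsems
# Output: one line per world-writable array: "<semid> <owner> <perms>"
flag_world_writable() {
    while read -r key semid owner perms nsems; do
        # Only data rows start with a hexadecimal key; skip headers/blank lines.
        case "$key" in
            0x*) ;;
            *) continue ;;
        esac
        # The last octal digit is the "other" class; 2,3,6,7 include the write bit.
        case "$perms" in
            *[2367]) printf '%s %s %s\n' "$semid" "$owner" "$perms" ;;
        esac
    done
}

# Constructed sample shaped like `ipcs -s` output (not data from a real host).
SAMPLE='------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00000000 0          root       666        1
0x6a04f1c2 32769      firebird   600        4
0x00000000 65538      firebird   664        2'

# Number of world-writable arrays in the sample (expected: 1, the 666 row).
count_world_writable() {
    printf '%s\n' "$SAMPLE" | flag_world_writable | wc -l | tr -d ' '
}

# First flagged array in the sample, for checking the output format.
first_world_writable() {
    printf '%s\n' "$SAMPLE" | flag_world_writable | head -n 1
}

# Audit the live system when a util-linux style ipcs is available.
if command -v ipcs >/dev/null 2>&1; then
    ipcs -s 2>/dev/null | flag_world_writable
fi
```

Run it as a normal user; any line printed names a semaphore array that every local account can lock. A 0660 or 0600 mode on arrays owned by the database user is what you want to see instead.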
