[pkg-firebird-general] Bug#481389: [Secure-testing-team] Bug#481389: Debian package allows passwordless SYSDBA remote connections

Nico Golde nion at debian.org
Thu May 15 20:09:41 UTC 2008


Hi Damyan,
* Damyan Ivanov <dmn at debian.org> [2008-05-15 20:32]:
> Package: firebird2.0-super
> Version: 2.0.3.12981.ds1-13
> Severity: grave
> Tags: security
> 
> The only reason for this to not be of critical severity is that database
> services are typically firewalled.
> 
> This is CVE-2008-1880[1]
> 
>     [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1880
> 
> The init.d script used by Debian packages exports ISC_PASSWORD into the
> environment before starting fbguard. fbguard itself spawns fbserver
> process without cleaning environment.
> 
> fbserver uses ISC_PASSWORD from the environment when remote connection
> does not supply a password. This makes it possible to connect remotely
> as SYSDBA user without giving a password.
> 
> That last part is already fixed in upstream CVS HEAD, but backporting
> the change is reported to be non-trivial.
[...] 
As far as I can see, firebird is disabled after the 
installation and needs to be dpkg-reconfigure'd, which will 
ask for a password or set a random one.
Am I missing anything?

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
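An added example, not code from the bug report or the Debian package, covering both sides of the issue Damyan describes: a check of a running daemon's environment (via /proc/<pid>/environ) for a leaked ISC_PASSWORD, and an init-script start pattern that strips ISC_USER/ISC_PASSWORD from the daemon's environment so fbserver cannot fall back on them. The process name, script name and the gsec invocation in the comment are assumptions.

```shell
#!/bin/sh
# Added example; not code from the Debian package or the bug report.

# Return 0 if the NUL-separated environment block in file $1 (the format
# of /proc/<pid>/environ) contains an ISC_PASSWORD entry.
environ_leaks_isc_password() {
    tr '\000' '\n' < "$1" | grep -q '^ISC_PASSWORD='
}

# Audit every running process named $1 (e.g. fbserver). Prints the PID
# of each one whose environment carries ISC_PASSWORD; returns 0 if at
# least one leak was found, 1 otherwise. Needs read access to
# /proc/<pid>/environ, i.e. root when the daemon runs as another user.
audit_running_processes() {
    leaked=1
    for pid in $(pgrep -x "$1" 2>/dev/null); do
        if [ -r "/proc/$pid/environ" ] \
           && environ_leaks_isc_password "/proc/$pid/environ"; then
            echo "PID $pid ($1): ISC_PASSWORD present in environment"
            leaked=0
        fi
    done
    return $leaked
}

# Hardened start pattern for an init script: run the given daemon command
# with ISC_USER and ISC_PASSWORD removed from its environment, so fbguard
# and the fbserver it spawns cannot inherit them even if the script
# exported them earlier for an administrative command. For that command
# the assignment-prefix form (assumed invocation)
#   ISC_PASSWORD="$pw" ISC_USER=SYSDBA gsec -display
# scopes the variables to that one process and is preferable to export.
start_without_password() {
    env -u ISC_USER -u ISC_PASSWORD "$@"
}

# Usage (assumed script name): ./audit.sh fbserver
if [ "$#" -gt 0 ]; then
    audit_running_processes "$1"
fi
```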