[pkg-firebird-general] Bug#693210: Bug#693210: server crash on preparing an empty query with tracing enabled (CVE-2012-5529)

Damyan Ivanov dmn at debian.org
Wed Mar 6 17:00:29 UTC 2013


-=| Slávek Banko, 05.03.2013 17:55:51 +0100 |=-
> On Mon, 4 March 2013, Moritz Muehlenhoff wrote:
> > On Sun, Jan 20, 2013 at 11:40:54PM +0900, Hideki Yamane wrote:
> > > Hi,
> > >
> > > On Wed, 14 Nov 2012 23:14:51 +0200
> > >
> > > Damyan Ivanov <dmn at debian.org> wrote:
> > > > > Forwarded: http://tracker.firebirdsql.org/browse/CORE-3884
> > > > >
> > > > > With trace enabled, preparing an empty query crashes the server
> > > > > on line 91 of /src/jrd/trace/TraceDSQLHelpers.h, since the
> > > > > dereferenced m_request variable is NULL.
> > > > >
> > > > > Tagged as 'security' since this is a remote crash, although it
> > > > > requires a valid user/pass.
> > > >
> > > > This issue has been assigned CVE-2012-5529.
> > >
> > >  You probably know that it was fixed in upstream svn and they released
> > > 2.5.2. I've attached a patch (builds fine with pbuilder), please check
> > > and apply it.
> >
> > Firebird maintainers,
> > can you please fix this for Wheezy?
> 
> I can confirm that the patch from 
> http://firebird.svn.sourceforge.net/viewvc?revision=54702&pathrev=54702&view=rev 
> can be cleanly applied to both firebird2.5 from Squeeze, and also to 
> the current version from Wheezy (hence also Sid).
> 
> Is there any hope at this time that it would be possible to update the Wheezy
> version to the final 2.5.2? The mentioned problem is already fixed in that version.
> I think that the package git repository is ready for 2.5.2.

An approval request about this was sent already. Dear release team, 
can you please comment on 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693216 ? Thanks in 
advance.


-- dam