[pkg-firebird-general] Bug#693210: Bug#693210: server crash on preparing an empty query with tracing enabled
Salvatore Bonaccorso
carnil at debian.org
Sun Mar 10 09:38:24 UTC 2013
Hi Damyan
On Sun, Mar 10, 2013 at 11:17:35AM +0200, Damyan Ivanov wrote:
> -=| Moritz Muehlenhoff, 04.03.2013 18:59:53 +0100 |=-
> > On Sun, Jan 20, 2013 at 11:40:54PM +0900, Hideki Yamane wrote:
> > > On Wed, 14 Nov 2012 23:14:51 +0200
> > > Damyan Ivanov <dmn at debian.org> wrote:
> > > > > Forwarded: http://tracker.firebirdsql.org/browse/CORE-3884
> > > > >
> > > > > With trace enabled, preparing an empty query crashes the server on line 91 of
> > > > > /src/jrd/trace/TraceDSQLHelpers.h, since the dereferenced m_request variable is
> > > > > NULL.
> > > > >
> > > > > Tagged as 'security' since this is a remote crash, although it requires a valid
> > > > > user/pass.
> > > >
> > > > This issue has been assigned CVE-2012-5529.
> > >
> > > Probably you know, it was fixed in upstream svn and they released 2.5.2.
> > > I've attached a patch (builds fine with pbuilder), please check and apply it.
> >
> > Firebird maintainers,
> > can you please fix this for Wheezy?
>
> Hm, what about squeeze, which is also affected? Attached is a (source)
> debdiff against the version in squeeze. Should it go via
> stable-security or stable-updates?
I checked the security-tracker about this[1]. It is marked 'no-dsa'
for Squeeze, so I assume this should go through a
stable-proposed-updates upload.

[1]: https://security-tracker.debian.org/CVE-2012-5529

Thanks for your work on the update!

Salvatore