[pkg-firebird-general] Bug#858641: CVE-2017-6369: authenticated remote execution in firebird 2.5 before version 2.5.7

Damyan Ivanov dmn at debian.org
Fri Mar 24 19:14:22 UTC 2017


Package: firebird2.5-classic-common,firebird2.5-super
Version: 2.5.2.26540.ds4
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: http://tracker.firebirdsql.org/browse/CORE-5474

Authenticated Firebird users are allowed to declare UDFs (user-defined 
functions). The default config allows using all entry points from the standard 
UDF library, which is dynamically linked with libc, with its symbols 
re-exported, including system().

Relevant upstream commits for 2.5:
 - https://github.com/FirebirdSQL/firebird/commit/9d9b9e0c94e201da489d1da81f858c570d3ca6ef
 - https://github.com/FirebirdSQL/firebird/commit/a802126cd501f641f00d6cda12d5d9ee3ecda6f5
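For administrators assessing exposure on 2.5 installs that cannot be upgraded immediately, the following audit script is an added example and not part of this bug report, the Debian package, or Firebird itself. It assumes Firebird's real `UdfAccess` key in firebird.conf (values `None`, `Full`, or `Restrict <dirs>`, defaulting to `Restrict UDF` when commented out) and the `RDB$FUNCTIONS` system table columns `RDB$FUNCTION_NAME`, `RDB$MODULE_NAME`, `RDB$ENTRYPOINT`; the sample config text and table rows are constructed. It flags the weak config modes and any declared external function whose entry point is a libc process-spawning symbol rather than a genuine UDF, which is exactly the condition the report describes (the stock UDF library re-exporting `system()`).

```python
"""Audit Firebird 2.5 UDF exposure: the UdfAccess setting in firebird.conf
plus declared external functions (RDB$FUNCTIONS rows) whose entry point is a
libc process-spawning routine rather than a genuine UDF.

Added example for bug #858641 / CVE-2017-6369; not Firebird or Debian code.
UdfAccess and the RDB$FUNCTIONS column names are Firebird's own; all sample
input below is constructed."""

# libc entry points that a UDF declaration should never name directly.
LIBC_SPAWN_SYMBOLS = {"system", "popen", "execl", "execv", "execve", "execvp"}


def parse_firebird_conf(text):
    """Return {key_lowercase: value} for active (uncommented) settings.
    firebird.conf syntax is 'Key = Value', with '#' starting a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def udf_access_risk(settings):
    """Classify the effective UdfAccess value as (level, explanation).

    Firebird defaults to 'Restrict UDF' when the key is commented out. Only
    'None' removes the UDF loading surface entirely; as this CVE shows,
    restricting to the stock UDF directory does not help when the shipped
    library itself re-exports libc symbols such as system()."""
    value = settings.get("udfaccess", "Restrict UDF")
    words = value.split()
    mode = words[0].lower() if words else "restrict"
    if mode == "none":
        return "ok", "UdfAccess = None: UDF loading is disabled"
    if mode == "full":
        return "high", ("UdfAccess = Full: any library on the filesystem "
                        "can be declared as a UDF module")
    return "medium", (f"UdfAccess = {value}: libraries in the listed "
                      "directory are loadable; confirm none re-export libc, "
                      "or upgrade to 2.5.7")


def suspicious_udfs(rows):
    """rows: iterable of (RDB$FUNCTION_NAME, RDB$MODULE_NAME, RDB$ENTRYPOINT)
    as returned by  SELECT RDB$FUNCTION_NAME, RDB$MODULE_NAME, RDB$ENTRYPOINT
    FROM RDB$FUNCTIONS.  Returns the declarations whose entry point names a
    libc spawn routine (CHAR columns are space padded, hence the strip)."""
    flagged = []
    for name, module, entry in rows:
        entry = (entry or "").strip()
        if entry.lower() in LIBC_SPAWN_SYMBOLS:
            flagged.append((name.strip(), (module or "").strip(), entry))
    return flagged


def audit(conf_text, rows):
    """Combine both checks into a list of human-readable findings."""
    level, note = udf_access_risk(parse_firebird_conf(conf_text))
    findings = [f"[{level}] {note}"]
    for name, module, entry in suspicious_udfs(rows):
        findings.append(f"[high] UDF {name} in module {module} "
                        f"points at libc entry point {entry}")
    return findings


if __name__ == "__main__":
    # Constructed sample input: the shipped default config line and two
    # declarations, one legitimate and one naming system() directly.
    sample_conf = "# firebird.conf excerpt\n#UdfAccess = Restrict UDF\n"
    sample_rows = [
        ("ASCII_CHAR", "ib_udf", "IB_UDF_ascii_char"),
        ("SHELL     ", "ib_udf", "system            "),
    ]
    for line in audit(sample_conf, sample_rows):
        print(line)
```

Run the `RDB$FUNCTIONS` query with isql against each database and feed the rows to `audit()`; a clean result on an unpatched 2.5 still leaves the default library's re-exported symbols reachable by any authenticated user, so the finding to act on is the config level itself (set `UdfAccess = None` where UDFs are unused) until the 2.5.7 fix is installed.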
