[pkg-firebird-general] Bug#858782: unblock: firebird3.0/3.0.1.32609.ds4-14

Damyan Ivanov dmn at debian.org
Sun Mar 26 17:40:07 UTC 2017


Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock

Please unblock package firebird3.0

Changelog since 3.0.1.32609.ds4-13 (currently in testing):

firebird3.0 (3.0.1.32609.ds4-14) unstable; urgency=high

  * Apply commit 56e9a73c168 from upstream B3_0_Release branch
    fixing authenticated remote execution vulnerability (CVE-2017-6369,
    CORE-5474)
    Closes: #858644

Binary and source debdiffs attached.

unblock firebird3.0/3.0.1.32609.ds4-14
-------------- next part --------------
diff -Nru firebird3.0-3.0.1.32609.ds4/debian/changelog firebird3.0-3.0.1.32609.ds4/debian/changelog
--- firebird3.0-3.0.1.32609.ds4/debian/changelog	2017-01-14 17:56:28.000000000 +0200
+++ firebird3.0-3.0.1.32609.ds4/debian/changelog	2017-03-25 18:07:07.000000000 +0200
@@ -1,3 +1,12 @@
+firebird3.0 (3.0.1.32609.ds4-14) unstable; urgency=high
+
+  * Apply commit 56e9a73c168 from upstream B3_0_Release branch
+    fixing authenticated remote execution vulnerability (CVE-2017-6369,
+    CORE-5474)
+    Closes: #858644
+
+ -- Damyan Ivanov <dmn at debian.org>  Sat, 25 Mar 2017 16:07:07 +0000
+
 firebird3.0 (3.0.1.32609.ds4-13) unstable; urgency=medium
 
   * Add Danish debconf translation by Joe Dalton (Closes: #850854)
diff -Nru firebird3.0-3.0.1.32609.ds4/debian/patches/series firebird3.0-3.0.1.32609.ds4/debian/patches/series
--- firebird3.0-3.0.1.32609.ds4/debian/patches/series	2017-01-14 17:56:28.000000000 +0200
+++ firebird3.0-3.0.1.32609.ds4/debian/patches/series	2017-03-25 17:54:15.000000000 +0200
@@ -1,4 +1,5 @@
 upstream/engine-unload-segfault.patch
+upstream/CORE-5474-remote-execution.patch
 out/obsolete-syslogd.target.patch
 out/honour-buildflags.patch
 out/no-copy-from-icu.patch
diff -Nru firebird3.0-3.0.1.32609.ds4/debian/patches/upstream/CORE-5474-remote-execution.patch firebird3.0-3.0.1.32609.ds4/debian/patches/upstream/CORE-5474-remote-execution.patch
--- firebird3.0-3.0.1.32609.ds4/debian/patches/upstream/CORE-5474-remote-execution.patch	1970-01-01 02:00:00.000000000 +0200
+++ firebird3.0-3.0.1.32609.ds4/debian/patches/upstream/CORE-5474-remote-execution.patch	2017-03-25 17:53:40.000000000 +0200
@@ -0,0 +1,81 @@
+56e9a73c16803c3544076edb2d6c4ca25815e541 Backported fix for CORE-5474: 'Restrict UDF' is not effective, because fbudf.so is dynamically linked against libc
+diff --git a/src/common/os/mod_loader.h b/src/common/os/mod_loader.h
+index b27d35630d..b57af4ac9f 100644
+--- a/src/common/os/mod_loader.h
++++ b/src/common/os/mod_loader.h
+@@ -70,23 +70,15 @@ public:
+ 		/// Destructor
+ 		virtual ~Module() {}
+ 
+-#ifdef WIN_NT
+ 		const Firebird::PathName fileName;
+-#endif
+ 
+ 	protected:
+ 		/// The constructor is protected so normal code can't allocate instances
+ 		/// of the class, but the class itself is still able to be subclassed.
+-#ifdef WIN_NT
+ 		Module(MemoryPool& pool, const Firebird::PathName& aFileName)
+ 			: fileName(pool, aFileName)
+ 		{
+ 		}
+-#else
+-		Module()
+-		{
+-		}
+-#endif
+ 
+ 	private:
+ 		/// Copy construction is not supported, hence the copy constructor is private
+diff --git a/src/common/os/posix/mod_loader.cpp b/src/common/os/posix/mod_loader.cpp
+index a03c3065bc..2b42c59a5c 100644
+--- a/src/common/os/posix/mod_loader.cpp
++++ b/src/common/os/posix/mod_loader.cpp
+@@ -27,6 +27,7 @@
+ 
+ #include "firebird.h"
+ #include "../common/os/mod_loader.h"
++#include "../common/os/path_utils.h"
+ #ifdef HAVE_UNISTD_H
+ #include <unistd.h>
+ #endif
+@@ -39,8 +40,9 @@
+ class DlfcnModule : public ModuleLoader::Module
+ {
+ public:
+-	DlfcnModule(void* m)
+-		: module(m)
++	DlfcnModule(MemoryPool& pool, const Firebird::PathName& aFileName, void* m)
++		: ModuleLoader::Module(pool, aFileName),
++		  module(m)
+ 	{}
+ 
+ 	~DlfcnModule();
+@@ -104,7 +106,7 @@ ModuleLoader::Module* ModuleLoader::loadModule(const Firebird::PathName& modPath
+ 	system(command.c_str());
+ #endif
+ 
+-	return FB_NEW_POOL(*getDefaultMemoryPool()) DlfcnModule(module);
++	return FB_NEW_POOL(*getDefaultMemoryPool()) DlfcnModule(*getDefaultMemoryPool(), modPath, module);
+ }
+ 
+ DlfcnModule::~DlfcnModule()
+@@ -122,6 +124,18 @@ void* DlfcnModule::findSymbol(const Firebird::string& symName)
+ 
+ 		result = dlsym(module, newSym.c_str());
+ 	}
++
++#ifdef HAVE_DLADDR
++	if (!PathUtils::isRelative(fileName))
++	{
++		Dl_info info;
++		if (!dladdr(result, &info))
++			return NULL;
++		if (fileName != info.dli_fname)
++			return NULL;
++	}
++#endif
++
+ 	return result;
+ }
+ 
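Review bot: The new ownership check in DlfcnModule::findSymbol is entirely inside `#ifdef HAVE_DLADDR`, so if the Debian build does not define HAVE_DLADDR the backport compiles to a no-op and the CVE-2017-6369 mitigation is silently absent; worth confirming in the build log or generated config header that the dladdr probe succeeds on every release architecture. The check is also skipped when `fileName` is relative (`if (!PathUtils::isRelative(fileName))`), so a module loaded via a relative path is not verified — presumably upstream only passes absolute UDF paths here, but that is not visible in this hunk and deserves a confirmation. A short why-comment would help the next maintainer, e.g. `// Only accept symbols that resolve inside this module itself, not in one of its dependencies (e.g. libc).` placed above the `#ifdef HAVE_DLADDR` block. findSymbol begins outside the hunk.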
-------------- next part --------------
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .changes but not in first
-----------------------------------------
-rw-r--r--  root/root   /usr/lib/debug/.build-id/0e/1030fbf8dc2030144882fb090405d3f7445a88.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/25/26d884a03a897414ddc119495a8272e0badc4e.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/25/4d0e1c45debc6abdbc915669347a8d5c41d2ee.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/3a/cd69f8972e1784250ad9c7ffbdfa076ec29a8f.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/43/b6efe476c4c5489438c808ceac3b3fc73a4be9.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/51/913a1b8f3d8fc3b95b1133153b3b95e1e802ed.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/a7/62efdf428daeced2f769986a9fb7b5fe758745.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/aa/c82d7c9cc832d7bbe15931e59f30bde437cd2e.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/b3/283cc5c2f69cfc0676a761be9c6e8e729e294e.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/b9/f3f652689dd0027df979dbd3b2461c02cee7ee.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/c7/9c4cb9e1327a84d73ab799f24d0f1860040abc.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/d0/8fcae651e574ab3a7765c9846e6b34d1e60a1a.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/e3/43ca492172fe1d8c426174bd2f708e956c79b6.debug

Files in first .changes but not in second
-----------------------------------------
-rw-r--r--  root/root   /usr/lib/debug/.build-id/07/330f263bd6a4bfaaa9e596d94a350b58465fd2.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/42/0705865d45ef8ee44df021faebd2d5dbaf367f.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/44/adc09d84064fce6502bde9515aa76575bf3e23.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/62/a96dd1bf3349d78f45438e7e70052d3a8ea272.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/71/46d417b22d8ac85fa1166611891d13bd7cf228.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/a8/a7f2bc90f8ca9c004cfdda82cff99f1365de1a.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/b5/6ff25a3b0eac3ef301a647477f6ef8ab74952a.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/c2/c6ee2e36a33063945824150c9b470e3effe8b6.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/c8/67e4ea4ebddc6efebc80de017059a697d7cd25.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/d4/d2c2d252df9afb1945846af9f2d00a5c58b0a1.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/e7/61857bfe340da61e0253c327513ce8eb7b0f9f.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/f3/7662896c4906590aa01b71d7a4278c94b24c9e.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/fb/cd2c875f651cdfd245659faa007db69d81685a.debug

Control files of package firebird-dev: lines which differ (wdiff format)
------------------------------------------------------------------------
Depends: libfbclient2 (>= [-3.0.1.32609.ds4-13),-] {+3.0.1.32609.ds4-14),+} libib-util (>= [-3.0.1.32609.ds4-13),-] {+3.0.1.32609.ds4-14),+} firebird3.0-common-doc (= [-3.0.1.32609.ds4-13)-] {+3.0.1.32609.ds4-14)+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package firebird3.0-common: lines which differ (wdiff format)
------------------------------------------------------------------------------
Depends: firebird3.0-common-doc (= [-3.0.1.32609.ds4-13)-] {+3.0.1.32609.ds4-14)+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package firebird3.0-common-doc: lines which differ (wdiff format)
----------------------------------------------------------------------------------
Installed-Size: [-178-] {+179+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package firebird3.0-doc: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: firebird3.0-common-doc (= [-3.0.1.32609.ds4-13)-] {+3.0.1.32609.ds4-14)+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package firebird3.0-examples: lines which differ (wdiff format)
--------------------------------------------------------------------------------
Depends: firebird3.0-common-doc (= [-3.0.1.32609.ds4-13)-] {+3.0.1.32609.ds4-14)+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package firebird3.0-server: lines which differ (wdiff format)
------------------------------------------------------------------------------
Depends: adduser, libc6 (>= 2.17), libfbclient2 (>= 3.0.0~svn20110219r52404.ds3), libgcc1 (>= 1:3.0), libncurses5 (>= 6), libstdc++6 (>= 4.1.1), libtinfo5 (>= 6), libtommath1, firebird3.0-common (= [-3.0.1.32609.ds4-13),-] {+3.0.1.32609.ds4-14),+} firebird3.0-server-core (= [-3.0.1.32609.ds4-13),-] {+3.0.1.32609.ds4-14),+} firebird3.0-utils (= [-3.0.1.32609.ds4-13),-] {+3.0.1.32609.ds4-14),+} lsb-base (>= 3.0-6), debconf (>= 1.4.69), init-system-helpers (>= 1.18~), firebird3.0-common-doc (= [-3.0.1.32609.ds4-13)-] {+3.0.1.32609.ds4-14)+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package firebird3.0-server-core: lines which differ (wdiff format)
-----------------------------------------------------------------------------------
Depends: libc6 (>= 2.17), libfbclient2 (>= 3.0.0~svn20110219r52404.ds3), libgcc1 (>= 1:3.0), libib-util (>= 2.5.0.23247~Beta1.ds2), libncurses5 (>= 6), libstdc++6 (>= 4.1.1), libtinfo5 (>= 6), libtommath1, firebird3.0-common (= [-3.0.1.32609.ds4-13),-] {+3.0.1.32609.ds4-14),+} firebird3.0-common-doc (= [-3.0.1.32609.ds4-13)-] {+3.0.1.32609.ds4-14)+}
Installed-Size: [-9434-] {+9438+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package firebird3.0-server-core-dbgsym: lines which differ (wdiff format)
------------------------------------------------------------------------------------------
Build-Ids: [-07330f263bd6a4bfaaa9e596d94a350b58465fd2-] {+2526d884a03a897414ddc119495a8272e0badc4e+} 3359b2dd874e8f2e71e45d725bfab92bec11d1b7 {+51913a1b8f3d8fc3b95b1133153b3b95e1e802ed+} 5cf6ce74c1c61eb719ea59d1adcf674e41162067 [-62a96dd1bf3349d78f45438e7e70052d3a8ea272-] 7986b79b8482b25799ae5979ccf04e268eaf47f0 [-c2c6ee2e36a33063945824150c9b470e3effe8b6 e761857bfe340da61e0253c327513ce8eb7b0f9f f37662896c4906590aa01b71d7a4278c94b24c9e fbcd2c875f651cdfd245659faa007db69d81685a-] {+a762efdf428daeced2f769986a9fb7b5fe758745 aac82d7c9cc832d7bbe15931e59f30bde437cd2e c79c4cb9e1327a84d73ab799f24d0f1860040abc e343ca492172fe1d8c426174bd2f708e956c79b6+}
Depends: firebird3.0-server-core (= [-3.0.1.32609.ds4-13)-] {+3.0.1.32609.ds4-14)+}
Installed-Size: [-46624-] {+46631+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package firebird3.0-server-dbgsym: lines which differ (wdiff format)
-------------------------------------------------------------------------------------
Build-Ids: 104955183697b0906380698ae585af83082b0f65 [-a8a7f2bc90f8ca9c004cfdda82cff99f1365de1a c867e4ea4ebddc6efebc80de017059a697d7cd25-] {+3acd69f8972e1784250ad9c7ffbdfa076ec29a8f d08fcae651e574ab3a7765c9846e6b34d1e60a1a+} ffcfa0b3b83b7b300ad7375331c8f164229588f6
Depends: firebird3.0-server (= [-3.0.1.32609.ds4-13)-] {+3.0.1.32609.ds4-14)+}
Installed-Size: [-5739-] {+5742+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package firebird3.0-utils: lines which differ (wdiff format)
-----------------------------------------------------------------------------
Depends: libc6 (>= 2.17), libedit2 (>= 2.11-20080614), libfbclient2 (>= 3.0.0~svn20110219r52404.ds3), libgcc1 (>= 1:3.0), libncurses5 (>= 6), libstdc++6 (>= 4.1.1), libtinfo5 (>= 6), libtommath1, firebird3.0-common (= [-3.0.1.32609.ds4-13),-] {+3.0.1.32609.ds4-14),+} firebird3.0-common-doc (= [-3.0.1.32609.ds4-13)-] {+3.0.1.32609.ds4-14)+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package firebird3.0-utils-dbgsym: lines which differ (wdiff format)
------------------------------------------------------------------------------------
Build-Ids: [-44adc09d84064fce6502bde9515aa76575bf3e23-] {+0e1030fbf8dc2030144882fb090405d3f7445a88 254d0e1c45debc6abdbc915669347a8d5c41d2ee 43b6efe476c4c5489438c808ceac3b3fc73a4be9+} 6a2a5fff04a1340e3917572e49bc6e6bda296c9e [-7146d417b22d8ac85fa1166611891d13bd7cf228-] a0bc7dfe3c6ba175ce9df5db3c5ae98049ee2a6c [-b56ff25a3b0eac3ef301a647477f6ef8ab74952a-] {+b3283cc5c2f69cfc0676a761be9c6e8e729e294e+} d2d1f584022944f85e91e0c8118130c0597fa44c [-d4d2c2d252df9afb1945846af9f2d00a5c58b0a1-] d5cdce411d259abb900d2810dcec7c3b7c83d1d5
Depends: firebird3.0-utils (= [-3.0.1.32609.ds4-13)-] {+3.0.1.32609.ds4-14)+}
Installed-Size: [-11490-] {+11492+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package libfbclient2: lines which differ (wdiff format)
------------------------------------------------------------------------
Depends: libc6 (>= 2.17), libgcc1 (>= 1:3.0), libncurses5 (>= 6), libstdc++6 (>= 4.1.1), libtinfo5 (>= 6), libtommath1, firebird3.0-common (= [-3.0.1.32609.ds4-13),-] {+3.0.1.32609.ds4-14),+} firebird3.0-common-doc (= [-3.0.1.32609.ds4-13)-] {+3.0.1.32609.ds4-14)+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package libfbclient2-dbgsym: lines which differ (wdiff format)
-------------------------------------------------------------------------------
Build-Ids: [-420705865d45ef8ee44df021faebd2d5dbaf367f-] {+b9f3f652689dd0027df979dbd3b2461c02cee7ee+}
Depends: libfbclient2 (= [-3.0.1.32609.ds4-13)-] {+3.0.1.32609.ds4-14)+}
Installed-Size: [-5611-] {+5613+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package libib-util: lines which differ (wdiff format)
----------------------------------------------------------------------
Depends: libc6 (>= 2.2.5), libgcc1 (>= 1:3.0), libstdc++6 (>= 4.1.1), firebird3.0-common-doc (= [-3.0.1.32609.ds4-13)-] {+3.0.1.32609.ds4-14)+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package libib-util-dbgsym: lines which differ (wdiff format)
-----------------------------------------------------------------------------
Depends: libib-util (= [-3.0.1.32609.ds4-13)-] {+3.0.1.32609.ds4-14)+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

