| Summary: | firebird: Segfault in server caused by bad packet (CVE-2014-9323) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Philippe Makowski <makowski.mageia> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | lewyssmith, olchal, sysadmin-bugs, wilcal.int |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/625784/ | ||
| Whiteboard: | has_procedure advisory MGA4-64-OK MGA4-32-OK | ||
| Source RPM: | firebird-2.5.2.26540-3.mga4 | CVE: | |
| Status comment: | |||
Description
Philippe Makowski
2014-12-04 16:56:20 CET
I guess you can assign to QA when there's a CVE and an announcement. I don't know anything about the CVE request, as it didn't happen on oss-security.

Packages built:
firebird-2.5.2.26540-4.mga4
firebird-classic-2.5.2.26540-4.mga4
firebird-superclassic-2.5.2.26540-4.mga4
firebird-superserver-2.5.2.26540-4.mga4
firebird-devel-2.5.2.26540-4.mga4
firebird-utils-classic-2.5.2.26540-4.mga4
firebird-utils-superserver-2.5.2.26540-4.mga4
firebird-utils-common-2.5.2.26540-4.mga4
libfbclient2-2.5.2.26540-4.mga4
libfbembed2-2.5.2.26540-4.mga4
firebird-server-classic-2.5.2.26540-4.mga4
firebird-server-superserver-2.5.2.26540-4.mga4
firebird-server-common-2.5.2.26540-4.mga4

from firebird-2.5.2.26540-4.mga4.src.rpm

Assignee:
security =>
makowski.mageia

The official announcement:

These updates fix the recently discovered security vulnerability (CORE-4630) that may be used for a remote DoS attack performed by unauthorized users

ref:
- http://www.firebirdsql.org/en/news/security-updates-for-v2-1-and-v2-5-series-66011/
- http://tracker.firebirdsql.org/browse/CORE-4630

Assignee:
makowski.mageia =>
qa-bugs
Philippe Makowski
2014-12-09 17:18:55 CET
Component:
RPM Packages =>
Security
Philippe Makowski
2014-12-09 17:19:54 CET
Whiteboard:
(none) =>
has_procedure

In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
firebird firebird-classic firebird-server-classic firebird-server-common firebird-utils-classic firebird-utils-common

default install of firebird firebird-classic firebird-server-classic firebird-server-common firebird-utils-classic firebird-utils-common

[root@localhost wilcal]# urpmi firebird
Package firebird-2.5.2.26540-3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi firebird-classic
Package firebird-classic-2.5.2.26540-3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi firebird-server-classic
Package firebird-server-classic-2.5.2.26540-3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi firebird-server-common
Package firebird-server-common-2.5.2.26540-3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi firebird-utils-classic
Package firebird-utils-classic-2.5.2.26540-3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi firebird-utils-common
Package firebird-utils-common-2.5.2.26540-3.mga4.i586 is already installed

Per https://bugs.mageia.org/show_bug.cgi?id=9322#c8

[root@localhost wilcal]# service firebird-superserver start
Cannot find firebird-superserver service
[root@localhost wilcal]# service firebird-server-classic start
Cannot find firebird-server-classic service
[root@localhost wilcal]# service firebird-server-common start
Cannot find firebird-server-common service

Have we a simple easier way to ensure this installed and is working properly?

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC:
(none) =>
wilcal.int

(In reply to William Kenney from comment #3)
> [root@localhost wilcal]# service firebird-superserver start
> Cannot find firebird-superserver service
> [root@localhost wilcal]# service firebird-server-classic start
> Cannot find firebird-server-classic service
> [root@localhost wilcal]# service firebird-server-common start
> Cannot find firebird-server-common service
>
> Have we a simple easier way to ensure this installed and is working properly?
>

Commands I found to start firebird services:

With firebird-server-superserver
# systemctl start firebird-superserver

With firebird-server-classic
# systemctl start firebird-classic.socket

I'm currently testing it on Mageia 4x64

CC:
(none) =>
olchal

(In reply to olivier charles from comment #4)
> I'm currently testing it on Mageia 4x64

If you don't win, I shall have a go also.

From the links given, this looks useful:-
http://tracker.firebirdsql.org/browse/CORE-4630
->
http://tracker.firebirdsql.org/secure/attachment/12642/crash.cpp
the latter apparently a program to show the fault (POC). "Test program causing server to die". Could be useful...

CC:
(none) =>
lewyssmith

Testing on Mageia 4x64, real hardware

Current packages :
----------------

- firebird-classic-2.5.2.26540-3.mga4.x86_64

# systemctl start firebird-classic.socket
# systemctl status -l firebird-classic.socket
firebird-classic.socket - Firebird Classic Activation Socket
   Loaded: loaded (/usr/lib/systemd/system/firebird-classic.socket; disabled)
   Active: active (listening) since mar. 2014-12-09 21:27:40 CET; 8s ago
   Listen: [::]:3050 (Stream)
 Accepted: 0; Connected: 0

- firebird-superserver-2.5.2.26540-3.mga4.x86_64

# systemctl status firebird-superserver
firebird-superserver.service - Firebird Database Server ( SuperServer )
   Loaded: loaded (/usr/lib/systemd/system/firebird-superserver.service; enabled)
   Active: active (running) since mar. 2014-12-09 22:00:23 CET; 4s ago

- firebird-superclassic-2.5.2.26540-3.mga4.x86_64

# systemctl start firebird-superclassic
# systemctl status firebird-superclassic
firebird-superclassic.service - Firebird Database Server ( SuperClassic )
   Loaded: loaded (/usr/lib/systemd/system/firebird-superclassic.service; enabled)
   Active: active (running) since mar. 2014-12-09 21:43:00 CET; 2min 57s ago

Used example found here :
https://bugs.mageia.org/show_bug.cgi?id=8046#c0

$ isql-fb localhost:employee -user SYSDBA -password masterkey
Database: localhost:employee, User: SYSDBA
SQL> create table t (col1 int, col2 int, col3 int);
SQL> insert into t values (100, 200, 300);
SQL> insert into t values (101, 201, 301);
SQL> insert into t values (102, 202, 302);
SQL> commit;
SQL> alter table t drop col1;
SQL> select col2, col3 from t as t1 where exists (select * from t as t2 order by t1.col2 );

        COL2         COL3
============ ============
         200          300
         201          301
         202          302

SQL> commit;
SQL> drop table t;
SQL> exit;

With updated-testing packages :
-----------------------------

- firebird-server-superserver-2.5.2.26540-4.mga4.x86_64
could start/stop/disable/enable service
Could test the isql -fb commands shown in example, which ran OK

- firebird-classic-2.5.2.26540-3.mga4.x86_64
could start/stop/disable/enable service

- firebird-superclassic-2.5.2.26540-4.mga4.x86_64
could start/stop/disable/enable service

Didn't know what to make with the crash.cpp file in PoC mentioned by Lewis in Comment 5.
What I saw seems OK to me otherwise.

Made an error in Comment 6,
With updated-testing packages, that was firebird-classic-2.5.2.26540-4.mga4.x86_64 I used (and not 26540-3 as I wrote).

I ran tests under mga4 32 so it seems that all is ok

Suggested Advisory
-----------------------
These updates fix the recently discovered security vulnerability (CORE-4630) that may be used for a remote DoS attack performed by unauthorized users

References:
- http://www.firebirdsql.org/en/news/security-updates-for-v2-1-and-v2-5-series-66011/
- http://tracker.firebirdsql.org/browse/CORE-4630

Updated packages :
firebird-2.5.2.26540-4.mga4
firebird-classic-2.5.2.26540-4.mga4
firebird-superclassic-2.5.2.26540-4.mga4
firebird-superserver-2.5.2.26540-4.mga4
firebird-devel-2.5.2.26540-4.mga4
firebird-utils-classic-2.5.2.26540-4.mga4
firebird-utils-superserver-2.5.2.26540-4.mga4
firebird-utils-common-2.5.2.26540-4.mga4
libfbclient2-2.5.2.26540-4.mga4
libfbembed2-2.5.2.26540-4.mga4
firebird-server-classic-2.5.2.26540-4.mga4
firebird-server-superserver-2.5.2.26540-4.mga4
firebird-server-common-2.5.2.26540-4.mga4

from firebird-2.5.2.26540-4.mga4.src.rpm

Whiteboard:
has_procedure =>
has_procedure MGA4-64-OK MGA4-32-OK

Thanks Philippe

Validating. Advisory uploaded.

Please push to updates

Thanks

Keywords:
(none) =>
validated_update

CVE request:
http://openwall.com/lists/oss-security/2014/12/10/4

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0523.html

Status:
NEW =>
RESOLVED
David Walser
2014-12-11 17:52:26 CET
URL:
http://tracker.firebirdsql.org/browse/CORE-4629 =>
http://lwn.net/Vulnerabilities/625784/
David Walser
2014-12-11 22:41:34 CET
Summary:
Segfault in server caused by bad packet =>
firebird: Segfault in server caused by bad packet

CVE id : CVE-2014-9323

Summary:
firebird: Segfault in server caused by bad packet =>
firebird: Segfault in server caused by bad packet CVE-2014-9323

Strange, maybe RedHat gave it the CVE? No response on oss-security.

Could someone add the CVE to the advisory in SVN?

Summary:
firebird: Segfault in server caused by bad packet CVE-2014-9323 =>
firebird: Segfault in server caused by bad packet (CVE-2014-9323)

(In reply to David Walser from comment #13)
> Strange, maybe RedHat gave it the CVE? No response on oss-security.
>

Don't know but RedHat made the change in the bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=1172445

But only Suse is listed here :
http://www.security-database.com/detail.php?alert=CVE-2014-9323
and no details for me here :
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9323

LWN reference for CVE-2014-9323:
http://lwn.net/Vulnerabilities/627313/