Bug 20324

Summary: firebird new security issue CORE-5474 (CVE-2017-6369)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, lewyssmith, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://lwn.net/Vulnerabilities/715043/
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Source RPM: firebird-2.5.3.26778-4.mga5.src.rpm CVE:
Status comment:

Description David Walser 2017-02-20 01:20:08 CET 
openSUSE has issued an advisory today (February 19):
https://lists.opensuse.org/opensuse-updates/2017-02/msg00093.html

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated firebird packages fix security vulnerability:

A serious security problem existed with the access to undesired external
modules, even if 'Restrict' configuration mode was specified for UdfAccess
(CORE-5474).

References:
https://sourceforge.net/p/firebird/mailman/message/35666077/
http://tracker.firebirdsql.org/browse/CORE-5474
https://lists.opensuse.org/opensuse-updates/2017-02/msg00093.html
========================

Updated packages in core/updates_testing:
========================
firebird-2.5.3.26778-4.1.mga5
firebird-classic-2.5.3.26778-4.1.mga5
firebird-superclassic-2.5.3.26778-4.1.mga5
firebird-superserver-2.5.3.26778-4.1.mga5
firebird-devel-2.5.3.26778-4.1.mga5
firebird-utils-classic-2.5.3.26778-4.1.mga5
firebird-utils-superserver-2.5.3.26778-4.1.mga5
firebird-utils-common-2.5.3.26778-4.1.mga5
libfbclient2-2.5.3.26778-4.1.mga5
libfbembed2-2.5.3.26778-4.1.mga5
firebird-server-classic-2.5.3.26778-4.1.mga5
firebird-server-superserver-2.5.3.26778-4.1.mga5
firebird-server-common-2.5.3.26778-4.1.mga5

from firebird-2.5.3.26778-4.1.mga5.src.rpm
Dave Hodgins 2017-02-20 04:35:43 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

David Walser 2017-02-21 11:54:53 CET

URL: (none) => https://lwn.net/Vulnerabilities/715043/

Comment 1 Herman Viaene 2017-02-21 15:09:02 CET 
MGA5-32 on Asus A6000VM Xfce
All packages do not install as one cannot install firebird-classic AND the "super" versions together.
Used bug 8046 as test procedure
as root:
# systemctl start firebird-classic.socket
# systemctl -l status firebird-classic.socket
â firebird-classic.socket - Firebird Classic Activation Socket
   Loaded: loaded (/usr/lib/systemd/system/firebird-classic.socket; disabled)
   Active: active (listening) since di 2017-02-21 14:56:47 CET; 20s ago
   Listen: [::]:3050 (Stream)
 Accepted: 0; Connected: 0
As normal user:
$ isql-fb localhost:employee -user SYSDBA -password masterkey
Database:  localhost:employee, User: SYSDBA
SQL> create table t (col1 int, col2 int, col3 int);
SQL> insert into t values (100, 200, 300);
SQL> insert into t values (101, 201, 301);
SQL> insert into t values (102, 202, 302);
SQL> commit;
SQL> select * from t;

        COL1         COL2         COL3 
============ ============ ============ 
         100          200          300 
         101          201          301 
         102          202          302 

SQL> select col2, col3 from t as t1 where exists (select * from t as t2 order by t1.col2 );

        COL2         COL3 
============ ============ 
         200          300 
         201          301 
         202          302 

SQL> alter table t drop col1; 
SQL> select col2, col3 from t as t1 where exists (select * from t as t2 order by t1.col2 );

        COL2         COL3 
============ ============ 
         200          300 
         201          301 
         202          302 

SQL> commit;
SQL> select col2, col3 from t as t1 where exists (select * from t as t2 order by t1.col2 );

        COL2         COL3 
============ ============ 
         200          300 
         201          301 
         202          302 

SQL> drop table t;
Statement failed, SQLSTATE = 42000
unsuccessful metadata update
-object TABLE "T" is in use
SQL> commit;
SQL> drop table t;
SQL> exit;

CC: (none) => herman.viaene

Herman Viaene 2017-02-21 15:09:21 CET

Whiteboard: advisory => advisory MGA5-32-OK

Comment 2 Lewis Smith 2017-02-26 21:32:40 CET 
Testing M5_64

BEFORE the update
Installed from issued repositories:
 firebird-server-common-2.5.3.26778-4.mga5
 firebird-server-classic-2.5.3.26778-4.mga5
 firebird-classic-2.5.3.26778-4.mga5
 firebird-utils-common-2.5.3.26778-4.mga5
 firebird-utils-classic-2.5.3.26778-4.mga5

Ran the tests as indicated by Herman above from
 https://bugs.mageia.org/show_bug.cgi?id=8046#c0
[but where did you find out about socket rather than service - which does not exist?]

# systemctl start firebird-classic.socket
# systemctl status firebird-classic.socket
â firebird-classic.socket - Firebird Classic Activation Socket
   Loaded: loaded (/usr/lib/systemd/system/firebird-classic.socket; disabled)
   Active: active (listening) since Sul 2017-02-26 20:50:57 CET; 32s ago
   Listen: [::]:3050 (Stream)
 Accepted: 0; Connected: 0

$ isql-fb localhost:employee -user SYSDBA -password masterkey
Database:  localhost:employee, User: SYSDBA
SQL> create table t (col1 int, col2 int, col3 int);
SQL> insert into t values (100, 200, 300);
SQL> insert into t values (101, 201, 301);
SQL> insert into t values (102, 202, 302);
SQL> commit;
SQL> select * from t;
...
SQL> select col2, col3 from t as t1 where exists (select * from t as t2 order by t1.col2 );
...
SQL> alter table t drop col1;
SQL> commit;
SQL> select col2, col3 from t as t1 where exists (select * from t as t2 order by t1.col2 );
...
SQL> commit;
SQL> drop table t;
SQL> commit;
SQL> exit;
... = same output as shown in Comment 1.

# systemctl stop firebird-classic.socket

AFTER the update (accepted to use the rpmnew file):
 firebird-utils-classic-2.5.3.26778-4.1.mga5
 firebird-utils-common-2.5.3.26778-4.1.mga5
 firebird-server-classic-2.5.3.26778-4.1.mga5
 firebird-server-common-2.5.3.26778-4.1.mga5
 firebird-classic-2.5.3.26778-4.1.mga5

The entire root & user commands and output the same as previously.

Update OK. Validating, advisory already in place.

Keywords: (none) => validated_update
Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
CC: (none) => lewyssmith, sysadmin-bugs

Comment 3 Mageia Robot 2017-02-26 23:03:00 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0068.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 4 Herman Viaene 2017-02-27 15:18:09 CET 
@Lewis
I don't remember and apparently did not make a note of it. Probably some other update bug for firebird.
Comment 5 David Walser 2017-03-31 15:22:13 CEST 
According to Debian, this is CVE-2017-6369:
https://www.debian.org/security/2017/dsa-3824

Summary: firebird new security issue CORE-5474 => firebird new security issue CORE-5474 (CVE-2017-6369)