Bug 9322

Summary: CVE-2013-2492 Firebird: CNCT info remote stack buffer overflow
Product: Mageia Reporter: Philippe Makowski <makowski.mageia>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: luigiwalser, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/543278/
Whiteboard: has_procedure mga2-64-ok mga2-32-ok
Source RPM: firebird-2.5.2.26539.0-6 CVE:
Status comment:

Description Philippe Makowski 2013-03-10 21:45:02 CET 
Spencer McIntyre reports:

The FirebirdSQL server is vulnerable to a stack buffer overflow that can be
triggered when an unauthenticated user sends a specially crafted packet. The
result can lead to remote code execution as the user which runs the FirebirdSQL
server. 

Alexander Peshkov adds:

A reason is a bug when extracting a group number from the CNCT info, sent by 
client. Size of received data was not checked. Bug exists from the first most 
days of firebird.

The main irony here is that this group info was never used later in the code, 
and therefore was cleaned up in the trunk. I.e. trunk does not require fixing. 

This is fixed in snapshot builds, build numbers are 26623 for v2.5 and 18514 
for v2.1. Fix available in upstream SVN repository for B2_5_Release branch
(revision 57728).

Reproducible: 

Steps to Reproduce:
Comment 1 Philippe Makowski 2013-03-10 22:03:21 CET 
Updates should be available for  
Mageia 2 and Cauldron
Philippe Makowski 2013-03-11 19:40:19 CET

QA Contact: (none) => security

Comment 2 Manuel Hiebel 2013-03-11 20:00:15 CET 
Then you can reassign to QA. 
https://wiki.mageia.org/en/Updates_policy

Component: RPM Packages => Security
Whiteboard: (none) => MGA2TOO

Philippe Makowski 2013-03-11 20:08:27 CET

Assignee: bugsquad => qa-bugs

Comment 3 claire robinson 2013-03-12 12:52:57 CET 
Philippe we need srpm and rpms listing please.
claire robinson 2013-03-12 12:53:12 CET

Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)

claire robinson 2013-03-12 12:53:45 CET

Whiteboard: (none) => feedback

Comment 4 Philippe Makowski 2013-03-12 19:45:45 CET 
sorry
main package is  firebird-2.5.2.26539-2.mga2
(seems that cauldron is not pushed yet)

SRPM: firebird-2.5.2.26539-2.mga2.src.rpm
-----------------------------------------
firebird-classic
firebird-devel
firebird
firebird-server-classic
firebird-server-common
firebird-server-superserver
firebird-superclassic
firebird-superserver
firebird-utils-classic
firebird-utils-common
firebird-utils-superserver
lib64fbclient2
lib64fbembed2
Comment 5 David Walser 2013-03-18 21:52:43 CET 
Debian has issued an advisory for this on March 15:
http://www.debian.org/security/2013/dsa-2648

It also lists CVE-2012-5529, but the CVE entry says that affects 2.5.0 and 2.5.1.

Also, firebird has now been pushed in Cauldron.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2492
http://www.debian.org/security/2013/dsa-2648
http://tracker.firebirdsql.org/browse/CORE-4058

URL: http://tracker.firebirdsql.org/browse/CORE-4058 => http://lwn.net/Vulnerabilities/543278/
CC: (none) => luigiwalser
Whiteboard: feedback => (none)

Comment 6 Philippe Makowski 2013-03-18 22:01:55 CET 
I confirm CVE-2012-5529 was fixed in firebird 2.5.2 http://tracker.firebirdsql.org/browse/CORE-3884
Mageia 2 and cauldron packages were only afected by CVE-2013-2492
Comment 7 claire robinson 2013-03-21 14:57:09 CET 
PoC: attached to http://tracker.firebirdsql.org/browse/CORE-4058
Comment 8 claire robinson 2013-03-21 15:23:05 CET 
Testing x86_64

Before
------

Confirmed the crash using bof.py

# service firebird-superserver start
Starting firebird-superserver (via systemctl):                   [  OK  ]

# watch -n 1 "ps u -C fbserver"

In a separate terminal tab

$ python bof.py localhost

Noticing the Process ID of fbserver changes each time bof.py is run.
fbguard restarts it instantly IINM. Ctrl-C to exit 'watch'.

After
-----
# service firebird-superserver restart
Restarting firebird-superserver (via systemctl):                [  OK  ]
# watch -n 1 "ps u -C fbserver"

$ python bof.py localhost

PID remains unchanging so server is no longer crashing.

Whiteboard: (none) => has_procedure mga2-64-ok

Comment 9 claire robinson 2013-03-21 15:45:40 CET 
Philippe can you recommend a basic way to test firebird itself?

from /usr/share/doc/firebird-server-common/firebird.mga.releasenote

# gsec -user sysdba -pass masterkey -mo sysdba -pw icuryy4me
Warning - maximum 8 significant bytes of password used
use gsec -? to get help
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
unable to open database

Whiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok? feedback

Comment 10 claire robinson 2013-03-21 15:57:21 CET 
Docs say this should create a user and database but it doesn't seem to.

$ isql-fb -u testuser -p testpassword

SQL> create database 'testdb';
Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.

SQL> quit;
Comment 11 claire robinson 2013-03-21 16:06:08 CET 
$ isql-fb -user sysdba -pass masterkey
Use CONNECT or CREATE DATABASE to specify a database
SQL> create user sonny password 'cher_ie';
Use CONNECT or CREATE DATABASE to specify a database
SQL> alter user sonny password 'anewpass';
Use CONNECT or CREATE DATABASE to specify a database
SQL> quit;

$ isql-fb -user sonny -pass anewpass
Use CONNECT or CREATE DATABASE to specify a database
SQL> create database 'testdb';
Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
Comment 12 claire robinson 2013-03-21 16:10:28 CET 
Following procedure from last update has the same result..
https://bugs.mageia.org/show_bug.cgi?id=8046#c0

$ isql-fb localhost:employee -user SYSDBA -password masterkey
Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
Use CONNECT or CREATE DATABASE to specify a database
SQL>
Comment 13 claire robinson 2013-03-21 16:47:55 CET 
False alarm, problem solved. It must have had old data.
Cured by deleting /var/lib/firebird after uninstalling.

Tested OK with the previous procedure from bug 8046

Whiteboard: has_procedure mga2-64-ok? feedback => has_procedure mga2-64-ok

Comment 14 claire robinson 2013-03-21 16:56:17 CET 
Testing complete mga2 32

Validating

Advisory
-----------
The FirebirdSQL server is vulnerable to a stack buffer overflow that can be
triggered when an unauthenticated user sends a specially crafted packet. The
result can lead to remote code execution as the user which runs the FirebirdSQL
server. (CVE-2013-2492)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2492
http://www.debian.org/security/2013/dsa-2648
http://tracker.firebirdsql.org/browse/CORE-4058
----------------

SRPM: firebird-2.5.2.26539-2.mga2.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok mga2-32-ok
CC: (none) => sysadmin-bugs

Comment 15 Thomas Backlund 2013-04-02 22:07:38 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0102

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED