Spencer McIntyre reports: The FirebirdSQL server is vulnerable to a stack buffer overflow that can be triggered when an unauthenticated user sends a specially crafted packet. The result can lead to remote code execution as the user which runs the FirebirdSQL server.

Alexander Peshkov adds: The reason is a bug when extracting a group number from the CNCT info sent by the client. The size of the received data was not checked. The bug has existed since the earliest days of Firebird. The main irony here is that this group info was never used later in the code, and therefore was cleaned up in trunk, i.e. trunk does not require fixing.

This is fixed in snapshot builds; build numbers are 26623 for v2.5 and 18514 for v2.1. The fix is available in the upstream SVN repository for the B2_5_Release branch (revision 57728).
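The flaw described above (a client-supplied item length used as the size of a copy into a fixed-size stack variable) as an added illustrative example in C. This is not Firebird's source and not the attached PoC: the tag values CNCT_USER/CNCT_GROUP, the function names, the status codes and the sample packets are all assumptions constructed for this example. The unchecked parser shows the vulnerable pattern; the checked one bounds the copy by the destination size rather than by the byte the client sent.

```c
/* Illustrative CNCT-style parser: a list of tag / length / value items.
 * Tag numbers, names and status codes are assumptions for this example;
 * this is not Firebird's code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CNCT_USER  1   /* assumed tag: user name (variable length) */
#define CNCT_GROUP 2   /* assumed tag: group number, expected to be 4 bytes */

enum cnct_status { CNCT_OK = 0, CNCT_TRUNCATED = 1, CNCT_BAD_GROUP_LEN = 2 };

/* Vulnerable pattern: the item length comes from the client and is used as
 * the memcpy size, but the destination is a fixed 4-byte stack variable.
 * A group item longer than 4 bytes writes past 'group' into the frame. */
enum cnct_status parse_cnct_unchecked(const uint8_t *p, size_t len, int32_t *group_out)
{
    const uint8_t *end = p + len;
    int32_t group = -1;                         /* overflow target on the stack */
    while (p < end) {
        uint8_t tag = *p++;
        if (p == end) return CNCT_TRUNCATED;    /* tag without a length byte */
        size_t item_len = *p++;
        if ((size_t)(end - p) < item_len) return CNCT_TRUNCATED;
        if (tag == CNCT_GROUP)
            memcpy(&group, p, item_len);        /* item_len up to 255: stack overflow */
        p += item_len;
    }
    *group_out = group;
    return CNCT_OK;
}

/* Hardened form: the destination size, not the client's length, bounds the copy. */
enum cnct_status parse_cnct_checked(const uint8_t *p, size_t len, int32_t *group_out)
{
    const uint8_t *end = p + len;
    int32_t group = -1;
    while (p < end) {
        uint8_t tag = *p++;
        if (p == end) return CNCT_TRUNCATED;
        size_t item_len = *p++;
        if ((size_t)(end - p) < item_len) return CNCT_TRUNCATED;
        if (tag == CNCT_GROUP) {
            if (item_len != sizeof group) return CNCT_BAD_GROUP_LEN;
            memcpy(&group, p, sizeof group);
        }
        p += item_len;
    }
    *group_out = group;
    return CNCT_OK;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t benign_cnct[] = {
    CNCT_USER, 3, 'b', 'o', 'b',
    CNCT_GROUP, 4, 0x64, 0x00, 0x00, 0x00 };     /* group 100 on little-endian hosts */

static const uint8_t oversized_group_cnct[] = {
    CNCT_GROUP, 16,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A' };

static const uint8_t truncated_cnct[] = { CNCT_GROUP, 4, 0x64 };

int main(void)
{
    int32_t g = 0;
    enum cnct_status s;

    s = parse_cnct_checked(benign_cnct, sizeof benign_cnct, &g);
    printf("checked/benign:    status %d group %d\n", s, g);
    s = parse_cnct_checked(oversized_group_cnct, sizeof oversized_group_cnct, &g);
    printf("checked/oversized: status %d\n", s);
    s = parse_cnct_checked(truncated_cnct, sizeof truncated_cnct, &g);
    printf("checked/truncated: status %d\n", s);

    /* The unchecked parser is deliberately only run on the benign packet here;
     * feeding it oversized_group_cnct is the stack overflow the report describes. */
    s = parse_cnct_unchecked(benign_cnct, sizeof benign_cnct, &g);
    printf("unchecked/benign:  status %d group %d\n", s, g);
    return 0;
}
```

The check that matters is the one on item_len against sizeof group before the memcpy; the truncation checks only guard against reading past the packet, which the vulnerable version already does, so "we validate the length" is not enough unless the length is also compared with the destination.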
Updates should be available for Mageia 2 and Cauldron
QA Contact: (none) => security
Then you can reassign to QA. https://wiki.mageia.org/en/Updates_policy
Component: RPM Packages => Security
Whiteboard: (none) => MGA2TOO
Assignee: bugsquad => qa-bugs
Philippe, we need the SRPM and RPMs listing please.
Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)
Whiteboard: (none) => feedback
Sorry, the main package is firebird-2.5.2.26539-2.mga2 (it seems that cauldron is not pushed yet).

SRPM:
firebird-2.5.2.26539-2.mga2.src.rpm
-----------------------------------------
firebird-classic
firebird-devel
firebird
firebird-server-classic
firebird-server-common
firebird-server-superserver
firebird-superclassic
firebird-superserver
firebird-utils-classic
firebird-utils-common
firebird-utils-superserver
lib64fbclient2
lib64fbembed2
Debian has issued an advisory for this on March 15: http://www.debian.org/security/2013/dsa-2648

It also lists CVE-2012-5529, but the CVE entry says that affects 2.5.0 and 2.5.1.

Also, firebird has now been pushed in Cauldron.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2492
http://www.debian.org/security/2013/dsa-2648
http://tracker.firebirdsql.org/browse/CORE-4058
URL: http://tracker.firebirdsql.org/browse/CORE-4058 => http://lwn.net/Vulnerabilities/543278/
CC: (none) => luigiwalser
Whiteboard: feedback => (none)
I confirm CVE-2012-5529 was fixed in firebird 2.5.2: http://tracker.firebirdsql.org/browse/CORE-3884

Mageia 2 and cauldron packages were only affected by CVE-2013-2492.
PoC: attached to http://tracker.firebirdsql.org/browse/CORE-4058
Testing x86_64

Before
------
Confirmed the crash using bof.py

# service firebird-superserver start
Starting firebird-superserver (via systemctl): [ OK ]
# watch -n 1 "ps u -C fbserver"

In a separate terminal tab:
$ python bof.py localhost

Noticed that the process ID of fbserver changes each time bof.py is run. fbguard restarts it instantly IINM. Ctrl-C to exit 'watch'.

After
-----
# service firebird-superserver restart
Restarting firebird-superserver (via systemctl): [ OK ]
# watch -n 1 "ps u -C fbserver"
$ python bof.py localhost

The PID remains unchanging, so the server is no longer crashing.
Whiteboard: (none) => has_procedure mga2-64-ok
Philippe, can you recommend a basic way to test firebird itself?

From /usr/share/doc/firebird-server-common/firebird.mga.releasenote:

# gsec -user sysdba -pass masterkey -mo sysdba -pw icuryy4me
Warning - maximum 8 significant bytes of password used
use gsec -? to get help
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
unable to open database
Whiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok? feedback
Docs say this should create a user and database but it doesn't seem to.

$ isql-fb -u testuser -p testpassword
SQL> create database 'testdb';
Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
SQL> quit;
$ isql-fb -user sysdba -pass masterkey
Use CONNECT or CREATE DATABASE to specify a database
SQL> create user sonny password 'cher_ie';
Use CONNECT or CREATE DATABASE to specify a database
SQL> alter user sonny password 'anewpass';
Use CONNECT or CREATE DATABASE to specify a database
SQL> quit;

$ isql-fb -user sonny -pass anewpass
Use CONNECT or CREATE DATABASE to specify a database
SQL> create database 'testdb';
Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
Following the procedure from the last update has the same result: https://bugs.mageia.org/show_bug.cgi?id=8046#c0

$ isql-fb localhost:employee -user SYSDBA -password masterkey
Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
Use CONNECT or CREATE DATABASE to specify a database
SQL>
False alarm, problem solved. It must have had old data. Cured by deleting /var/lib/firebird after uninstalling. Tested OK with the previous procedure from bug 8046.
Whiteboard: has_procedure mga2-64-ok? feedback => has_procedure mga2-64-ok
Testing complete mga2 32

Validating

Advisory
-----------
The FirebirdSQL server is vulnerable to a stack buffer overflow that can be triggered when an unauthenticated user sends a specially crafted packet. The result can lead to remote code execution as the user which runs the FirebirdSQL server. (CVE-2013-2492)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2492
http://www.debian.org/security/2013/dsa-2648
http://tracker.firebirdsql.org/browse/CORE-4058
----------------
SRPM:
firebird-2.5.2.26539-2.mga2.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Keywords: (none) => validated_update
Whiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok mga2-32-ok
CC: (none) => sysadmin-bugs
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0102
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED