I agree that this is a horrible coding style, but it's unlikely that
it's exploitable. As far as I can tell, the situation is follows:
* An attacker must change the system's error messages.
* This is only possible by setting LC_MESSAGES to a specially
crafted locale file.
* This in turn works only if you start the process from the command
line yourself, and the process must invoke the setlocale function.
Firebird does not seem to do this in the required way.
* This can only be a vulnerability if Firebird installs any
SUID/SGID binaries.
Further comments? I tend towards removing the security tag.
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
