-=| Salvatore Bonaccorso, 10.03.2013 22:14:30 +0100 |=-
> Source: firebird2.5
> Severity: grave
> Tags: security
>
> Hi
>
> the following vulnerability was published for firebird2.5.
>
> CVE-2013-2492[0]:
> Request Processing Buffer Overflow Vulnerability
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see also [1] and [2].
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2492
>     http://security-tracker.debian.org/tracker/CVE-2013-2492
> [1] http://tracker.firebirdsql.org/browse/CORE-4058
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2492

Dear security team,

Please approve upload of firebird2.5 to stable-security with the attached (source) diff from the version currently in squeeze.

Attached is also the binary debdiff, just in case. It contains only version number changes.

Thanks,
    dam

diff -wu firebird2.5-2.5.0.26054~ReleaseCandidate3.ds2/debian/changelog firebird2.5-2.5.0.26054~ReleaseCandidate3.ds2/debian/changelog --- firebird2.5-2.5.0.26054~ReleaseCandidate3.ds2/debian/changelog +++ firebird2.5-2.5.0.26054~ReleaseCandidate3.ds2/debian/changelog @@ -1,3 +1,15 @@ +firebird2.5 (2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1) stable-security; urgency=high + + * Apply patch from upstream revision r57728 (unfuzzied) fixing a remote + unauthenticated stack overflow in the Firebird server (CVE-2013-2492) + CLoses: #702736 + * Apply patch from upstream revision r54702 fixing a crash (NULL pointer + dereference) when peraring an empty SQL statement with trace services + enabled (CVE-2012-5529) + Closes: #693210 + + -- Damyan Ivanov <d...@debian.org> Tue, 12 Mar 2013 10:21:04 +0200 + firebird2.5 (2.5.0.26054~ReleaseCandidate3.ds2-1) unstable; urgency=low * New upstream release candidate diff -wu firebird2.5-2.5.0.26054~ReleaseCandidate3.ds2/debian/patches/series firebird2.5-2.5.0.26054~ReleaseCandidate3.ds2/debian/patches/series --- firebird2.5-2.5.0.26054~ReleaseCandidate3.ds2/debian/patches/series +++ firebird2.5-2.5.0.26054~ReleaseCandidate3.ds2/debian/patches/series @@ -17,0 +18,2 @@ +upstream/r54702-cve-2012-5529.patch +upstream/r57728-cve-2013-2429.patch only in patch2: --- firebird2.5-2.5.0.26054~ReleaseCandidate3.ds2.orig/debian/patches/upstream/r54702-cve-2012-5529.patch +++ firebird2.5-2.5.0.26054~ReleaseCandidate3.ds2/debian/patches/upstream/r54702-cve-2012-5529.patch 
@@ -0,0 +1,20 @@ +Description: fix crash when preparing empty SQL statement with tracing enabled + Stolen from revision 54702 of upstream Subversion repository +Origin: http://firebird.svn.sourceforge.net/viewvc/firebird/firebird/branches/B2_5_Release/src/jrd/trace/TraceDSQLHelpers.h?r1=54702&r2=54701&pathrev=54702 +Bug: http://tracker.firebirdsql.org/browse/CORE-3884 +Bug-Debian: http://bugs.debian.org/693210 +Forwarded: not-needed +Author: Vlad Khorsun <hv...@sourceforge.net> +Applied-Upstream: 2.5.2 + +--- a/src/jrd/trace/TraceDSQLHelpers.h ++++ b/src/jrd/trace/TraceDSQLHelpers.h +@@ -88,7 +88,7 @@ public: + Firebird::string str(*getDefaultMemoryPool(), m_string, m_string_len); + + TraceFailedSQLStatement stmt(str); +- TraceManager::event_dsql_prepare(m_attachment, m_request->req_transaction, ++ TraceManager::event_dsql_prepare(m_attachment, m_request ? m_request->req_transaction : NULL, + &stmt, millis, result); + } + } only in patch2: --- firebird2.5-2.5.0.26054~ReleaseCandidate3.ds2.orig/debian/patches/upstream/r57728-cve-2013-2429.patch +++ firebird2.5-2.5.0.26054~ReleaseCandidate3.ds2/debian/patches/upstream/r57728-cve-2013-2429.patch 
@@ -0,0 +1,26 @@ +From: alexpeshkoff <alexpeshkoff@65644016-39b1-43b1-bf79-96bc8fe82c15> +Date: Wed, 6 Mar 2013 11:33:08 +0000 (+0000) +Subject: Fixed CORE-4058 + Fixes a remote, unauthenticated stack overflow + CVE-2013-2492 +X-Git-Url: http://anonscm.debian.org/gitweb/?p=pkg-firebird%2Fupstream.git;a=commitdiff_plain;h=9cacbca5093808e217ba68adaa469bd6179fb535 +Bug: http://tracker.firebirdsql.org/browse/CORE-4058 +Bug-Debian: http://bigs.debian.org/702736 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2492 + +Fixed CORE-4058 + +git-svn-id: svn://svn.code.sf.net/p/firebird/code/firebird/branches/B2_5_Release@57728 65644016-39b1-43b1-bf79-96bc8fe82c15 +--- + +--- a/src/remote/inet.cpp ++++ b/src/remote/inet.cpp +@@ -1056,7 +1056,7 @@ static bool accept_connection(rem_port* + case CNCT_group: + { + const size_t length = id.getClumpLength(); +- if (length != 0) ++ if (length <= sizeof(eff_gid) && length > 0) + { + eff_gid = 0; + memcpy(&eff_gid, id.getBytes(), length);
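
Review bot: In the debian/changelog hunk, the first bullet's bug reference is spelled "CLoses: #702736" while the second uses "Closes: #693210", and "peraring an empty SQL statement" should read "preparing". Please normalise both before upload, since the changelog text of a stable-security upload is what ends up in the advisory trail and the bug closure mail.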
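
Review bot: In the debian/patches/series hunk, the second added entry is "upstream/r57728-cve-2013-2429.patch", but the changelog entry and the patch's own Subject line give the identifier as CVE-2013-2492; the last digits are transposed in the file name. Anyone searching debian/patches for the CVE id will miss the fix, so rename the file and the series entry to match the id used everywhere else.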
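
Review bot: In the TraceDSQLHelpers.h hunk of r54702-cve-2012-5529.patch, the replacement line passes NULL as the transaction argument to TraceManager::event_dsql_prepare whenever m_request is null ("m_request ? m_request->req_transaction : NULL"), so the fix only holds if that function and whatever consumes the event accept a null transaction. Nothing in the visible context shows that; please confirm it against the squeeze source rather than the 2.5.2 tree the patch was taken from, and check whether any other m_request dereference in this helper needs the same guard.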
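
Review bot: In the inet.cpp hunk of the r57728 patch, the new condition "if (length <= sizeof(eff_gid) && length > 0)" bounds the memcpy, but an oversized CNCT_group clumplet is now skipped silently and accept_connection carries on with eff_gid left at its earlier value. Since the patch header describes this path as remote and unauthenticated, consider whether a malformed length should be logged or cause the connection to be refused instead of being ignored. The hunk changes only the CNCT_group case, so it is also worth confirming that any neighbouring cases in the same switch that copy clumplet bytes into fixed-size locals are bounded the same way. Separately, the Bug-Debian line in this patch header points at "http://bigs.debian.org/702736"; the host should be bugs.debian.org.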
File lists identical (after any substitutions) Control files of package firebird2.5-classic: lines which differ (wdiff format) ------------------------------------------------------------------------------- Depends: libc6 (>= 2.2.5), libfbembed2.5 (>= 2.5.0.25784~ReleaseCandidate1.ds2), libgcc1 (>= 1:4.1.1), libstdc++6 (>= 4.1.1), firebird2.5-common (= [-2.5.0.26054~ReleaseCandidate3.ds2-1+b1),-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1),+} netbase, firebird2.5-server-common (= [-2.5.0.26054~ReleaseCandidate3.ds2-1+b1),-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1),+} firebird2.5-classic-common (= [-2.5.0.26054~ReleaseCandidate3.ds2-1+b1),-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1),+} openbsd-inetd | inet-superserver, debconf (>= 0.5) | debconf-2.0, debconf (>= 1.4.69) | cdebconf (>= 0.43), firebird2.5-common-doc (= [-2.5.0.26054~ReleaseCandidate3.ds2-1)-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1)+} Source: firebird2.5 [-(2.5.0.26054~ReleaseCandidate3.ds2-1)-] Version: [-2.5.0.26054~ReleaseCandidate3.ds2-1+b1-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1+} Control files of package firebird2.5-classic-common: lines which differ (wdiff format) -------------------------------------------------------------------------------------- Source: firebird2.5 [-(2.5.0.26054~ReleaseCandidate3.ds2-1)-] Version: [-2.5.0.26054~ReleaseCandidate3.ds2-1+b1-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1+} Control files of package firebird2.5-common: lines which differ (wdiff format) ------------------------------------------------------------------------------ Depends: libc6 (>= 2.3), libgcc1 (>= 1:4.1.1), libicu44 (>= 4.4.1-1), libstdc++6 (>= 4.1.1), firebird2.5-common-doc (= [-2.5.0.26054~ReleaseCandidate3.ds2-1)-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1)+} Source: firebird2.5 [-(2.5.0.26054~ReleaseCandidate3.ds2-1)-] Version: [-2.5.0.26054~ReleaseCandidate3.ds2-1+b1-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1+} Control files of package 
firebird2.5-common-doc: lines which differ (wdiff format) ---------------------------------------------------------------------------------- Installed-Size: [-768-] {+752+} Version: [-2.5.0.26054~ReleaseCandidate3.ds2-1-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1+} Control files of package firebird2.5-dev: lines which differ (wdiff format) --------------------------------------------------------------------------- Depends: libfbclient2 (>= [-2.5.0.26054~ReleaseCandidate3.ds2-1),-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1),+} libib-util, firebird2.5-common-doc (= [-2.5.0.26054~ReleaseCandidate3.ds2-1)-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1)+} Installed-Size: [-368-] {+352+} Version: [-2.5.0.26054~ReleaseCandidate3.ds2-1-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1+} Control files of package firebird2.5-doc: lines which differ (wdiff format) --------------------------------------------------------------------------- Depends: firebird2.5-common-doc (= [-2.5.0.26054~ReleaseCandidate3.ds2-1)-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1)+} Installed-Size: [-704-] {+696+} Version: [-2.5.0.26054~ReleaseCandidate3.ds2-1-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1+} Control files of package firebird2.5-examples: lines which differ (wdiff format) -------------------------------------------------------------------------------- Depends: firebird2.5-common-doc (= [-2.5.0.26054~ReleaseCandidate3.ds2-1)-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1)+} Installed-Size: [-312-] {+304+} Version: [-2.5.0.26054~ReleaseCandidate3.ds2-1-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1+} Control files of package firebird2.5-server-common: lines which differ (wdiff format) ------------------------------------------------------------------------------------- Depends: adduser, libc6 (>= 2.3.2), libfbclient2 (>= 2.5.0.25784~ReleaseCandidate1.ds2), libgcc1 (>= 1:4.1.1), libstdc++6 (>= 4.1.1), firebird2.5-common-doc (= [-2.5.0.26054~ReleaseCandidate3.ds2-1)-] 
{+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1)+} Installed-Size: [-2216-] {+2212+} Source: firebird2.5 [-(2.5.0.26054~ReleaseCandidate3.ds2-1)-] Version: [-2.5.0.26054~ReleaseCandidate3.ds2-1+b1-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1+} Control files of package firebird2.5-super: lines which differ (wdiff format) ----------------------------------------------------------------------------- Depends: libc6 (>= 2.3.2), libedit2 (>= 2.11-20080614-1), libfbclient2 (>= 2.5.0.25784~ReleaseCandidate1.ds2), libgcc1 (>= 1:4.1.1), libib-util (>= 2.5.0.23247~Beta1.ds2), libicu44 (>= 4.4.1-1), libstdc++6 (>= 4.1.1), firebird2.5-common (= [-2.5.0.26054~ReleaseCandidate3.ds2-1+b1),-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1),+} firebird2.5-server-common (= [-2.5.0.26054~ReleaseCandidate3.ds2-1+b1),-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1),+} lsb-base, debconf (>= 0.5) | debconf-2.0, debconf (>= 1.4.69) | cdebconf (>= 0.43), firebird2.5-common-doc (= [-2.5.0.26054~ReleaseCandidate3.ds2-1)-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1)+} Source: firebird2.5 [-(2.5.0.26054~ReleaseCandidate3.ds2-1)-] Version: [-2.5.0.26054~ReleaseCandidate3.ds2-1+b1-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1+} Control files of package firebird2.5-superclassic: lines which differ (wdiff format) ------------------------------------------------------------------------------------ Depends: libc6 (>= 2.3), libfbembed2.5 (>= 2.5.0.25784~ReleaseCandidate1.ds2), libgcc1 (>= 1:4.1.1), libstdc++6 (>= 4.1.1), firebird2.5-common (= [-2.5.0.26054~ReleaseCandidate3.ds2-1+b1),-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1),+} netbase, firebird2.5-server-common (= [-2.5.0.26054~ReleaseCandidate3.ds2-1+b1),-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1),+} firebird2.5-classic-common (= [-2.5.0.26054~ReleaseCandidate3.ds2-1+b1),-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1),+} firebird2.5-common-doc (= [-2.5.0.26054~ReleaseCandidate3.ds2-1),-] 
{+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1),+} lsb-base, debconf (>= 0.5) | debconf-2.0, debconf (>= 1.4.69) | cdebconf (>= 0.43) Source: firebird2.5 [-(2.5.0.26054~ReleaseCandidate3.ds2-1)-] Version: [-2.5.0.26054~ReleaseCandidate3.ds2-1+b1-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1+} Control files of package libfbclient2: lines which differ (wdiff format) ------------------------------------------------------------------------ Depends: libc6 (>= 2.3), firebird2.5-common (= [-2.5.0.26054~ReleaseCandidate3.ds2-1+b1),-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1),+} firebird2.5-common-doc (= [-2.5.0.26054~ReleaseCandidate3.ds2-1)-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1)+} Source: firebird2.5 [-(2.5.0.26054~ReleaseCandidate3.ds2-1)-] Version: [-2.5.0.26054~ReleaseCandidate3.ds2-1+b1-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1+} Control files of package libfbembed2.5: lines which differ (wdiff format) ------------------------------------------------------------------------- Depends: libc6 (>= 2.3.2), libgcc1 (>= 1:4.1.1), libicu44 (>= 4.4.1-1), libstdc++6 (>= 4.1.1), firebird2.5-common (= [-2.5.0.26054~ReleaseCandidate3.ds2-1+b1),-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1),+} firebird2.5-server-common (= [-2.5.0.26054~ReleaseCandidate3.ds2-1+b1),-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1),+} firebird2.5-common-doc (= [-2.5.0.26054~ReleaseCandidate3.ds2-1)-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1)+} Source: firebird2.5 [-(2.5.0.26054~ReleaseCandidate3.ds2-1)-] Version: [-2.5.0.26054~ReleaseCandidate3.ds2-1+b1-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1+} Control files of package libib-util: lines which differ (wdiff format) ---------------------------------------------------------------------- Depends: libc6 (>= 2.2.5), libgcc1 (>= 1:4.1.1), libstdc++6 (>= 4.1.1), firebird2.5-common-doc (= [-2.5.0.26054~ReleaseCandidate3.ds2-1)-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1)+} Source: firebird2.5 
[-(2.5.0.26054~ReleaseCandidate3.ds2-1)-] Version: [-2.5.0.26054~ReleaseCandidate3.ds2-1+b1-] {+2.5.0.26054~ReleaseCandidate3.ds2-1+squeeze1+}