
[debian-lts] Firebird2.1



Hi all,

I would like to send a debdiff of the package firebird2.1 for review.

Could anyone please review it and give me some comments?

Thanks and best regards
Cong

--
=====================================================================
Nguyen The Cong (Mr)
Software Engineer
Toshiba Software Development (Vietnam) Co.,Ltd
519 Kim Ma street, Ba Dinh District, Hanoi, Vietnam
tel:    +84-4-2220 8801 (Ext. 208)
e-mail: cong.nguyenthe@toshiba-tsdv.com
=====================================================================


diff -u firebird2.1-2.1.3.18185-0.ds1/debian/changelog firebird2.1-2.1.3.18185-0.ds1/debian/changelog
--- firebird2.1-2.1.3.18185-0.ds1/debian/changelog
+++ firebird2.1-2.1.3.18185-0.ds1/debian/changelog
@@ -1,3 +1,15 @@
+firebird2.1 (2.1.3.18185-0.ds1-11+squeeze2) squeeze-lts; urgency=medium
+
+  * Non-maintainer upload.
+  * Patch for fixing CVE-2014-9323:
+    - Segfault in server caused by malformed network packet
+    See:
+    http://tracker.firebirdsql.org/browse/CORE-4630
+    Patch take from upstream:
+    http://sourceforge.net/p/firebird/code/60331
+
+ -- Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>  Sat, 27 Dec 2014 10:38:33 +0700
+
 firebird2.1 (2.1.3.18185-0.ds1-11+squeeze1) stable-security; urgency=high
 
   * Apply patch from upstream revision r57728 (unfuzzied) fixing a remote
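Review bot: the changelog entry has a typo, "Patch take from upstream:" should read "Patch taken from upstream:", and the two reference lines ("See:" and "Patch taken from upstream:") are indented like the "- Segfault ..." sub-bullet but carry no dash, so they render as a continuation of that sub-bullet. Suggest making each its own sub-item:
    - See: http://tracker.firebirdsql.org/browse/CORE-4630
    - Patch taken from upstream: http://sourceforge.net/p/firebird/code/60331
The version 2.1.3.18185-0.ds1-11+squeeze2 targeting squeeze-lts follows the previous +squeeze1 stable-security entry correctly.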
diff -u firebird2.1-2.1.3.18185-0.ds1/debian/patches/series firebird2.1-2.1.3.18185-0.ds1/debian/patches/series
--- firebird2.1-2.1.3.18185-0.ds1/debian/patches/series
+++ firebird2.1-2.1.3.18185-0.ds1/debian/patches/series
@@ -17,0 +18 @@
+upstream/r60331-cve-2014-9323.patch
only in patch2:
unchanged:
--- firebird2.1-2.1.3.18185-0.ds1.orig/debian/patches/upstream/r60331-cve-2014-9323.patch
+++ firebird2.1-2.1.3.18185-0.ds1/debian/patches/upstream/r60331-cve-2014-9323.patch
@@ -0,0 +1,49 @@
+Description: Segfault in server caused by malformed network packet CVE-2014-9323
+ - The xdr_status_vector function in Firebird 2.5x before
+ 2.5.3 SU1 allows remote attackers to cause a denial of service
+ (NULL pointer dereference, segmentation fault, and crash)
+ via an op_response action with a non-empty status.
+Origin: Upstream
+Bug: http://tracker.firebirdsql.org/browse/CORE-4630
+Applied-Upstream: See
+ http://sourceforge.net/p/firebird/code/60331 
+Last-Update: 2014-12-26
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/remote/protocol.cpp
++++ b/src/remote/protocol.cpp
+@@ -442,6 +442,8 @@ bool_t xdr_protocol(XDR* xdrs, PACKET* p
+ 			reinterpret_cast<SSHORT&>(response->p_resp_object));
+ 		MAP(xdr_quad, response->p_resp_blob_id);
+ 		MAP(xdr_cstring, response->p_resp_data);
++		if (!response->p_resp_status_vector)	// incorrectly called - packet not prepared
++			return P_FALSE(xdrs, p);
+ 		return xdr_status_vector(xdrs, response->p_resp_status_vector,
+ 								 reinterpret_cast<char**>(response->p_resp_strings))
+ 								 ? P_TRUE(xdrs, p) : P_FALSE(xdrs, p);
+@@ -1806,6 +1808,7 @@ static bool_t xdr_status_vector(
+ 	TEXT **sp, **end;
+ 	SLONG vec;
+ 	XDR temp_xdrs;
++	ISC_STATUS* const vector_end = &vector[ISC_STATUS_LENGTH];
+ 
+ /* If this is a free operation, release any allocated strings */
+ 
+@@ -1817,6 +1820,8 @@ static bool_t xdr_status_vector(
+ 	}
+ 
+ 	while (true) {
++		if (vector >= vector_end)
++			return FALSE;
+ 		if (xdrs->x_op == XDR_ENCODE)
+ 			vec = (SLONG) * vector++;
+ 		if (!xdr_long(xdrs, &vec))
+@@ -1857,6 +1862,8 @@ static bool_t xdr_status_vector(
+ 
+ 		case isc_arg_number:
+ 		default:
++			if (vector >= vector_end)
++				return FALSE;
+ 			if (xdrs->x_op == XDR_ENCODE)
+ 				vec = (SLONG) * vector++;
+ 			if (!xdr_long(xdrs, &vec))
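Review bot: the DEP-3 Description is the CVE text for Firebird 2.5.x ("before 2.5.3 SU1") while this package is 2.1.3, so the header should state that upstream r60331 was backported to 2.1 and that the hunks at protocol.cpp lines 442 and 1806 were verified to match the same code in this version. On the code: the bounds guard "if (vector >= vector_end) return FALSE;" is added before the first read in the while loop and in the "case isc_arg_number: default:" branch only; please confirm whether the other cases of that switch (outside the shown context) also advance vector and therefore need the same guard, since the attacker-controlled status vector is decoded there. Together with the new "if (!response->p_resp_status_vector)" check in xdr_protocol, which rejects an op_response packet whose status vector was never prepared, this covers both the NULL dereference and the overrun described in the header. Minor: the Applied-Upstream line "http://sourceforge.net/p/firebird/code/60331 " has trailing whitespace.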
