Re: Wheezy update of firebird2.5?
- To: Damyan Ivanov <dmn@debian.org>, Antoine Beaupré <anarcat@orangeseeds.org>
- Cc: Chris Lamb <lamby@debian.org>, debian-lts@lists.debian.org
- Subject: Re: Wheezy update of firebird2.5?
- From: Brian May <bam@debian.org>
- Date: Tue, 08 May 2018 17:19:56 +1000
- Message-id: <87bmdq8vhf.fsf@silverfish.pri>
- In-reply-to: <20180417180316.gfys3fwpryc54i3r@fbd7c150-3361-11e8-8c11-5badabdd4a8d>
- References: <1522827592.3097078.1325922792.355BC213@webmail.messagingengine.com> <20180404195414.dlrwh5lofi4xroba@fbd7c150-3361-11e8-8c11-5badabdd4a8d> <874lk9wyz5.fsf@curie.anarc.at> <20180417180316.gfys3fwpryc54i3r@fbd7c150-3361-11e8-8c11-5badabdd4a8d>
Damyan Ivanov <dmn@debian.org> writes:
> -=| Antoine Beaupré, 17.04.2018 12:59:26 -0400 |=-
>> I don't quite know where to go from here. I was somewhat hoping that
>> Wheezy would be magically not vulnerable to this issue, but obviously,
>> there's something wrong here that should probably be fixed.
>
> The only fix upstream has is to disable UDFs in firebird.conf --
> https://salsa.debian.org/firebird-team/firebird3.0/blob/master/debian/patches/deb/cve-2017-11509.patch
> (probably needs adaptation for firebird2.5, but you get the idea).
The patch appears to apply fine without dramas. Attached is the debdiff
from the previous LTS release.
Just compiling it now, but don't expect any problems.
Damyan,
Assuming I have write access to the firebird2.5 repository, do you have
any objections if I push my changes (including the previous LTS release)
to the wheezy branch in the git repository?
Regards
--
Brian May <bam@debian.org>
diff -Nru firebird2.5-2.5.2.26540.ds4/debian/changelog firebird2.5-2.5.2.26540.ds4/debian/changelog
--- firebird2.5-2.5.2.26540.ds4/debian/changelog 2017-03-30 06:01:20.000000000 +1100
+++ firebird2.5-2.5.2.26540.ds4/debian/changelog 2018-05-07 17:39:32.000000000 +1000
@@ -1,3 +1,13 @@
+firebird2.5 (2.5.2.26540.ds4-1~deb7u4) UNRELEASED; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * Disable UDFs in firebird.conf due to a remote authenticated code execution
+ vilnerability
+ https://www.tenable.com/security/research/tra-2017-36 (CVE-2017-11509)
+ http://tracker.firebirdsql.org/browse/CORE-5518
+
+ -- Brian May <bam@debian.org> Mon, 07 May 2018 17:39:32 +1000
+
firebird2.5 (2.5.2.26540.ds4-1~deb7u3) wheezy-security; urgency=high
* Non-maintainer upload by the LTS Security Team.
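Review bot: the new changelog entry has a typo and a placeholder distribution that should be fixed before upload. "vilnerability" should read "vulnerability", and the distribution field is still "UNRELEASED", whereas the previous deb7u3 entry in the context lines targets "wheezy-security"; the deb7u4 entry should use the same target when the package is actually uploaded. The entry also does not mention the gbp.conf change (debian-branch switched to wheezy) that is part of this same debdiff; a short line such as "* debian/gbp.conf: point debian-branch at wheezy" would keep the changelog complete.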
diff -Nru firebird2.5-2.5.2.26540.ds4/debian/gbp.conf firebird2.5-2.5.2.26540.ds4/debian/gbp.conf
--- firebird2.5-2.5.2.26540.ds4/debian/gbp.conf 2013-07-23 08:21:41.000000000 +1000
+++ firebird2.5-2.5.2.26540.ds4/debian/gbp.conf 2018-05-07 17:39:32.000000000 +1000
@@ -1,2 +1,2 @@
[DEFAULT]
-debian-branch=master
+debian-branch=wheezy
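Review bot: this switches the gbp.conf debian-branch from master to wheezy, which is a packaging-metadata change rather than part of the CVE-2017-11509 fix. It matches the intent stated in the mail (pushing the LTS changes to the wheezy branch), but it is not recorded in the changelog hunk above; either note it there or, if the branch is only a local convenience for the LTS uploader, consider keeping it out of the uploaded debdiff so the diff against deb7u3 stays limited to the security fix.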
diff -Nru firebird2.5-2.5.2.26540.ds4/debian/patches/CVE-2017-11509.patch firebird2.5-2.5.2.26540.ds4/debian/patches/CVE-2017-11509.patch
--- firebird2.5-2.5.2.26540.ds4/debian/patches/CVE-2017-11509.patch 1970-01-01 10:00:00.000000000 +1000
+++ firebird2.5-2.5.2.26540.ds4/debian/patches/CVE-2017-11509.patch 2018-05-07 17:39:32.000000000 +1000
@@ -0,0 +1,23 @@
+Description: disable UDFs in firebird.conf
+ UDFs can be used for remote code execution. see
+ https://www.tenable.com/security/research/tra-2017-36 (CVE-2017-11509)
+ http://tracker.firebirdsql.org/browse/CORE-5518
+Author: Damyan Ivanov <dmn@debian.org>
+Forwarded: no, because upstream doesn't consider this to be a problem
+
+Index: firebird2.5/builds/install/misc/firebird.conf.in
+===================================================================
+--- firebird2.5.orig/builds/install/misc/firebird.conf.in
++++ firebird2.5/builds/install/misc/firebird.conf.in
+@@ -137,7 +137,10 @@
+ #
+ # Type: string (special format)
+ #
+-#UdfAccess = Restrict UDF
++# Debian maintainer note: UDFs can be used for remote code execution as the
++# 'firebird' user. See https://www.tenable.com/security/research/tra-2017-36
++# (CVE-2017-11509)
++UdfAccess = None
+
+
+ # ----------------------------
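Review bot: the patch changes the shipped default by replacing the commented-out example "#UdfAccess = Restrict UDF" with an active "UdfAccess = None" in builds/install/misc/firebird.conf.in. Because this edits the configuration template rather than code, the hardening only takes effect on systems that pick up the new firebird.conf: if that file is installed as a dpkg conffile, existing installations with a locally modified firebird.conf will get a conffile prompt (or keep their old file under some upgrade policies) and remain with UDFs enabled. Consider a debian/NEWS entry telling administrators to set "UdfAccess = None" themselves when they keep their existing configuration, and mention that any deployment relying on UDFs will lose that functionality. Minor style points in the DEP-3 header: "see" at the start of the second Description line should be capitalised to match the rest of the header, and a "Bug:" or "Bug-Debian:" field would help readers find the tracking bug alongside the CORE-5518 and Tenable links already given.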
diff -Nru firebird2.5-2.5.2.26540.ds4/debian/patches/series firebird2.5-2.5.2.26540.ds4/debian/patches/series
--- firebird2.5-2.5.2.26540.ds4/debian/patches/series 2017-03-30 02:09:54.000000000 +1100
+++ firebird2.5-2.5.2.26540.ds4/debian/patches/series 2018-05-07 17:39:32.000000000 +1000
@@ -19,3 +19,4 @@
out/crash-create-db-restricted.patch
upstream/r60322-remote-crash.patch
CVE-2017-6369.patch
+CVE-2017-11509.patch