Re: Wheezy update of firebird2.5?

[Brian May <bam@debian.org>]

Damyan Ivanov <dmn@debian.org> writes:

> -=| Antoine Beaupré, 17.04.2018 12:59:26 -0400 |=-
>> I don't quite know where to go from here. I was somewhat hoping that
>> Wheezy would be magically not vulnerable to this issue, but obviously,
>> there's something wrong here that should probably be fixed.
>
> The only fix upstream has is to disable UDFs in firebird.conf -- 
> https://salsa.debian.org/firebird-team/firebird3.0/blob/master/debian/patches/deb/cve-2017-11509.patch 
> (probebly needs adaptation for firebird2.5, but you get the idea).

The patch appears to apply fine without dramas. Attached is the debdiff
from the previous LTS release.

Just compiling it now, but don't expect any problems.

Damyan,

Assuming I have write access to the firebird2.5 respository, do you have
any objections if I push my changes (including the previous LTS release)
to the wheezy branch in the git repository?

Regards
-- 
Brian May <bam@debian.org>

diff -Nru firebird2.5-2.5.2.26540.ds4/debian/changelog firebird2.5-2.5.2.26540.ds4/debian/changelog
--- firebird2.5-2.5.2.26540.ds4/debian/changelog	2017-03-30 06:01:20.000000000 +1100
+++ firebird2.5-2.5.2.26540.ds4/debian/changelog	2018-05-07 17:39:32.000000000 +1000
@@ -1,3 +1,13 @@
+firebird2.5 (2.5.2.26540.ds4-1~deb7u4) UNRELEASED; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * Disable UDFs in firebird.conf due to a remote authenticated code execution
+    vilnerability
+    https://www.tenable.com/security/research/tra-2017-36 (CVE-2017-11509)
+    http://tracker.firebirdsql.org/browse/CORE-5518
+
+ -- Brian May <bam@debian.org>  Mon, 07 May 2018 17:39:32 +1000
+
 firebird2.5 (2.5.2.26540.ds4-1~deb7u3) wheezy-security; urgency=high
 
   * Non-maintainer upload by the LTS Security Team.
diff -Nru firebird2.5-2.5.2.26540.ds4/debian/gbp.conf firebird2.5-2.5.2.26540.ds4/debian/gbp.conf
--- firebird2.5-2.5.2.26540.ds4/debian/gbp.conf	2013-07-23 08:21:41.000000000 +1000
+++ firebird2.5-2.5.2.26540.ds4/debian/gbp.conf	2018-05-07 17:39:32.000000000 +1000
@@ -1,2 +1,2 @@
 [DEFAULT]
-debian-branch=master
+debian-branch=wheezy
diff -Nru firebird2.5-2.5.2.26540.ds4/debian/patches/CVE-2017-11509.patch firebird2.5-2.5.2.26540.ds4/debian/patches/CVE-2017-11509.patch
--- firebird2.5-2.5.2.26540.ds4/debian/patches/CVE-2017-11509.patch	1970-01-01 10:00:00.000000000 +1000
+++ firebird2.5-2.5.2.26540.ds4/debian/patches/CVE-2017-11509.patch	2018-05-07 17:39:32.000000000 +1000
@@ -0,0 +1,23 @@
+Description: disable UDFs in firebird.conf
+ UDFs can be used for remote code execution. see
+ https://www.tenable.com/security/research/tra-2017-36 (CVE-2017-11509)
+ http://tracker.firebirdsql.org/browse/CORE-5518
+Author: Damyan Ivanov <dmn@debian.org>
+Forwarded: no, because upstream doesn't consider this to be a problem
+
+Index: firebird2.5/builds/install/misc/firebird.conf.in
+===================================================================
+--- firebird2.5.orig/builds/install/misc/firebird.conf.in
++++ firebird2.5/builds/install/misc/firebird.conf.in
+@@ -137,7 +137,10 @@
+ #
+ # Type: string (special format)
+ #
+-#UdfAccess = Restrict UDF
++# Debian maintainer note: UDFs can be used for remote code execution as the
++# 'firebird' user. See https://www.tenable.com/security/research/tra-2017-36
++# (CVE-2017-11509)
++UdfAccess = None
+ 
+ 
+ # ----------------------------
diff -Nru firebird2.5-2.5.2.26540.ds4/debian/patches/series firebird2.5-2.5.2.26540.ds4/debian/patches/series
--- firebird2.5-2.5.2.26540.ds4/debian/patches/series	2017-03-30 02:09:54.000000000 +1100
+++ firebird2.5-2.5.2.26540.ds4/debian/patches/series	2018-05-07 17:39:32.000000000 +1000
@@ -19,3 +19,4 @@
 out/crash-create-db-restricted.patch
 upstream/r60322-remote-crash.patch
 CVE-2017-6369.patch
+CVE-2017-11509.patch