
Bug#773227: marked as done (unblock: firebird2.5/2.5.3.26778.ds4-5)



Your message dated Mon, 15 Dec 2014 20:22:09 +0000
with message-id <1418674929.5919.8.camel@adam-barratt.org.uk>
and subject line Re: Bug#773227: unblock: firebird2.5/2.5.3.26778.ds4-5
has caused the Debian Bug report #773227,
regarding unblock: firebird2.5/2.5.3.26778.ds4-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
773227: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773227
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package firebird2.5

Version 2.5.3.26778.ds4-5 fixes an unauthenticated remote server crash 
(#772880). The fix is taken from upstream subversion commits.

 firebird2.5 (2.5.3.26778.ds4-5) unstable; urgency=high
 .
   * Apply patch from upstream revision 60322 fixing server crash (NULL-pointer
     dereference) with specially crafted service packet. Closes: #772880

Attached is the patch itself and debdiff since 2.5.3.26778.ds4-4 in jessie.


unblock firebird2.5/2.5.3.26778.ds4-5

Thanks,
        dam
Description: Fix unauthenticated remote crash
 Taken from upstream revision 60322
Origin: upstream; http://sourceforge.net/p/firebird/code/60322/

--- a/src/remote/protocol.cpp
+++ b/src/remote/protocol.cpp
@@ -398,6 +398,8 @@ bool_t xdr_protocol(XDR* xdrs, PACKET* p
 		MAP(xdr_short, reinterpret_cast<SSHORT&>(response->p_resp_object));
 		MAP(xdr_quad, response->p_resp_blob_id);
 		MAP(xdr_cstring, response->p_resp_data);
+		if (!response->p_resp_status_vector)	// incorrectly called - packet not prepared
+			return P_FALSE(xdrs, p);
 		return xdr_status_vector(xdrs, response->p_resp_status_vector) ?
 								 	P_TRUE(xdrs, p) : P_FALSE(xdrs, p);
 
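Review bot: The new NULL check on `response->p_resp_status_vector` rejects the packet with P_FALSE, but its trailing comment "incorrectly called - packet not prepared" reads as an assertion rather than a statement of the contract a maintainer can check against. Suggest replacing it with `// p_resp_status_vector is presumably only set once the packet has been prepared; an unprepared packet must be rejected here rather than passed to xdr_status_vector, which would dereference NULL`. Note that this guard only covers the NULL pointer; the separate over-long-vector case is handled by the bounds checks added inside xdr_status_vector further down in the same patch. xdr_protocol starts and ends outside the hunk.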
@@ -1652,9 +1654,12 @@ static bool_t xdr_status_vector(XDR* xdr
 
 	SLONG vec;
 	SCHAR* sp = NULL;
+	ISC_STATUS* const end = &vector[ISC_STATUS_LENGTH];
 
 	while (true)
 	{
+		if (vector >= end)
+			return FALSE;
 		if (xdrs->x_op == XDR_ENCODE)
 			vec = (SLONG) * vector++;
 		if (!xdr_long(xdrs, &vec))
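Review bot: The new bound `ISC_STATUS* const end = &vector[ISC_STATUS_LENGTH];` hard-codes the caller's buffer capacity into xdr_status_vector, yet nothing in the visible code records that `vector` must point at at least ISC_STATUS_LENGTH entries; add `// vector must have room for ISC_STATUS_LENGTH entries; decoding stops (returns FALSE) before touching the first entry past it` next to the declaration. The same single-entry check is repeated in the hunks at @@ -1670 and @@ -1700; it is sufficient for cases that consume one entry per iteration, but if any case in the unseen part of the switch consumes two entries, that case would need `if (vector + 1 >= end) return FALSE;` instead. Returning FALSE on overrun presumably leaves a partially filled vector with no terminating entry, so callers should treat a FALSE result as meaning the vector is unusable, not merely truncated. The start of xdr_status_vector and the remainder of the loop body are outside the hunk.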
@@ -1670,6 +1675,8 @@ static bool_t xdr_status_vector(XDR* xdr
 		case isc_arg_interpreted:
 		case isc_arg_string:
 		case isc_arg_sql_state:
+			if (vector >= end)
+				return FALSE;
 			if (xdrs->x_op == XDR_ENCODE)
 			{
 				if (!xdr_wrapstring(xdrs, reinterpret_cast<SCHAR**>(vector++)))
@@ -1700,6 +1707,8 @@ static bool_t xdr_status_vector(XDR* xdr
 
 		case isc_arg_number:
 		default:
+			if (vector >= end)
+				return FALSE;
 			if (xdrs->x_op == XDR_ENCODE)
 				vec = (SLONG) * vector++;
 			if (!xdr_long(xdrs, &vec))
diff -Nru firebird2.5-2.5.3.26778.ds4/debian/changelog firebird2.5-2.5.3.26778.ds4/debian/changelog
--- firebird2.5-2.5.3.26778.ds4/debian/changelog	2014-11-14 23:09:51.000000000 +0200
+++ firebird2.5-2.5.3.26778.ds4/debian/changelog	2014-12-12 21:44:57.000000000 +0200
@@ -1,3 +1,10 @@
+firebird2.5 (2.5.3.26778.ds4-5) unstable; urgency=high
+
+  * Apply patch from upstream revision 60322 fixing server crash (NULL-pointer
+    dereference) with specially crafter service packet. Closes: #772880
+
+ -- Damyan Ivanov <dmn@debian.org>  Fri, 12 Dec 2014 19:38:13 +0000
+
 firebird2.5 (2.5.3.26778.ds4-4) unstable; urgency=medium
 
   * add patch from upstream adding proper support for ppc64el
diff -Nru firebird2.5-2.5.3.26778.ds4/debian/patches/series firebird2.5-2.5.3.26778.ds4/debian/patches/series
--- firebird2.5-2.5.3.26778.ds4/debian/patches/series	2014-11-13 23:09:33.000000000 +0200
+++ firebird2.5-2.5.3.26778.ds4/debian/patches/series	2014-12-09 23:41:32.000000000 +0200
@@ -14,3 +14,4 @@
 out/spelling.patch
 out/fb_guard-lock-permissions.patch
 upstream/r60194-60204-ppcel.patch
+upstream/r60322-remote-crash.patch
diff -Nru firebird2.5-2.5.3.26778.ds4/debian/patches/upstream/r60322-remote-crash.patch firebird2.5-2.5.3.26778.ds4/debian/patches/upstream/r60322-remote-crash.patch
--- firebird2.5-2.5.3.26778.ds4/debian/patches/upstream/r60322-remote-crash.patch	1970-01-01 02:00:00.000000000 +0200
+++ firebird2.5-2.5.3.26778.ds4/debian/patches/upstream/r60322-remote-crash.patch	2014-12-09 23:41:32.000000000 +0200
@@ -0,0 +1,46 @@
+Description: Fix unauthenticated remote crash
+ Taken from upstream revision 60322
+Origin: upstream; http://sourceforge.net/p/firebird/code/60322/
+
+--- a/src/remote/protocol.cpp
++++ b/src/remote/protocol.cpp
+@@ -398,6 +398,8 @@ bool_t xdr_protocol(XDR* xdrs, PACKET* p
+ 		MAP(xdr_short, reinterpret_cast<SSHORT&>(response->p_resp_object));
+ 		MAP(xdr_quad, response->p_resp_blob_id);
+ 		MAP(xdr_cstring, response->p_resp_data);
++		if (!response->p_resp_status_vector)	// incorrectly called - packet not prepared
++			return P_FALSE(xdrs, p);
+ 		return xdr_status_vector(xdrs, response->p_resp_status_vector) ?
+ 								 	P_TRUE(xdrs, p) : P_FALSE(xdrs, p);
+ 
+@@ -1652,9 +1654,12 @@ static bool_t xdr_status_vector(XDR* xdr
+ 
+ 	SLONG vec;
+ 	SCHAR* sp = NULL;
++	ISC_STATUS* const end = &vector[ISC_STATUS_LENGTH];
+ 
+ 	while (true)
+ 	{
++		if (vector >= end)
++			return FALSE;
+ 		if (xdrs->x_op == XDR_ENCODE)
+ 			vec = (SLONG) * vector++;
+ 		if (!xdr_long(xdrs, &vec))
+@@ -1670,6 +1675,8 @@ static bool_t xdr_status_vector(XDR* xdr
+ 		case isc_arg_interpreted:
+ 		case isc_arg_string:
+ 		case isc_arg_sql_state:
++			if (vector >= end)
++				return FALSE;
+ 			if (xdrs->x_op == XDR_ENCODE)
+ 			{
+ 				if (!xdr_wrapstring(xdrs, reinterpret_cast<SCHAR**>(vector++)))
+@@ -1700,6 +1707,8 @@ static bool_t xdr_status_vector(XDR* xdr
+ 
+ 		case isc_arg_number:
+ 		default:
++			if (vector >= end)
++				return FALSE;
+ 			if (xdrs->x_op == XDR_ENCODE)
+ 				vec = (SLONG) * vector++;
+ 			if (!xdr_long(xdrs, &vec))

--- End Message ---
--- Begin Message ---
On Mon, 2014-12-15 at 20:07 +0000, Damyan Ivanov wrote:
> Please unblock package firebird2.5

-5 already migrated to testing last night. :-)

Regards,

Adam

--- End Message ---
