Package: firebird2.5-classic-common,firebird2.5-super
Version: 2.5.2.26540.ds4
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: http://tracker.firebirdsql.org/browse/CORE-5474

Authenticated Firebird users are allowed to declare UDFs (user-defined functions). The default config allows using all entry points from the standard UDF library, which is dynamically linked with libc, with its symbols re-exported, including system().

Relevant upstream commits for 2.5:
- https://github.com/FirebirdSQL/firebird/commit/9d9b9e0c94e201da489d1da81f858c570d3ca6ef
- https://github.com/FirebirdSQL/firebird/commit/a802126cd501f641f00d6cda12d5d9ee3ecda6f5
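
An added example (not part of the original report or of Firebird's code): a Python check that reads a `firebird.conf` and reports whether UDF loading is still enabled on a host. It assumes the `UdfAccess` key with the values `None`, `Restrict <dirs>` and `Full`, and that an unset key means `Restrict UDF` on an unpatched 2.5 server; the sample files are constructed.

```python
import re

# Assumption: value an unpatched 2.5 server uses when the key is unset.
ASSUMED_DEFAULT = "Restrict UDF"
# Matched case-insensitively as a conservative choice for an audit.
KEY = re.compile(r"^\s*UdfAccess\s*=\s*(.*?)\s*$", re.IGNORECASE)


def udf_access_values(conf_text):
    """Return every uncommented UdfAccess value, or the assumed default if none."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]  # '#' starts a comment
        m = KEY.match(line)
        if m:
            found.append(m.group(1))
    return found or [ASSUMED_DEFAULT]


def classify(value):
    """Map one UdfAccess value to (mode, directories, udf_enabled)."""
    parts = value.split(None, 1)
    mode = parts[0].lower() if parts else ""
    if mode == "none":
        return ("none", [], False)
    if mode == "full":
        return ("full", [], True)
    if mode == "restrict":
        dirs = parts[1].split(";") if len(parts) > 1 else []
        return ("restrict", [d.strip() for d in dirs if d.strip()], True)
    return ("unknown", [], True)  # unparsable value: report it, do not trust it


def audit(conf_text):
    """True if any setting found still lets users declare UDFs."""
    return any(classify(v)[2] for v in udf_access_values(conf_text))


# Constructed sample files (not taken from any real host).
SAMPLE_DEFAULT = "# UDF paths\n#UdfAccess = Restrict UDF\nRemoteServicePort = 3050\n"
SAMPLE_HARDENED = "UdfAccess = None   # UDFs disabled\n"
SAMPLE_CUSTOM = "udfaccess = Restrict /opt/udf;/srv/extern\n"

if __name__ == "__main__":
    for name, text in [("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED),
                       ("custom", SAMPLE_CUSTOM)]:
        modes = [classify(v) for v in udf_access_values(text)]
        print(name, modes, "UDFs enabled" if audit(text) else "UDFs disabled")
```

A `restrict` result lists the directories whose libraries should then be reviewed for what they link against.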