-=| Salvatore Bonaccorso, 18.04.2026 21:08:27 +0200 |=-
> Source: firebird3.0
> Version: 3.0.13.ds7-2
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: [email protected], Debian Security Team
> <[email protected]>
>
> Hi,
>
> The following vulnerabilities were published for firebird3.0.
>
> CVE-2025-65104[0]:
> | Firebird is an open-source relational database management system. In
> | versions FB3 of the client library placed incorrect data length
> | values into XSQLDA fields when communicating with FB4 or higher
> | servers, resulting in an information leak. This issue is fixed by
> | upgrading to the FB4 client or higher.

Upstream fix for FB3 is in 247ebb1288939e31021edd9bdf6892475dd6d2fd

> CVE-2026-27890[1]:
> | Firebird is an open-source relational database management system. In
> | versions prior to 5.0.4, 4.0.7 and 3.0.14, when processing
> | CNCT_specific_data segments during authentication, the server
> | assumes segments arrive in strictly ascending order. If segments
> | arrive out of order, the Array class's grow() method computes a
> | negative size value, causing a SIGSEGV crash. An unauthenticated
> | attacker who knows only the server's IP and port can exploit this to
> | crash the server. This issue has been fixed in versions 5.0.4, 4.0.7
> | and 3.0.14.

Upstream fix for FB3 is in 6e937f09157a7c2aafdfebe618bc73f5f8c08067

> CVE-2026-28212[2]:
> | Firebird is an open-source relational database management system. In
> | versions prior to 6.0.0, 5.0.4, 4.0.7 and 3.0.14, when processing an
> | op_slice network packet, the server passes an unprepared structure
> | containing a null pointer to the SDL_info() function, resulting in a
> | null pointer dereference and server crash. An unauthenticated
> | attacker can trigger this by sending a crafted packet to the server
> | port. This issue has been fixed in versions 6.0.0, 5.0.4, 4.0.7 and
> | 3.0.14.

Upstream fix for FB3 is in 0b4a287d136426cc2fbae2ed75f4d12d579c65bf

> CVE-2026-28214[3]:
> | Firebird is an open-source relational database management system. In
> | versions prior to 5.0.4, 4.0.7 and 3.0.14, the
> | ClumpletReader::getClumpletSize() function can overflow the
> | totalLength value when parsing a Wide type clumplet, causing an
> | infinite loop. An authenticated user with INSERT privileges on any
> | table can exploit this via a crafted Batch Parameter Block to cause
> | a denial of service against the server. This issue has been fixed in
> | versions 5.0.4, 4.0.7 and 3.0.14.

Upstream fix for FB3 is in 3386555d7914f30ef565a8aa152565c1deb5b563

> CVE-2026-28224[4]:
> | Firebird is an open-source relational database management system. In
> | versions prior to 5.0.4, 4.0.7 and 3.0.14, when the server receives
> | an op_crypt_key_callback packet without prior authentication, the
> | port_server_crypt_callback handler is not initialized, resulting in
> | a null pointer dereference and server crash. An unauthenticated
> | attacker who knows only the server's IP and port can exploit this to
> | crash the server. This issue has been fixed in versions 5.0.4, 4.0.7
> | and 3.0.14.

Upstream fix for FB3 is in 323ea8ef3b87bfbfd4b1b8c3c99ae8c85ac23bfc

> CVE-2026-33337[5]:
> | Firebird is an open-source relational database management system. In
> | versions prior to 5.0.4, 4.0.7 and 3.0.14, when deserializing a
> | slice packet, the xdr_datum() function does not validate that a
> | cstring length conforms to the slice descriptor bounds, allowing a
> | cstring longer than the allocated buffer to overflow it. An
> | unauthenticated attacker can exploit this by sending a crafted
> | packet to the server, potentially causing a crash or other security
> | impact. This issue has been fixed in versions 5.0.4, 4.0.7 and
> | 3.0.14.

Upstream fix for FB3 is in 05252e5570051f5b5c2451116e930fbe255c50a3

> CVE-2026-34232[6]:
> | Firebird is an open-source relational database management system. In
> | versions prior to 5.0.4, 4.0.7 and 3.0.14, the xdr_status_vector()
> | function does not handle the isc_arg_cstring type when decoding an
> | op_response packet, causing a server crash when one is encountered
> | in the status vector. An unauthenticated attacker can exploit this
> | by sending a crafted op_response packet to the server. This issue
> | has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.

Upstream fix for FB3 is in ae05e8e518e68669a14f549ddd5ffe52085022c0

> CVE-2026-35215[7]:
> | Firebird is an open-source relational database management system. In
> | versions prior to 5.0.4, 4.0.7 and 3.0.14, the sdl_desc() function
> | does not validate the length of a decoded SDL descriptor from a
> | slice packet. A zero-length descriptor is later used to calculate
> | the number of slice items, causing a division by zero. An
> | unauthenticated attacker can exploit this by sending a crafted slice
> | packet to crash the server. This issue has been fixed in versions
> | 5.0.4, 4.0.7 and 3.0.14.

Upstream fix for FB3 is in df0f95969e4db2369df84e407577a2a794b13bcb

> CVE-2026-40342[8]:
> | Firebird is an open-source relational database management system. In
> | versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine
> | plugin loader concatenates a user-supplied engine name into a
> | filesystem path without filtering path separators or .. components.
> | An authenticated user with CREATE FUNCTION privileges can use a
> | crafted ENGINE name to load an arbitrary shared library from
> | anywhere on the filesystem via path traversal. The library's
> | initialization code executes immediately during loading, before
> | Firebird validates the module, achieving code execution as the
> | server's OS account. This issue has been fixed in versions 5.0.4,
> | 4.0.7 and 3.0.14.

Upstream fix for FB3 is in 001d0499dcea65318dcaf594c03b9c277cf7a5a3

--
Damyan
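The length-handling pattern behind CVE-2026-28214 (a declared length overflowing the running total) and CVE-2026-33337 (a length not checked against the enclosing bounds) is the same one, so here is an added, stand-alone illustration of the defensive check, written for this thread and not taken from Firebird's source. It assumes a simplified TLV layout (1-byte tag, 4-byte little-endian length, payload) rather than Firebird's exact clumplet encoding, and the sample buffers are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed simplified TLV layout for this example (not Firebird's exact clumplet
 * encoding): 1-byte tag, 4-byte little-endian length, then `length` payload bytes. */
typedef struct { const uint8_t *buf; size_t len; size_t pos; } reader_t;

static uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 1 when an item was read, 0 at a clean end of buffer, -1 on malformed input.
 * The declared length is compared with the bytes actually remaining, so a huge value
 * can neither wrap the running position nor advance it past the buffer. */
int read_item(reader_t *r, uint8_t *tag, const uint8_t **payload, uint32_t *payload_len) {
    if (r->pos == r->len) return 0;
    if (r->len - r->pos < 5) return -1;            /* truncated header */
    uint32_t n = rd_u32le(r->buf + r->pos + 1);
    size_t remaining = r->len - r->pos - 5;
    if (n > remaining) return -1;                  /* would overrun: reject instead of wrapping */
    *tag = r->buf[r->pos];
    *payload = r->buf + r->pos + 5;
    *payload_len = n;
    r->pos += 5 + (size_t)n;                       /* safe: n <= remaining */
    return 1;
}

/* Walks a buffer and counts items; returns -1 on malformed input rather than looping forever. */
int count_items(const uint8_t *buf, size_t len) {
    reader_t r = { buf, len, 0 };
    uint8_t tag; const uint8_t *p; uint32_t n; int rc, count = 0;
    while ((rc = read_item(&r, &tag, &p, &n)) == 1) count++;
    return rc == 0 ? count : -1;
}

/* Constructed sample inputs (not captured traffic) for a self-check. */
int demo_well_formed(void) {
    const uint8_t good[] = { 0x01, 3, 0, 0, 0, 'a', 'b', 'c', 0x02, 0, 0, 0, 0 };
    return count_items(good, sizeof good);         /* two items */
}
int demo_overflowing_length(void) {
    const uint8_t bad[] = { 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 'a' };  /* 5 + 0xFFFFFFFF wraps in 32 bits */
    return count_items(bad, sizeof bad);           /* rejected */
}
```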
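For CVE-2026-40342, the fix class is validating the user-supplied ENGINE name before it is ever joined to a path, since the description notes that a library's initialization code runs at load time, before any later module check. The following is an added illustration written for this thread, not Firebird's loader code; the allowlist, the 64-character cap and the plugin directory are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define ENGINE_NAME_MAX 64   /* assumed cap for this example */

/* Allowlist (assumption for this example): letters, digits, '_' and '-'. Excluding '.'
 * entirely rules out "." and ".." components as well as hidden-file names. */
static bool allowed_char(char c) {
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '_' || c == '-';
}

/* True only if `name` can serve as a single path component: non-empty, bounded in
 * length and free of '/', '\\', '.' and control characters. */
bool engine_name_is_safe(const char *name) {
    if (name == NULL) return false;
    size_t i = 0;
    for (; name[i] != '\0'; i++) {
        if (i >= ENGINE_NAME_MAX || !allowed_char(name[i])) return false;
    }
    return i > 0;
}

/* Composes plugin_dir/name only after the name validates, so nothing derived from the
 * user-supplied value reaches the dynamic loader otherwise. Returns the path length or -1. */
int build_engine_path(char *out, size_t outsz, const char *plugin_dir, const char *name) {
    if (!engine_name_is_safe(name)) return -1;
    int n = snprintf(out, outsz, "%s/%s", plugin_dir, name);
    if (n < 0 || (size_t)n >= outsz) return -1;   /* truncated: refuse rather than load */
    return n;
}

/* Constructed self-check against an assumed plugin directory. */
int demo_path_length(const char *name) {
    char buf[128];
    return build_engine_path(buf, sizeof buf, "/opt/firebird/plugins", name);
}
```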

