-=| Salvatore Bonaccorso, 18.04.2026 21:05:33 +0200 |=-
> Source: firebird4.0
> Version: 4.0.6.3221.ds6-2
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: [email protected], Debian Security Team
> <[email protected]>
>
> Hi,
>
> The following vulnerabilities were published for firebird4.0.
>
> CVE-2026-27890[0]:
> | Firebird is an open-source relational database management system. In
> | versions prior to 5.0.4, 4.0.7 and 3.0.14, when processing
> | CNCT_specific_data segments during authentication, the server
> | assumes segments arrive in strictly ascending order. If segments
> | arrive out of order, the Array class's grow() method computes a
> | negative size value, causing a SIGSEGV crash. An unauthenticated
> | attacker who knows only the server's IP and port can exploit this to
> | crash the server. This issue has been fixed in versions 5.0.4, 4.0.7
> | and 3.0.14.

Upstream fix for FB4 is in 1b087869214808cb878a9f3a37b0c6f348426e76

> CVE-2026-28212[1]:
> | Firebird is an open-source relational database management system. In
> | versions prior to 6.0.0, 5.0.4, 4.0.7 and 3.0.14, when processing an
> | op_slice network packet, the server passes an unprepared structure
> | containing a null pointer to the SDL_info() function, resulting in a
> | null pointer dereference and server crash. An unauthenticated
> | attacker can trigger this by sending a crafted packet to the server
> | port. This issue has been fixed in versions 6.0.0, 5.0.4, 4.0.7 and
> | 3.0.14.

Upstream fix for FB4 is in 8a44b0bb6c478849ef9b2a5c1c2ee32c5d8a16ab

> CVE-2026-28214[2]:
> | Firebird is an open-source relational database management system. In
> | versions prior to 5.0.4, 4.0.7 and 3.0.14, the
> | ClumpletReader::getClumpletSize() function can overflow the
> | totalLength value when parsing a Wide type clumplet, causing an
> | infinite loop. An authenticated user with INSERT privileges on any
> | table can exploit this via a crafted Batch Parameter Block to cause
> | a denial of service against the server. This issue has been fixed in
> | versions 5.0.4, 4.0.7 and 3.0.14.

Upstream fix for FB4 is in fa0c0b24bd1255459a37fd764c367276160a69dd

> CVE-2026-28224[3]:
> | Firebird is an open-source relational database management system. In
> | versions prior to 5.0.4, 4.0.7 and 3.0.14, when the server receives
> | an op_crypt_key_callback packet without prior authentication, the
> | port_server_crypt_callback handler is not initialized, resulting in
> | a null pointer dereference and server crash. An unauthenticated
> | attacker who knows only the server's IP and port can exploit this to
> | crash the server. This issue has been fixed in versions 5.0.4, 4.0.7
> | and 3.0.14.

Upstream fix for FB4 is in 6b0fe283e66780d1d4044e28da71f02584fbcef4

> CVE-2026-33337[4]:
> | Firebird is an open-source relational database management system. In
> | versions prior to 5.0.4, 4.0.7 and 3.0.14, when deserializing a
> | slice packet, the xdr_datum() function does not validate that a
> | cstring length conforms to the slice descriptor bounds, allowing a
> | cstring longer than the allocated buffer to overflow it. An
> | unauthenticated attacker can exploit this by sending a crafted
> | packet to the server, potentially causing a crash or other security
> | impact. This issue has been fixed in versions 5.0.4, 4.0.7 and
> | 3.0.14.

Upstream fix for FB4 is in 39a488a8ab5bfd1aa6f541da6af016b16f63ce3b

> CVE-2026-34232[5]:
> | Firebird is an open-source relational database management system. In
> | versions prior to 5.0.4, 4.0.7 and 3.0.14, the xdr_status_vector()
> | function does not handle the isc_arg_cstring type when decoding an
> | op_response packet, causing a server crash when one is encountered
> | in the status vector. An unauthenticated attacker can exploit this
> | by sending a crafted op_response packet to the server. This issue
> | has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.

Upstream fix for FB4 is in fec84c242e725256441721ad8f7f77a6dd05a7bf

> CVE-2026-35215[6]:
> | Firebird is an open-source relational database management system. In
> | versions prior to 5.0.4, 4.0.7 and 3.0.14, the sdl_desc() function
> | does not validate the length of a decoded SDL descriptor from a
> | slice packet. A zero-length descriptor is later used to calculate
> | the number of slice items, causing a division by zero. An
> | unauthenticated attacker can exploit this by sending a crafted slice
> | packet to crash the server. This issue has been fixed in versions
> | 5.0.4, 4.0.7 and 3.0.14.

Upstream fix for FB4 is in 8f3ae23aa6892cf4e732894b742eb7932a3250b7

> CVE-2026-40342[7]:
> | Firebird is an open-source relational database management system. In
> | versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine
> | plugin loader concatenates a user-supplied engine name into a
> | filesystem path without filtering path separators or .. components.
> | An authenticated user with CREATE FUNCTION privileges can use a
> | crafted ENGINE name to load an arbitrary shared library from
> | anywhere on the filesystem via path traversal. The library's
> | initialization code executes immediately during loading, before
> | Firebird validates the module, achieving code execution as the
> | server's OS account. This issue has been fixed in versions 5.0.4,
> | 4.0.7 and 3.0.14.

Upstream fix for FB4 is in 1a106229c354f23310d3cff956336553164522d6

--
Damyan
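The bug class behind CVE-2026-28214 (a totalLength that wraps while walking length-prefixed clumplets, so the cursor stops advancing and the loop never ends) and, in the same spirit, the unchecked cstring length of CVE-2026-33337, come down to length arithmetic that is not bounded by the bytes actually remaining. The following is an added illustration written for this page, not code from the bug report, from Firebird, or from the referenced upstream commits. It uses a deliberately simplified "wide clumplet" layout (1-byte tag, 4-byte little-endian length, payload), which is an assumption for the demo and not Firebird's real ClumpletReader encoding. `naiveWalk()` shows how 32-bit cursor arithmetic wraps on a crafted length; `safeWalk()` checks every declared length against the remaining buffer before using it. All sample buffers are constructed inline.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Demo-only "wide clumplet" layout (an assumption for this example, not
// Firebird's real ClumpletReader encoding): 1-byte tag, 4-byte little-endian
// length, then `length` bytes of payload.
static const size_t kHeaderSize = 5;

struct Clumplet {
    uint8_t  tag;
    uint32_t length;
    size_t   payloadOffset;   // index of the first payload byte in the buffer
};

enum class ParseStatus { Ok, TruncatedHeader, LengthExceedsBuffer };

static uint32_t readLe32(const uint8_t* p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

// Constructed sample item: the declared length is written as given, so it can
// deliberately disagree with the payload that is actually appended.
std::vector<uint8_t> makeClumplet(uint8_t tag, uint32_t declaredLen,
                                  const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> out;
    out.push_back(tag);
    for (int shift = 0; shift < 32; shift += 8)
        out.push_back((uint8_t)(declaredLen >> shift));
    out.insert(out.end(), payload.begin(), payload.end());
    return out;
}

// Naive walker in the style of the bug class described for CVE-2026-28214:
// the item size is computed as header + declared length in 32-bit arithmetic,
// so a length near UINT32_MAX wraps the sum to zero, the cursor never advances
// and the loop never ends. maxSteps is a demo-only guard so the function
// returns; a server running this loop would simply hang. Returns the number
// of iterations performed.
size_t naiveWalk(const std::vector<uint8_t>& buf, size_t maxSteps) {
    uint32_t pos = 0;
    const uint32_t end = (uint32_t)buf.size();
    size_t steps = 0;
    while (pos < end && steps < maxSteps) {
        ++steps;
        uint32_t totalLength = (uint32_t)kHeaderSize;
        if (end - pos >= kHeaderSize)
            totalLength += readLe32(&buf[pos + 1]);   // may wrap to 0
        pos += totalLength;                          // may leave pos unchanged
    }
    return steps;
}

// Bounds-checked walker: every comparison is made against the bytes that
// remain, so no addition can overflow, and an item whose declared length does
// not fit in the remaining buffer is rejected rather than skipped with a
// wrapped cursor.
ParseStatus safeWalk(const std::vector<uint8_t>& buf, std::vector<Clumplet>& out) {
    const size_t size = buf.size();
    size_t pos = 0;
    while (pos < size) {
        const size_t remaining = size - pos;
        if (remaining < kHeaderSize)
            return ParseStatus::TruncatedHeader;
        const uint32_t len = readLe32(&buf[pos + 1]);
        if (len > remaining - kHeaderSize)
            return ParseStatus::LengthExceedsBuffer;
        out.push_back({buf[pos], len, pos + kHeaderSize});
        pos += kHeaderSize + len;   // <= size, so it cannot overflow
    }
    return ParseStatus::Ok;
}

int main() {
    std::vector<uint8_t> good = makeClumplet(1, 3, {'a', 'b', 'c'});
    std::vector<uint8_t> second = makeClumplet(2, 0, {});
    good.insert(good.end(), second.begin(), second.end());

    // Crafted item: declared length 0xFFFFFFFB makes 5 + len wrap to 0.
    std::vector<uint8_t> crafted = makeClumplet(1, 0xFFFFFFFBu, {});

    std::vector<Clumplet> items;
    printf("good: naive steps=%zu safe=%d items=%zu\n",
           naiveWalk(good, 1000), (int)safeWalk(good, items), items.size());
    items.clear();
    printf("crafted: naive steps=%zu (hit guard) safe=%d\n",
           naiveWalk(crafted, 1000), (int)safeWalk(crafted, items));
    return 0;
}
```

The design point is that `safeWalk()` never computes `pos + header + len` before it has established that `len` fits in `remaining - header`; subtracting from what is left cannot overflow, whereas adding a caller-controlled length can. The same discipline is what a slice deserializer needs when it compares a cstring length against the descriptor bounds.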

