Your message dated Sun, 26 Mar 2017 18:37:00 +0000
with message-id <[email protected]>
and subject line Re: Bug#858782: unblock: firebird3.0/3.0.1.32609.ds4-14
has caused the Debian Bug report #858782,
regarding unblock: firebird3.0/3.0.1.32609.ds4-14
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
858782: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858782
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Please unblock package firebird3.0

Changelog since 3.0.1.32609.ds4-13 (currently in testing):

firebird3.0 (3.0.1.32609.ds4-14) unstable; urgency=high

  * Apply commit 56e9a73c168 from upstream B3_0_Release branch
    fixing authenticated remote execution vulnerability (CVE-2017-6369,
    CORE-5474)
    Closes: #858644

Binary and source debdiffs attached.

unblock firebird3.0/3.0.1.32609.ds4-14
diff -Nru firebird3.0-3.0.1.32609.ds4/debian/changelog 
firebird3.0-3.0.1.32609.ds4/debian/changelog
--- firebird3.0-3.0.1.32609.ds4/debian/changelog        2017-01-14 
17:56:28.000000000 +0200
+++ firebird3.0-3.0.1.32609.ds4/debian/changelog        2017-03-25 
18:07:07.000000000 +0200
@@ -1,3 +1,12 @@
+firebird3.0 (3.0.1.32609.ds4-14) unstable; urgency=high
+
+  * Apply commit 56e9a73c168 from upstream B3_0_Release branch
+    fixing authenticated remote execution vulnerability (CVE-2017-6369,
+    CORE-5474)
+    Closes: #858644
+
+ -- Damyan Ivanov <[email protected]>  Sat, 25 Mar 2017 16:07:07 +0000
+
 firebird3.0 (3.0.1.32609.ds4-13) unstable; urgency=medium
 
   * Add Danish debconf translation by Joe Dalton (Closes: #850854)
diff -Nru firebird3.0-3.0.1.32609.ds4/debian/patches/series 
firebird3.0-3.0.1.32609.ds4/debian/patches/series
--- firebird3.0-3.0.1.32609.ds4/debian/patches/series   2017-01-14 
17:56:28.000000000 +0200
+++ firebird3.0-3.0.1.32609.ds4/debian/patches/series   2017-03-25 
17:54:15.000000000 +0200
@@ -1,4 +1,5 @@
 upstream/engine-unload-segfault.patch
+upstream/CORE-5474-remote-execution.patch
 out/obsolete-syslogd.target.patch
 out/honour-buildflags.patch
 out/no-copy-from-icu.patch
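
Review bot: The file this series entry pulls in,
upstream/CORE-5474-remote-execution.patch, has only the upstream commit id
and subject as its header. DEP-3 fields (Origin:, Bug:, Bug-Debian:) would
let later maintainers trace it to CORE-5474 and #858644 without reading
debian/changelog, and would make it obvious when the patch can be dropped
on the next upstream release.
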
diff -Nru 
firebird3.0-3.0.1.32609.ds4/debian/patches/upstream/CORE-5474-remote-execution.patch
 
firebird3.0-3.0.1.32609.ds4/debian/patches/upstream/CORE-5474-remote-execution.patch
--- 
firebird3.0-3.0.1.32609.ds4/debian/patches/upstream/CORE-5474-remote-execution.patch
        1970-01-01 02:00:00.000000000 +0200
+++ 
firebird3.0-3.0.1.32609.ds4/debian/patches/upstream/CORE-5474-remote-execution.patch
        2017-03-25 17:53:40.000000000 +0200
@@ -0,0 +1,81 @@
+56e9a73c16803c3544076edb2d6c4ca25815e541 Backported fix for CORE-5474: 
'Restrict UDF' is not effective, because fbudf.so is dynamically linked against 
libc
+diff --git a/src/common/os/mod_loader.h b/src/common/os/mod_loader.h
+index b27d35630d..b57af4ac9f 100644
+--- a/src/common/os/mod_loader.h
++++ b/src/common/os/mod_loader.h
+@@ -70,23 +70,15 @@ public:
+               /// Destructor
+               virtual ~Module() {}
+ 
+-#ifdef WIN_NT
+               const Firebird::PathName fileName;
+-#endif
+ 
+       protected:
+               /// The constructor is protected so normal code can't allocate 
instances
+               /// of the class, but the class itself is still able to be 
subclassed.
+-#ifdef WIN_NT
+               Module(MemoryPool& pool, const Firebird::PathName& aFileName)
+                       : fileName(pool, aFileName)
+               {
+               }
+-#else
+-              Module()
+-              {
+-              }
+-#endif
+ 
+       private:
+               /// Copy construction is not supported, hence the copy 
constructor is private
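
Review bot: With the #else branch removed, the no-argument Module()
constructor no longer exists on any platform, so every non-Windows subclass
must now pass a pool and a file name. This patch converts only DlfcnModule
in src/common/os/posix/mod_loader.cpp; please confirm that no other loader
built on a release architecture still calls Module(). A short comment on
fileName stating that findSymbol checks symbol origin against it would also
help, since the member is now security-relevant rather than Windows-only
bookkeeping.
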
+diff --git a/src/common/os/posix/mod_loader.cpp 
b/src/common/os/posix/mod_loader.cpp
+index a03c3065bc..2b42c59a5c 100644
+--- a/src/common/os/posix/mod_loader.cpp
++++ b/src/common/os/posix/mod_loader.cpp
+@@ -27,6 +27,7 @@
+ 
+ #include "firebird.h"
+ #include "../common/os/mod_loader.h"
++#include "../common/os/path_utils.h"
+ #ifdef HAVE_UNISTD_H
+ #include <unistd.h>
+ #endif
+@@ -39,8 +40,9 @@
+ class DlfcnModule : public ModuleLoader::Module
+ {
+ public:
+-      DlfcnModule(void* m)
+-              : module(m)
++      DlfcnModule(MemoryPool& pool, const Firebird::PathName& aFileName, 
void* m)
++              : ModuleLoader::Module(pool, aFileName),
++                module(m)
+       {}
+ 
+       ~DlfcnModule();
+@@ -104,7 +106,7 @@ ModuleLoader::Module* ModuleLoader::loadModule(const 
Firebird::PathName& modPath
+       system(command.c_str());
+ #endif
+ 
+-      return FB_NEW_POOL(*getDefaultMemoryPool()) DlfcnModule(module);
++      return FB_NEW_POOL(*getDefaultMemoryPool()) 
DlfcnModule(*getDefaultMemoryPool(), modPath, module);
+ }
+ 
+ DlfcnModule::~DlfcnModule()
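
Review bot: modPath is stored in fileName exactly as the caller passed it,
and findSymbol later compares it with info.dli_fname using !=. Please check
that the two spellings agree when the configured module path goes through a
symlink or contains redundant separators. If they can differ, symbols that
really do live in the module will be rejected; the check fails closed, so
this is a functionality risk rather than a bypass, but normalising the path
once here would make the comparison predictable.
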
+@@ -122,6 +124,18 @@ void* DlfcnModule::findSymbol(const Firebird::string& 
symName)
+ 
+               result = dlsym(module, newSym.c_str());
+       }
++
++#ifdef HAVE_DLADDR
++      if (!PathUtils::isRelative(fileName))
++      {
++              Dl_info info;
++              if (!dladdr(result, &info))
++                      return NULL;
++              if (fileName != info.dli_fname)
++                      return NULL;
++      }
++#endif
++
+       return result;
+ }
+ 
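
Review bot: The origin check added to findSymbol is skipped in two cases
that deserve at least a comment: when HAVE_DLADDR is undefined the whole
block compiles away, and when fileName is relative no dladdr comparison is
made. For this upload, please confirm from the build log that HAVE_DLADDR is
defined on every architecture, otherwise the binary ships without the
restriction while the changelog says the CVE is fixed. Separately,
dladdr(result, &info) can be reached with a NULL result when dlsym found
nothing; an early "if (!result) return NULL;" before the block would make
that path explicit.
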
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .changes but not in first
-----------------------------------------

Files in first .changes but not in second
-----------------------------------------

Control files of package firebird-dev: lines which differ (wdiff format)
------------------------------------------------------------------------
Depends: libfbclient2 (>= [-3.0.1.32609.ds4-13),-] {+3.0.1.32609.ds4-14),+} 
libib-util (>= [-3.0.1.32609.ds4-13),-] {+3.0.1.32609.ds4-14),+} 
firebird3.0-common-doc (= [-3.0.1.32609.ds4-13)-] {+3.0.1.32609.ds4-14)+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package firebird3.0-common: lines which differ (wdiff format)
------------------------------------------------------------------------------
Depends: firebird3.0-common-doc (= [-3.0.1.32609.ds4-13)-] 
{+3.0.1.32609.ds4-14)+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package firebird3.0-common-doc: lines which differ (wdiff format)
----------------------------------------------------------------------------------
Installed-Size: [-178-] {+179+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package firebird3.0-doc: lines which differ (wdiff format)
---------------------------------------------------------------------------
Depends: firebird3.0-common-doc (= [-3.0.1.32609.ds4-13)-] 
{+3.0.1.32609.ds4-14)+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package firebird3.0-examples: lines which differ (wdiff format)
--------------------------------------------------------------------------------
Depends: firebird3.0-common-doc (= [-3.0.1.32609.ds4-13)-] 
{+3.0.1.32609.ds4-14)+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package firebird3.0-server: lines which differ (wdiff format)
------------------------------------------------------------------------------
Depends: adduser, libc6 (>= 2.17), libfbclient2 (>= 
3.0.0~svn20110219r52404.ds3), libgcc1 (>= 1:3.0), libncurses5 (>= 6), 
libstdc++6 (>= 4.1.1), libtinfo5 (>= 6), libtommath1, firebird3.0-common (= 
[-3.0.1.32609.ds4-13),-] {+3.0.1.32609.ds4-14),+} firebird3.0-server-core (= 
[-3.0.1.32609.ds4-13),-] {+3.0.1.32609.ds4-14),+} firebird3.0-utils (= 
[-3.0.1.32609.ds4-13),-] {+3.0.1.32609.ds4-14),+} lsb-base (>= 3.0-6), debconf 
(>= 1.4.69), init-system-helpers (>= 1.18~), firebird3.0-common-doc (= 
[-3.0.1.32609.ds4-13)-] {+3.0.1.32609.ds4-14)+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package firebird3.0-server-core: lines which differ (wdiff format)
-----------------------------------------------------------------------------------
Depends: libc6 (>= 2.17), libfbclient2 (>= 3.0.0~svn20110219r52404.ds3), 
libgcc1 (>= 1:3.0), libib-util (>= 2.5.0.23247~Beta1.ds2), libncurses5 (>= 6), 
libstdc++6 (>= 4.1.1), libtinfo5 (>= 6), libtommath1, firebird3.0-common (= 
[-3.0.1.32609.ds4-13),-] {+3.0.1.32609.ds4-14),+} firebird3.0-common-doc (= 
[-3.0.1.32609.ds4-13)-] {+3.0.1.32609.ds4-14)+}
Installed-Size: [-9434-] {+9438+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package firebird3.0-server-core-dbgsym: lines which differ (wdiff format)
------------------------------------------------------------------------------------------
Depends: firebird3.0-server-core (= [-3.0.1.32609.ds4-13)-] 
{+3.0.1.32609.ds4-14)+}
Installed-Size: [-46624-] {+46631+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package firebird3.0-server-dbgsym: lines which differ (wdiff format)
-------------------------------------------------------------------------------------
Depends: firebird3.0-server (= [-3.0.1.32609.ds4-13)-] {+3.0.1.32609.ds4-14)+}
Installed-Size: [-5739-] {+5742+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package firebird3.0-utils: lines which differ (wdiff format)
-----------------------------------------------------------------------------
Depends: libc6 (>= 2.17), libedit2 (>= 2.11-20080614), libfbclient2 (>= 
3.0.0~svn20110219r52404.ds3), libgcc1 (>= 1:3.0), libncurses5 (>= 6), 
libstdc++6 (>= 4.1.1), libtinfo5 (>= 6), libtommath1, firebird3.0-common (= 
[-3.0.1.32609.ds4-13),-] {+3.0.1.32609.ds4-14),+} firebird3.0-common-doc (= 
[-3.0.1.32609.ds4-13)-] {+3.0.1.32609.ds4-14)+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package firebird3.0-utils-dbgsym: lines which differ (wdiff format)
------------------------------------------------------------------------------------
Depends: firebird3.0-utils (= [-3.0.1.32609.ds4-13)-] {+3.0.1.32609.ds4-14)+}
Installed-Size: [-11490-] {+11492+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package libfbclient2: lines which differ (wdiff format)
------------------------------------------------------------------------
Depends: libc6 (>= 2.17), libgcc1 (>= 1:3.0), libncurses5 (>= 6), libstdc++6 
(>= 4.1.1), libtinfo5 (>= 6), libtommath1, firebird3.0-common (= 
[-3.0.1.32609.ds4-13),-] {+3.0.1.32609.ds4-14),+} firebird3.0-common-doc (= 
[-3.0.1.32609.ds4-13)-] {+3.0.1.32609.ds4-14)+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package libfbclient2-dbgsym: lines which differ (wdiff format)
-------------------------------------------------------------------------------
Build-Ids: [-420705865d45ef8ee44df021faebd2d5dbaf367f-] 
{+b9f3f652689dd0027df979dbd3b2461c02cee7ee+}
Depends: libfbclient2 (= [-3.0.1.32609.ds4-13)-] {+3.0.1.32609.ds4-14)+}
Installed-Size: [-5611-] {+5613+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package libib-util: lines which differ (wdiff format)
----------------------------------------------------------------------
Depends: libc6 (>= 2.2.5), libgcc1 (>= 1:3.0), libstdc++6 (>= 4.1.1), 
firebird3.0-common-doc (= [-3.0.1.32609.ds4-13)-] {+3.0.1.32609.ds4-14)+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

Control files of package libib-util-dbgsym: lines which differ (wdiff format)
-----------------------------------------------------------------------------
Depends: libib-util (= [-3.0.1.32609.ds4-13)-] {+3.0.1.32609.ds4-14)+}
Version: [-3.0.1.32609.ds4-13-] {+3.0.1.32609.ds4-14+}

--- End Message ---
--- Begin Message ---
Damyan Ivanov:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
> 
> Please unblock package firebird3.0
> 
> Changelog since 3.0.1.32609.ds4-13 (currently in testing):
> 
> firebird3.0 (3.0.1.32609.ds4-14) unstable; urgency=high
> 
>   * Apply commit 56e9a73c168 from upstream B3_0_Release branch
>     fixing authenticated remote execution vulnerability (CVE-2017-6369,
>     CORE-5474)
>     Closes: #858644
> 
> Binary and source debdiffs attached.
> 
> unblock firebird3.0/3.0.1.32609.ds4-14
> 

Unblocked, thanks.

~Niels

--- End Message ---
