Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package firebird2.5

Version 2.5.3.26778.ds4-5 fixes an unauthenticated remote server crash 
(#772880). The fix is taken from upstream subversion commits.

 firebird2.5 (2.5.3.26778.ds4-5) unstable; urgency=high
 .
   * Apply patch from upstream revision 60322 fixing server crash (NULL-pointer
     dereference) with specially crafted service packet. Closes: #772880

Attached is the patch itself and debdiff since 2.5.3.26778.ds4-4 in jessie.


unblock firebird2.5/2.5.3.26778.ds4-5

Thanks,
        dam
Description: Fix unauthenticated remote crash
 Taken from upstream revision 60322
Origin: upstream; http://sourceforge.net/p/firebird/code/60322/

--- a/src/remote/protocol.cpp
+++ b/src/remote/protocol.cpp
@@ -398,6 +398,8 @@ bool_t xdr_protocol(XDR* xdrs, PACKET* p
 		MAP(xdr_short, reinterpret_cast<SSHORT&>(response->p_resp_object));
 		MAP(xdr_quad, response->p_resp_blob_id);
 		MAP(xdr_cstring, response->p_resp_data);
+		if (!response->p_resp_status_vector)	// incorrectly called - packet not prepared
+			return P_FALSE(xdrs, p);
 		return xdr_status_vector(xdrs, response->p_resp_status_vector) ?
 								 	P_TRUE(xdrs, p) : P_FALSE(xdrs, p);
 
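Review bot: The guard added before the xdr_status_vector call rejects the packet silently: a response with no prepared status vector is reported through the same P_FALSE path as any other XDR failure, so nothing records that a malformed or unexpected packet reached this point on what the changelog describes as an unauthenticated path. A debug trace or assertion at the guard would make the condition observable without changing the return value, and the comment could say who is expected to set the vector, e.g. `// p_resp_status_vector not set up by the caller (packet not prepared) - reject instead of dereferencing NULL`. xdr_protocol begins and ends outside the hunk, so whether other response branches reach xdr_status_vector without this check cannot be confirmed from here.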
@@ -1652,9 +1654,12 @@ static bool_t xdr_status_vector(XDR* xdr
 
 	SLONG vec;
 	SCHAR* sp = NULL;
+	ISC_STATUS* const end = &vector[ISC_STATUS_LENGTH];
 
 	while (true)
 	{
+		if (vector >= end)
+			return FALSE;
 		if (xdrs->x_op == XDR_ENCODE)
 			vec = (SLONG) * vector++;
 		if (!xdr_long(xdrs, &vec))
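Review bot: The bound `end` is computed from the constant ISC_STATUS_LENGTH rather than from the size of the buffer the caller actually passed, so the new `vector >= end` checks here and in the hunks at @@ -1670 and @@ -1700 are only sound if every caller hands xdr_status_vector a full ISC_STATUS_LENGTH-element array; the signature and the callers are outside the hunk, so this precondition should be stated at the function, e.g. `// vector must point to at least ISC_STATUS_LENGTH elements`. When a check trips on decode, the function returns FALSE with the vector filled to capacity but not terminated, so any caller that later walks the vector must not rely on a terminator being present; likewise, whether strings already allocated by xdr_wrapstring in the string cases are released on this early return cannot be seen from the hunk and deserves a look. The same three-line guard appears at three write sites; a single small inline helper (or a comment at the first one explaining that each write into `vector` must be preceded by the range check) would keep the copies from drifting apart.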
@@ -1670,6 +1675,8 @@ static bool_t xdr_status_vector(XDR* xdr
 		case isc_arg_interpreted:
 		case isc_arg_string:
 		case isc_arg_sql_state:
+			if (vector >= end)
+				return FALSE;
 			if (xdrs->x_op == XDR_ENCODE)
 			{
 				if (!xdr_wrapstring(xdrs, reinterpret_cast<SCHAR**>(vector++)))
@@ -1700,6 +1707,8 @@ static bool_t xdr_status_vector(XDR* xdr
 
 		case isc_arg_number:
 		default:
+			if (vector >= end)
+				return FALSE;
 			if (xdrs->x_op == XDR_ENCODE)
 				vec = (SLONG) * vector++;
 			if (!xdr_long(xdrs, &vec))
diff -Nru firebird2.5-2.5.3.26778.ds4/debian/changelog firebird2.5-2.5.3.26778.ds4/debian/changelog
--- firebird2.5-2.5.3.26778.ds4/debian/changelog	2014-11-14 23:09:51.000000000 +0200
+++ firebird2.5-2.5.3.26778.ds4/debian/changelog	2014-12-12 21:44:57.000000000 +0200
@@ -1,3 +1,10 @@
+firebird2.5 (2.5.3.26778.ds4-5) unstable; urgency=high
+
+  * Apply patch from upstream revision 60322 fixing server crash (NULL-pointer
+    dereference) with specially crafter service packet. Closes: #772880
+
+ -- Damyan Ivanov <d...@debian.org>  Fri, 12 Dec 2014 19:38:13 +0000
+
 firebird2.5 (2.5.3.26778.ds4-4) unstable; urgency=medium
 
   * add patch from upstream adding proper support for ppc64el
diff -Nru firebird2.5-2.5.3.26778.ds4/debian/patches/series firebird2.5-2.5.3.26778.ds4/debian/patches/series
--- firebird2.5-2.5.3.26778.ds4/debian/patches/series	2014-11-13 23:09:33.000000000 +0200
+++ firebird2.5-2.5.3.26778.ds4/debian/patches/series	2014-12-09 23:41:32.000000000 +0200
@@ -14,3 +14,4 @@
 out/spelling.patch
 out/fb_guard-lock-permissions.patch
 upstream/r60194-60204-ppcel.patch
+upstream/r60322-remote-crash.patch
diff -Nru firebird2.5-2.5.3.26778.ds4/debian/patches/upstream/r60322-remote-crash.patch firebird2.5-2.5.3.26778.ds4/debian/patches/upstream/r60322-remote-crash.patch
--- firebird2.5-2.5.3.26778.ds4/debian/patches/upstream/r60322-remote-crash.patch	1970-01-01 02:00:00.000000000 +0200
+++ firebird2.5-2.5.3.26778.ds4/debian/patches/upstream/r60322-remote-crash.patch	2014-12-09 23:41:32.000000000 +0200
@@ -0,0 +1,46 @@
+Description: Fix unauthenticated remote crash
+ Taken from upstream revision 60322
+Origin: upstream; http://sourceforge.net/p/firebird/code/60322/
+
+--- a/src/remote/protocol.cpp
++++ b/src/remote/protocol.cpp
+@@ -398,6 +398,8 @@ bool_t xdr_protocol(XDR* xdrs, PACKET* p
+ 		MAP(xdr_short, reinterpret_cast<SSHORT&>(response->p_resp_object));
+ 		MAP(xdr_quad, response->p_resp_blob_id);
+ 		MAP(xdr_cstring, response->p_resp_data);
++		if (!response->p_resp_status_vector)	// incorrectly called - packet not prepared
++			return P_FALSE(xdrs, p);
+ 		return xdr_status_vector(xdrs, response->p_resp_status_vector) ?
+ 								 	P_TRUE(xdrs, p) : P_FALSE(xdrs, p);
+ 
+@@ -1652,9 +1654,12 @@ static bool_t xdr_status_vector(XDR* xdr
+ 
+ 	SLONG vec;
+ 	SCHAR* sp = NULL;
++	ISC_STATUS* const end = &vector[ISC_STATUS_LENGTH];
+ 
+ 	while (true)
+ 	{
++		if (vector >= end)
++			return FALSE;
+ 		if (xdrs->x_op == XDR_ENCODE)
+ 			vec = (SLONG) * vector++;
+ 		if (!xdr_long(xdrs, &vec))
+@@ -1670,6 +1675,8 @@ static bool_t xdr_status_vector(XDR* xdr
+ 		case isc_arg_interpreted:
+ 		case isc_arg_string:
+ 		case isc_arg_sql_state:
++			if (vector >= end)
++				return FALSE;
+ 			if (xdrs->x_op == XDR_ENCODE)
+ 			{
+ 				if (!xdr_wrapstring(xdrs, reinterpret_cast<SCHAR**>(vector++)))
+@@ -1700,6 +1707,8 @@ static bool_t xdr_status_vector(XDR* xdr
+ 
+ 		case isc_arg_number:
+ 		default:
++			if (vector >= end)
++				return FALSE;
+ 			if (xdrs->x_op == XDR_ENCODE)
+ 				vec = (SLONG) * vector++;
+ 			if (!xdr_long(xdrs, &vec))
