Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package firebird2.5 Version 2.5.3.26778.ds4-5 fixes an unauthenticated remote server crash (#772880). The fix is taken from upstream subversion commits. firebird2.5 (2.5.3.26778.ds4-5) unstable; urgency=high . * Apply patch from upstream revision 60322 fixing server crash (NULL-pointer dereference) with specially crafted service packet. Closes: #772880 Attached is the patch itself and debdiff since 2.5.3.26778.ds4-4 in jessie. unblock firebird2.5/2.5.3.26778.ds4-5 Thanks, dam
Description: Fix unauthenticated remote crash
 Taken from upstream revision 60322
Origin: upstream; http://sourceforge.net/p/firebird/code/60322/
--- a/src/remote/protocol.cpp
+++ b/src/remote/protocol.cpp
@@ -398,6 +398,8 @@ bool_t xdr_protocol(XDR* xdrs, PACKET* p
 		MAP(xdr_short, reinterpret_cast<SSHORT&>(response->p_resp_object));
 		MAP(xdr_quad, response->p_resp_blob_id);
 		MAP(xdr_cstring, response->p_resp_data);
+		if (!response->p_resp_status_vector) // incorrectly called - packet not prepared
+			return P_FALSE(xdrs, p);
 		return xdr_status_vector(xdrs, response->p_resp_status_vector) ?
 			P_TRUE(xdrs, p) : P_FALSE(xdrs, p);
 
@@ -1652,9 +1654,12 @@ static bool_t xdr_status_vector(XDR* xdr
 
 	SLONG vec;
 	SCHAR* sp = NULL;
+	ISC_STATUS* const end = &vector[ISC_STATUS_LENGTH];
 
 	while (true)
 	{
+		if (vector >= end)
+			return FALSE;
 		if (xdrs->x_op == XDR_ENCODE)
 			vec = (SLONG) * vector++;
 		if (!xdr_long(xdrs, &vec))
@@ -1670,6 +1675,8 @@ static bool_t xdr_status_vector(XDR* xdr
 	case isc_arg_interpreted:
 	case isc_arg_string:
 	case isc_arg_sql_state:
+		if (vector >= end)
+			return FALSE;
 		if (xdrs->x_op == XDR_ENCODE)
 		{
 			if (!xdr_wrapstring(xdrs, reinterpret_cast<SCHAR**>(vector++)))
@@ -1700,6 +1707,8 @@ static bool_t xdr_status_vector(XDR* xdr
 
 	case isc_arg_number:
 	default:
+		if (vector >= end)
+			return FALSE;
 		if (xdrs->x_op == XDR_ENCODE)
 			vec = (SLONG) * vector++;
 		if (!xdr_long(xdrs, &vec))
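Review bot: The new NULL check on `p_resp_status_vector` only rejects an unprepared packet; it says nothing about how many entries the pointer must address, while the bound that `xdr_status_vector` now enforces is the fixed `ISC_STATUS_LENGTH`, so a caller that prepared a shorter vector would still be written past by a crafted response (inferred from the second hunk; the decode-side store is not visible here). I would make that contract explicit next to the check: `// p_resp_status_vector is NULL (packet not prepared) or points to ISC_STATUS_LENGTH entries; xdr_status_vector bounds the decode by that length`. Returning `P_FALSE` turns the crash into a protocol failure, which is the right failure mode for unauthenticated input; whether the caller then drops the connection is outside this hunk. `xdr_protocol` begins and ends outside the hunk.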
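Review bot: `ISC_STATUS* const end = &vector[ISC_STATUS_LENGTH];` hard-codes the receiving array's capacity inside `xdr_status_vector` instead of taking it from the caller, so the fix holds only as long as every caller's status array really is `ISC_STATUS_LENGTH` long — that is the project convention, but nothing in this function checks it and the signature gives no length. A second effect worth documenting: when the bound trips and the function returns `FALSE` mid-decode, the entries already stored are left without an `isc_arg_end` terminator (inferred; the decode-side store after `xdr_long` is outside the hunk), so callers must not walk the vector after a `FALSE` return. I would record both next to the new declaration: `// vector is assumed to hold ISC_STATUS_LENGTH entries; on FALSE the contents are truncated and may lack isc_arg_end`. `xdr_status_vector` starts before and continues after this hunk.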
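Review bot: The added `if (vector >= end) return FALSE;` reserves room for exactly one more entry, which matches the string cases visible here (one `vector++` per argument), but the same switch may contain a case that consumes two slots for one argument — a length/pointer pair, as `isc_arg_cstring` uses — and that case is not in the hunk; if it exists, its guard must be `if (vector + 1 >= end) return FALSE;` or the final pair still writes one entry past `end`. I cannot see the rest of the switch, so this is a request to confirm rather than a defect found. The check sits before `xdr_wrapstring` is called, so on the decode side nothing is allocated for a string that cannot be stored, which is the right order. The enclosing switch and function continue outside the hunk.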
diff -Nru firebird2.5-2.5.3.26778.ds4/debian/changelog firebird2.5-2.5.3.26778.ds4/debian/changelog
--- firebird2.5-2.5.3.26778.ds4/debian/changelog	2014-11-14 23:09:51.000000000 +0200
+++ firebird2.5-2.5.3.26778.ds4/debian/changelog	2014-12-12 21:44:57.000000000 +0200
@@ -1,3 +1,10 @@
+firebird2.5 (2.5.3.26778.ds4-5) unstable; urgency=high
+
+  * Apply patch from upstream revision 60322 fixing server crash (NULL-pointer
+    dereference) with specially crafter service packet. Closes: #772880
+
+ -- Damyan Ivanov <d...@debian.org>  Fri, 12 Dec 2014 19:38:13 +0000
+
 firebird2.5 (2.5.3.26778.ds4-4) unstable; urgency=medium
 
   * add patch from upstream adding proper support for ppc64el
diff -Nru firebird2.5-2.5.3.26778.ds4/debian/patches/series firebird2.5-2.5.3.26778.ds4/debian/patches/series
--- firebird2.5-2.5.3.26778.ds4/debian/patches/series	2014-11-13 23:09:33.000000000 +0200
+++ firebird2.5-2.5.3.26778.ds4/debian/patches/series	2014-12-09 23:41:32.000000000 +0200
@@ -14,3 +14,4 @@
 out/spelling.patch
 out/fb_guard-lock-permissions.patch
 upstream/r60194-60204-ppcel.patch
+upstream/r60322-remote-crash.patch
diff -Nru firebird2.5-2.5.3.26778.ds4/debian/patches/upstream/r60322-remote-crash.patch firebird2.5-2.5.3.26778.ds4/debian/patches/upstream/r60322-remote-crash.patch
--- firebird2.5-2.5.3.26778.ds4/debian/patches/upstream/r60322-remote-crash.patch	1970-01-01 02:00:00.000000000 +0200
+++ firebird2.5-2.5.3.26778.ds4/debian/patches/upstream/r60322-remote-crash.patch	2014-12-09 23:41:32.000000000 +0200
@@ -0,0 +1,46 @@
+Description: Fix unauthenticated remote crash
+ Taken from upstream revision 60322
+Origin: upstream; http://sourceforge.net/p/firebird/code/60322/
+
+--- a/src/remote/protocol.cpp
++++ b/src/remote/protocol.cpp
+@@ -398,6 +398,8 @@ bool_t xdr_protocol(XDR* xdrs, PACKET* p
+ 		MAP(xdr_short, reinterpret_cast<SSHORT&>(response->p_resp_object));
+ 		MAP(xdr_quad, response->p_resp_blob_id);
+ 		MAP(xdr_cstring, response->p_resp_data);
++		if (!response->p_resp_status_vector) // incorrectly called - packet not prepared
++			return P_FALSE(xdrs, p);
+ 		return xdr_status_vector(xdrs, response->p_resp_status_vector) ?
+ 			P_TRUE(xdrs, p) : P_FALSE(xdrs, p);
+ 
+@@ -1652,9 +1654,12 @@ static bool_t xdr_status_vector(XDR* xdr
+ 
+ 	SLONG vec;
+ 	SCHAR* sp = NULL;
++	ISC_STATUS* const end = &vector[ISC_STATUS_LENGTH];
+ 
+ 	while (true)
+ 	{
++		if (vector >= end)
++			return FALSE;
+ 		if (xdrs->x_op == XDR_ENCODE)
+ 			vec = (SLONG) * vector++;
+ 		if (!xdr_long(xdrs, &vec))
+@@ -1670,6 +1675,8 @@ static bool_t xdr_status_vector(XDR* xdr
+ 	case isc_arg_interpreted:
+ 	case isc_arg_string:
+ 	case isc_arg_sql_state:
++		if (vector >= end)
++			return FALSE;
+ 		if (xdrs->x_op == XDR_ENCODE)
+ 		{
+ 			if (!xdr_wrapstring(xdrs, reinterpret_cast<SCHAR**>(vector++)))
+@@ -1700,6 +1707,8 @@ static bool_t xdr_status_vector(XDR* xdr
+ 
+ 	case isc_arg_number:
+ 	default:
++		if (vector >= end)
++			return FALSE;
+ 		if (xdrs->x_op == XDR_ENCODE)
+ 			vec = (SLONG) * vector++;
+ 		if (!xdr_long(xdrs, &vec))
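Review bot: The DEP-3 header of the new patch file carries `Description` and `Origin` but no `Bug-Debian` field, so the report this upload closes (#772880, named only in the changelog hunk) is not recorded with the patch itself; add `Bug-Debian: https://bugs.debian.org/772880` and, since the change is already committed upstream, `Applied-Upstream: r60322` plus a `Last-Update:` date, so a later maintainer can tell the patch is droppable on the next upstream merge. The code hunks in this file duplicate the standalone patch attached above and the review points on that copy apply here unchanged. The file is added whole (`@@ -0,0 +1,46 @@`), so nothing is cut off at the edges.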