On 2022-03-31 15:39, Dimitry Sibiryakov wrote:
Alex Peshkoff via Firebird-devel wrote 31.03.2022 15:21:

  Note that the crash happens on compression so it doesn't affect Firebird security.

Did not catch why - we use zlib compression on the wire (since fb3) and in gbak (since fb4). Both cases are not default but anyway not good.

  The crash happens when a stream of definite data is tried to be
compressed. IMHO, it is hard (if possible at all) to purposefully
construct such a stream *from* the server to crash or exploit it.

That is a very dangerous assumption. Things people think "that is not possible to get exploited in our case" always seem to get exploited by people with sufficient motivation and drive. And even if it is not exploitable in the case of Firebird, that is not a reason not to update the dependency in a next release. It costs nearly nothing to do, and it avoids the potential for vulnerabilities, and the *perception* of being vulnerable.

Mark


Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel
