Re: [Firebird-devel] Security vulnerability in zlib library
31.03.2022 11:11, Mark Rotteveel wrote:
> A security vulnerability was found in zlib:
> https://nakedsecurity.sophos.com/2022/03/29/zlib-data-compressor-fixes-17-year-old-security-bug-patch-errr-now/
> Will we include an updated version in the next release?

I'll take care of Windows builds.

Regards,
Vlad

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] Security vulnerability in zlib library
On 4/1/22 01:30, Dimitry Sibiryakov wrote:
> Alex Peshkoff via Firebird-devel wrote 31.03.2022 16:08:
>>> The crash happens when a stream of definite data is tried to be compressed. IMHO, it is hard (if possible at all) to purposefully construct such stream *from* server to crash or exploit it.
>> How long should it be? Can it be put into blob?
> Yes, but according to the bug description it also requires usage of Z_FIXED option which Firebird doesn't.

Have a look at this - bug is already reproduced with default strategy:
https://seclists.org/oss-sec/2022/q1/201

Luckily other parameters (like memlevel) are not default and such values of them are not used by Firebird but you see: the range of conditions where bug can be reproduced spreads. I.e. it's definitely better to upgrade.
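An added example, not part of the thread and not Firebird code: the messages above tie the bug's reachability to the deflate strategy (Z_FIXED) and to non-default memLevel values, so this script lists `deflateInit2` call sites in C source that use either one, for manual review. The sample source and the `split_args` and `audit` helpers are constructed for illustration; commented-out calls are not filtered.

```python
import re

# deflateInit2(strm, level, method, windowBits, memLevel, strategy);
# plain deflateInit() uses memLevel 8 and Z_DEFAULT_STRATEGY.
DEFAULT_MEM_LEVEL = "8"
CALL = re.compile(r"\bdeflateInit2_?\s*\(")

def split_args(text, start):
    """Top-level arguments of the call whose '(' ends just before text[start]."""
    args, depth, cur = [], 1, []
    for ch in text[start:]:
        depth += (ch == "(") - (ch == ")")
        if depth == 0:
            return args + ["".join(cur).strip()]
        if ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return []  # unbalanced parentheses: not a complete call

def audit(source, filename="<memory>"):
    """List deflateInit2 calls using Z_FIXED or a non-default memLevel."""
    findings = []
    for m in CALL.finditer(source):
        args = split_args(source, m.end())
        if len(args) < 6:
            continue
        reasons = []
        if args[5] == "Z_FIXED":
            reasons.append("strategy Z_FIXED")
        if args[4] != DEFAULT_MEM_LEVEL:
            reasons.append(f"non-default memLevel {args[4]}")
        if reasons:
            line = source.count("\n", 0, m.start()) + 1
            findings.append((filename, line, reasons))
    return findings

CONSTRUCTED_SAMPLE = """\
int b(z_stream *s) { return deflateInit2(s, 6, Z_DEFLATED, 15, 8, Z_DEFAULT_STRATEGY); }
int c(z_stream *s) {
    return deflateInit2(s, 6, Z_DEFLATED, MAX_WBITS,
                        1, Z_DEFAULT_STRATEGY);
}
int d(z_stream *s) { return deflateInit2(s, 9, Z_DEFLATED, (8 + 7), 8, Z_FIXED); }
"""

print(audit(CONSTRUCTED_SAMPLE, "sample.c"))
```

A memLevel given as a macro or variable is reported as non-default, since the script cannot resolve its value.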
Re: [Firebird-devel] Security vulnerability in zlib library
Alex Peshkoff via Firebird-devel wrote 31.03.2022 16:08:
>> The crash happens when a stream of definite data is tried to be compressed. IMHO, it is hard (if possible at all) to purposefully construct such stream *from* server to crash or exploit it.
> How long should it be? Can it be put into blob?

Yes, but according to the bug description it also requires usage of Z_FIXED option which Firebird doesn't.

--
WBR, SD.
Re: [Firebird-devel] Security vulnerability in zlib library
On 3/31/22 16:39, Dimitry Sibiryakov wrote:
> Alex Peshkoff via Firebird-devel wrote 31.03.2022 15:21:
>>> Note that the crash happens on compression so it doesn't affect Firebird security.
>> Did not catch why - we use zlib compression on the wire (since fb3) and in gbak (since fb4). Both cases are not default but anyway not good.
> The crash happens when a stream of definite data is tried to be compressed. IMHO, it is hard (if possible at all) to purposefully construct such stream *from* server to crash or exploit it.

How long should it be? Can it be put into blob?
Re: [Firebird-devel] Security vulnerability in zlib library
On 2022-03-31 15:39, Dimitry Sibiryakov wrote:
> Alex Peshkoff via Firebird-devel wrote 31.03.2022 15:21:
>>> Note that the crash happens on compression so it doesn't affect Firebird security.
>> Did not catch why - we use zlib compression on the wire (since fb3) and in gbak (since fb4). Both cases are not default but anyway not good.
> The crash happens when a stream of definite data is tried to be compressed. IMHO, it is hard (if possible at all) to purposefully construct such stream *from* server to crash or exploit it.

That is a very dangerous assumption. Things people think "that is not possible to get exploited in our case" always seem to get exploited by people with sufficient motivation and drive.

And even if it is not exploitable in the case of Firebird, that is not a reason not to update the dependency in a next release. It costs nearly nothing to do, and it avoids the potential for vulnerabilities, and the *perception* of being vulnerable.

Mark
Re: [Firebird-devel] Security vulnerability in zlib library
Alex Peshkoff via Firebird-devel wrote 31.03.2022 15:21:
>> Note that the crash happens on compression so it doesn't affect Firebird security.
> Did not catch why - we use zlib compression on the wire (since fb3) and in gbak (since fb4). Both cases are not default but anyway not good.

The crash happens when a stream of definite data is tried to be compressed. IMHO, it is hard (if possible at all) to purposefully construct such stream *from* server to crash or exploit it.

--
WBR, SD.
Re: [Firebird-devel] Security vulnerability in zlib library
On 3/31/22 16:13, Dimitry Sibiryakov wrote:
> Alex Peshkoff via Firebird-devel wrote 31.03.2022 15:05:
>> On 3/31/22 11:11, Mark Rotteveel wrote:
>>> A security vulnerability was found in zlib:
>>> https://nakedsecurity.sophos.com/2022/03/29/zlib-data-compressor-fixes-17-year-old-security-bug-patch-errr-now/
>>> Will we include an updated version in the next release?
>> On Linux that's not our problem - we always use system libz.so. On Windows I think yes, we should upgrade version.
> Note that the crash happens on compression so it doesn't affect Firebird security.

Did not catch why - we use zlib compression on the wire (since fb3) and in gbak (since fb4). Both cases are not default but anyway not good.
Re: [Firebird-devel] Security vulnerability in zlib library
Alex Peshkoff via Firebird-devel wrote 31.03.2022 15:05:
> On 3/31/22 11:11, Mark Rotteveel wrote:
>> A security vulnerability was found in zlib:
>> https://nakedsecurity.sophos.com/2022/03/29/zlib-data-compressor-fixes-17-year-old-security-bug-patch-errr-now/
>> Will we include an updated version in the next release?
> On Linux that's not our problem - we always use system libz.so. On Windows I think yes, we should upgrade version.

Note that the crash happens on compression so it doesn't affect Firebird security.

--
WBR, SD.
Re: [Firebird-devel] Security vulnerability in zlib library
On 3/31/22 11:11, Mark Rotteveel wrote:
> A security vulnerability was found in zlib:
> https://nakedsecurity.sophos.com/2022/03/29/zlib-data-compressor-fixes-17-year-old-security-bug-patch-errr-now/
> Will we include an updated version in the next release?

On Linux that's not our problem - we always use system libz.so. On Windows I think yes, we should upgrade version.

> Can people just drop in a replacement?

Yes.