Bug 1172445 (CVE-2014-9323)

Summary: CVE-2014-9323 firebird: malformed network packet can cause denial of service
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, jrusnack, makowski.fedora
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: firebird 2.1.7, firebird 2.5.3SU1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-12-31 20:35:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1172446, 1172447    
Bug Blocks:    

Description Vincent Danen 2014-12-10 04:52:46 UTC 
It was found that an unauthenticated remote attacker could send a malformed network packet to a firebird server, which would cause the server to crash.

http://www.firebirdsql.org/en/news/security-updates-for-v2-1-and-v2-5-series-66011/
http://tracker.firebirdsql.org/browse/CORE-4630
http://sourceforge.net/p/firebird/code/60331/
Comment 1 Vincent Danen 2014-12-10 04:53:03 UTC 
Created firebird tracking bugs for this issue:

Affects: fedora-all [bug 1172446]
Affects: epel-all [bug 1172447]
Comment 2 Vincent Danen 2014-12-10 04:56:00 UTC 
Note that the Mageia bug tracker has further information of interest particularly for testing:

https://bugs.mageia.org/show_bug.cgi?id=14726

CVE request:

http://www.openwall.com/lists/oss-security/2014/12/10/4
Comment 3 Philippe Makowski 2014-12-10 10:02:07 UTC 
A CVE request have been done by upstream, but no ID yet

Updates are allready submitted :

https://admin.fedoraproject.org/updates/firebird-2.5.2.26539.0-14.fc21
https://admin.fedoraproject.org/updates/firebird-2.5.2.26539.0-10.fc20
https://admin.fedoraproject.org/updates/firebird-2.1.5.18496.0-5.el5
https://admin.fedoraproject.org/updates/firebird-2.5.3.26778.0-2.el6
https://admin.fedoraproject.org/updates/firebird-2.5.3.26778.0-2.el7
Comment 4 Fedora Update System 2014-12-20 08:40:57 UTC 
firebird-2.5.2.26539.0-14.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2014-12-20 08:49:42 UTC 
firebird-2.5.2.26539.0-10.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2014-12-26 19:47:27 UTC 
firebird-2.5.3.26778.0-2.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2014-12-26 19:47:56 UTC 
firebird-2.1.5.18496.0-5.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2014-12-26 19:49:49 UTC 
firebird-2.5.3.26778.0-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.