Spencer McIntyre reports:
The FirebirdSQL server is vulnerable to a stack buffer overflow that can be
triggered when an unauthenticated user sends a specially crafted packet. The
result can lead to remote code execution as the user which runs the FirebirdSQL
Alexander Peshkov adds:
A reason is a bug when extracting a group number from the CNCT info, sent by
client. Size of received data was not checked. Bug exists from the first most
days of firebird.
The main irony here is that this group info was never used later in the code,
and therefore was cleaned up in the trunk. I.e. trunk does not require fixing.
This is fixed in snapshot builds, build numbers are 26623 for v2.5 and 18514
for v2.1. Fix available in upstream SVN repository for B2_5_Release branch
Created firebird tracking bugs for this issue
Affects: epel-all [bug 919551]
--- src/remote/inet.cpp (revision 57727)
+++ src/remote/inet.cpp (revision 57728)
@@ -1252,7 +1252,7 @@
const size_t length = id.getClumpLength();
- if (length != 0)
+ if (length <= sizeof(eff_gid) && length > 0)
eff_gid = 0;
memcpy(&eff_gid, id.getBytes(), length);
firebird-220.127.116.11539.0-2.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
firebird-18.104.22.168539.0-2.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
firebird-22.214.171.124539.0-3.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
firebird-126.96.36.19996.0-4.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.