Attached is my proposed patch for firebird2.5 in Jessie. Yes, I know this is no-DSA, however it is an easy change to make.
I have made this change on wheezy. I plan on pushing these changes (maybe with UNRELEASED in the changelog) to the jessie branch in the Debian git repository, and I can also have a look at firebird 3.0 in Stretch. -- Brian May <br...@linuxpenguins.xyz> https://linuxpenguins.xyz/brian/
commit 69946d356fc25395f6a5b8315ff095fa67989a25 Author: Brian May <br...@linuxpenguins.xyz> Date: Wed Jun 6 17:16:09 2018 +1000 CVE-2017-11509 security update diff --git a/debian/changelog b/debian/changelog index 03c669e..f2e8ab3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +firebird2.5 (2.5.3.26778.ds4-6) jessie-security; urgency=high + + * Disable UDFs in firebird.conf due to a remote authenticated code execution + vilnerability + https://www.tenable.com/security/research/tra-2017-36 (CVE-2017-11509) + http://tracker.firebirdsql.org/browse/CORE-5518 + + -- Brian May <b...@debian.org> Wed, 06 Jun 2018 17:15:08 +1000 + firebird2.5 (2.5.3.26778.ds4-5) unstable; urgency=high * Apply patch from upstream revision 60322 fixing server crash (NULL-pointer diff --git a/debian/patches/CVE-2017-11509.patch b/debian/patches/CVE-2017-11509.patch new file mode 100644 index 0000000..bf8f159 --- /dev/null +++ b/debian/patches/CVE-2017-11509.patch @@ -0,0 +1,23 @@ +Description: disable UDFs in firebird.conf + UDFs can be used for remote code execution. see + https://www.tenable.com/security/research/tra-2017-36 (CVE-2017-11509) + http://tracker.firebirdsql.org/browse/CORE-5518 +Author: Damyan Ivanov <d...@debian.org> +Forwarded: no, because upstream doesn't consider this to be a problem + +Index: firebird2.5/builds/install/misc/firebird.conf.in +=================================================================== +--- firebird2.5.orig/builds/install/misc/firebird.conf.in ++++ firebird2.5/builds/install/misc/firebird.conf.in +@@ -137,7 +137,10 @@ + # + # Type: string (special format) + # +-#UdfAccess = Restrict UDF ++# Debian maintainer note: UDFs can be used for remote code execution as the ++# 'firebird' user. See https://www.tenable.com/security/research/tra-2017-36 ++# (CVE-2017-11509) ++UdfAccess = None + + + # ---------------------------- diff --git a/debian/patches/series b/debian/patches/series index 1135b62..c6dbba7 100644 
--- a/debian/patches/series +++ b/debian/patches/series @@ -15,3 +15,4 @@ out/spelling.patch out/fb_guard-lock-permissions.patch upstream/r60194-60204-ppcel.patch upstream/r60322-remote-crash.patch +CVE-2017-11509.patch
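Review bot: typo in the changelog hunk, "vilnerability" should read "vulnerability" in the line `+ * Disable UDFs in firebird.conf due to a remote authenticated code execution vilnerability`. Since the cover mail mentions pushing with UNRELEASED first, also make sure the distribution field is switched back to jessie-security for version 2.5.3.26778.ds4-6 before the upload, otherwise the entry and the uploaded package will disagree.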
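Review bot: the firebird.conf.in hunk replaces the commented default `-#UdfAccess = Restrict UDF` with `+UdfAccess = None`, which turns off loading of every UDF library, including ones that existing databases on Jessie systems may already depend on, and neither the patch header nor the changelog tells administrators how to restore the old behaviour. Add a debian/NEWS entry (or a sentence in the changelog) stating that UDFs are now disabled by default as the mitigation for CVE-2017-11509 and that `UdfAccess = Restrict UDF` in firebird.conf re-enables the previous setting for those who accept the risk. Also check how the generated firebird.conf is installed: if it is a dpkg conffile, an installation where the admin already edited it keeps the local copy on upgrade and the new `UdfAccess = None` line never takes effect there, so the mitigation would need to be mentioned in NEWS for those systems as well.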
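Review bot: style point on the series hunk: the existing entries are grouped by origin under out/ and upstream/ (`out/fb_guard-lock-permissions.patch`, `upstream/r60322-remote-crash.patch`), while `+CVE-2017-11509.patch` is added at the top level. The patch header marks it `Forwarded: no`, so placing it beside the other non-upstream patches (for example out/CVE-2017-11509.patch, with the series line adjusted to match) keeps the layout consistent with the rest of the queue.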