Gentoo Archives: gentoo-announce

From: Pierre-Yves Rofes <py@g.o>
To: gentoo-announce@l.g.o
Cc: full-disclosure@××××××××××××××.uk, bugtraq@×××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200712-06 ] Firebird: Multiple buffer overflows
Date: Sun, 09 Dec 2007 21:42:26
Message-Id: 475C5DC1.7030805@gentoo.org
1 -----BEGIN PGP SIGNED MESSAGE-----
2 Hash: SHA1
3
4 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5 Gentoo Linux Security Advisory GLSA 200712-06
6 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7 http://security.gentoo.org/
8 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9
10 Severity: Normal
11 Title: Firebird: Multiple buffer overflows
12 Date: December 09, 2007
13 Bugs: #195569
14 ID: 200712-06
15
16 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
17
18 Synopsis
19 ========
20
21 Multiple stack-based buffer overflows were discovered in Firebird.
22
23 Background
24 ==========
25
26 Firebird is a multi-platfrom, open source relational database.
27
28 Affected packages
29 =================
30
31 -------------------------------------------------------------------
32 Package / Vulnerable / Unaffected
33 -------------------------------------------------------------------
34 1 dev-db/firebird < 2.0.3.12981.0-r2 >= 2.0.3.12981.0-r2
35
36 Description
37 ===========
38
39 Adriano Lima and Ramon de Carvalho Valle reported that functions
40 isc_attach_database() and isc_create_database() do not perform proper
41 boundary checking when processing their input.
42
43 Impact
44 ======
45
46 A remote attacker could send specially crafted requests to the Firebird
47 server on TCP port 3050, possibly resulting in the execution of
48 arbitrary code with the privileges of the user running Firebird
49 (usually firebird).
50
51 Workaround
52 ==========
53
54 There is no known workaround at this time.
55
56 Resolution
57 ==========
58
59 All Firebird users should upgrade to the latest version:
60
61 # emerge --sync
62 # emerge --ask --oneshot --verbose ">=dev-db/firebird-2.0.3.12981.0-r2"
63
64 References
65 ==========
66
67 [ 1 ] CVE-2007-4992
68 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4992
69 [ 2 ] CVE-2007-5246
70 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5246
71
72 Availability
73 ============
74
75 This GLSA and any updates to it are available for viewing at
76 the Gentoo Security Website:
77
78 http://security.gentoo.org/glsa/glsa-200712-06.xml
79
80 Concerns?
81 =========
82
83 Security is a primary focus of Gentoo Linux and ensuring the
84 confidentiality and security of our users machines is of utmost
85 importance to us. Any security concerns should be addressed to
86 security@g.o or alternatively, you may file a bug at
87 http://bugs.gentoo.org.
88
89 License
90 =======
91
92 Copyright 2007 Gentoo Foundation, Inc; referenced text
93 belongs to its owner(s).
94
95 The contents of this document are licensed under the
96 Creative Commons - Attribution / Share Alike license.
97
98 http://creativecommons.org/licenses/by-sa/2.5
99 -----BEGIN PGP SIGNATURE-----
100 Version: GnuPG v1.4.7 (GNU/Linux)
101 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
102
103 iD8DBQFHXF3AuhJ+ozIKI5gRAl0UAJ9ETvKwOPzQxrqpbfprqOA38ajBuwCfXDNa
104 DHwkoQkDC/9Gq+ZJ/OR53Eo=
105 =TjeC
106 -----END PGP SIGNATURE-----
107 --
108 gentoo-announce@g.o mailing list