One more reason to upgrade to Firebird 2.5.2: CVE-2012-5529

News via the oss-sec and [pkg-firebird-general] mailing lists:

A denial of service flaw was found in the way the TraceManager of Firebird performed preparation of an empty dynamic SQL query. When the trace mode was enabled, a remote, authenticated database user could use this flaw to cause the Firebird server to crash with a NULL pointer dereference.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693210
[2] http://tracker.firebirdsql.org/browse/CORE-3884
[3] https://bugzilla.redhat.com/show_bug.cgi?id=876613

Relevant upstream patch: [4]
http://firebird.svn.sourceforge.net/viewvc/firebird?pathrev=54702&revision=54702&view=revision

What roles is user able to use?

About a month ago there was a question in the Firebird (CZ) group about how to find out whether a user is able to use a particular role, or how to get all roles for a user.

As you probably know, a lot of stuff (almost everything) is in the system catalog (system tables). The only problem is to figure out the right set of parameters to use. To get all roles with the users able to use them, you can use …

German translation of Firebird security article

There’s an article on the Firebird Documentation web-page about Firebird File and Metadata Security. Since this is an interesting topic to our customers, I took the time to translate it to German.

The article describes the fundamental problems in securing network connections. One of the biggest problems is key management. Since the Firebird server is usually controlled by and installed at the client’s site, you don’t have any control over it. So, theoretically, someone could always build his own Firebird server to spy on the password. But that’s only one of the problems discussed.

Many thanks to Geoff Worboys, the author of the original article, and Paul Vinkenoog for publishing it on the official web-site.

Firebird has some funny ways of handling passwords

Firebird has some funny ways of handling passwords. The maximum length of passwords that is evaluated is 8 characters. Every character after the 8th is silently ignored. That’s especially funny because the ‘default’ password for a Firebird installation is ‘masterkey’, which has 9 characters. You can, however, successfully log in to freshly installed Firebird servers by providing the password ‘masterke’.
I’ve been working with Interbase and Firebird for more than four years and only realized this just now, when a co-worker at our company found it out while learning SQL.
The only program I know of that makes note of this is gsec, which prints a warning when setting the password to something longer than 8 characters.

http://daniel-albuschat.blogspot.com/2008/04/passwords-in-firebird.html

[ED: Daniel is working on a WebKit-based browser named Arora]

Remember to upgrade to Firebird 2.0.4 or Firebird 2.1

Stack-based buffer overflow in Firebird before 2.0.4, and 2.1.x before 2.1.0 RC1, might allow remote attackers to execute arbitrary code via a long username.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0467
