[firebird/f20] security fix firebird CORE-4630

Philippe Makowski makowski at fedoraproject.org
Sun Dec 7 17:33:55 UTC 2014


commit d9211a9c34ee673f5c94578ff49bb0bdf42cd569
Author: Philippe Makowski <pmakowski at espelida.com>
Date:   Sun Dec 7 18:33:56 2014 +0100

    security fix firebird CORE-4630

 firebird.spec                |    7 +++++-
 firebird_fix_CORE-4630.patch |   44 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+), 1 deletions(-)
---
diff --git a/firebird.spec b/firebird.spec
index f152339..017a4f7 100644
--- a/firebird.spec
+++ b/firebird.spec
@@ -6,7 +6,7 @@
 Summary: SQL relational database management system
 Name:  firebird
 Version: 2.5.2.26539.0
-Release: 9%{?dist}
+Release: 10%{?dist}
 
 Group:  Applications/Databases
 License: Interbase
@@ -25,6 +25,7 @@ Source7: firebird-superserver.service
 # from upstream
 Patch0: firebird-2.5.2-svn-CORE-3946.patch
 Patch1: firebird-2.5.2-svn-CORE-4058.patch
+Patch5: firebird_fix_CORE-4630.patch
 
 Patch2: firebird-btyacc-fpie.patch
 Patch3: firebird-aarch64.patch
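Review bot: The new `Patch5:` tag sits under the `# from upstream` comment but nothing records which upstream revision it was taken from, and the number skips past Patch2–Patch4, so a reader cannot tell from the spec alone whether it is a backport or a distro-local change. The patch itself carries that provenance in its header (R2_5_3_Upd_1, revision 60338), so it is worth one line next to the tag, e.g. `# from upstream R2_5_3_Upd_1 r60338, fixes CORE-4630`. The `%patch5 -p0` applied later in %prep matches the prefix-less `src/remote/protocol.cpp` path in the patch header, so the strip level looks right.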
@@ -168,6 +169,7 @@ Multi-process, local client libraries for Firebird SQL RDBMS
 %patch1
 %patch2
 %patch3 -p1
+%patch5 -p0
 # convert intl character to UTF-8
 iconv -f ISO-8859-1 -t utf-8 -c ./doc/README.intl     -o ./doc/README.intl
 
@@ -533,6 +535,9 @@ fi
 
 
 %changelog
+* Sun Dec 7 2014 Philippe Makowski <makowski at fedoraproject.org> 2.5.2.26539.0-10
+- security fix firebird CORE-4630
+
 * Thu Oct 30 2014 Philippe Makowski <makowski at fedoraproject.org>  2.5.2.26539.0-9
 - Remove lib64 rpaths (#1154706)
 
diff --git a/firebird_fix_CORE-4630.patch b/firebird_fix_CORE-4630.patch
new file mode 100644
index 0000000..77dbe5c
--- /dev/null
+++ b/firebird_fix_CORE-4630.patch
@@ -0,0 +1,44 @@
+Index: src/remote/protocol.cpp
+===================================================================
+--- src/remote/protocol.cpp	(.../R2_5_3)	(revision 60338)
++++ src/remote/protocol.cpp	(.../R2_5_3_Upd_1)	(revision 60338)
+@@ -398,6 +398,8 @@
+ 		MAP(xdr_short, reinterpret_cast<SSHORT&>(response->p_resp_object));
+ 		MAP(xdr_quad, response->p_resp_blob_id);
+ 		MAP(xdr_cstring, response->p_resp_data);
++		if (!response->p_resp_status_vector)	// incorrectly called - packet not prepared
++			return P_FALSE(xdrs, p);
+ 		return xdr_status_vector(xdrs, response->p_resp_status_vector) ?
+ 								 	P_TRUE(xdrs, p) : P_FALSE(xdrs, p);
+ 
+@@ -1652,9 +1654,12 @@
+ 
+ 	SLONG vec;
+ 	SCHAR* sp = NULL;
++	ISC_STATUS* const end = &vector[ISC_STATUS_LENGTH];
+ 
+ 	while (true)
+ 	{
++		if (vector >= end)
++			return FALSE;
+ 		if (xdrs->x_op == XDR_ENCODE)
+ 			vec = (SLONG) * vector++;
+ 		if (!xdr_long(xdrs, &vec))
+@@ -1670,6 +1675,8 @@
+ 		case isc_arg_interpreted:
+ 		case isc_arg_string:
+ 		case isc_arg_sql_state:
++			if (vector >= end)
++				return FALSE;
+ 			if (xdrs->x_op == XDR_ENCODE)
+ 			{
+ 				if (!xdr_wrapstring(xdrs, reinterpret_cast<SCHAR**>(vector++)))
+@@ -1700,6 +1707,8 @@
+ 
+ 		case isc_arg_number:
+ 		default:
++			if (vector >= end)
++				return FALSE;
+ 			if (xdrs->x_op == XDR_ENCODE)
+ 				vec = (SLONG) * vector++;
+ 			if (!xdr_long(xdrs, &vec))
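Review bot: The new `end` bound in xdr_status_vector is computed from the `vector` argument itself, so the three added `vector >= end` guards are only meaningful if every caller hands in a buffer of at least ISC_STATUS_LENGTH entries; that contract is not written down, and the function's signature and the remainder of its switch lie outside this hunk. A comment on the new line would make it explicit: `ISC_STATUS* const end = &vector[ISC_STATUS_LENGTH];	// callers must pass an ISC_STATUS_LENGTH-sized vector; each slot consumed below is checked against end`. Each guard covers exactly one `vector++`, so if the unseen part of the switch has an argument kind that consumes two slots, that case needs a guard per slot to get the same protection. On decode, reaching the bound returns FALSE after the buffer has been filled without a terminating entry, which is fine as long as callers discard the packet on FALSE — worth confirming, since that path is not visible here.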

