[firebird/f20] security fix firebird CORE-4630
Philippe Makowski
makowski at fedoraproject.org
Sun Dec 7 17:33:55 UTC 2014
commit d9211a9c34ee673f5c94578ff49bb0bdf42cd569
Author: Philippe Makowski <pmakowski at espelida.com>
Date: Sun Dec 7 18:33:56 2014 +0100
security fix firebird CORE-4630
firebird.spec | 7 +++++-
firebird_fix_CORE-4630.patch | 44 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 50 insertions(+), 1 deletions(-)
---
diff --git a/firebird.spec b/firebird.spec
index f152339..017a4f7 100644
--- a/firebird.spec
+++ b/firebird.spec
@@ -6,7 +6,7 @@
Summary: SQL relational database management system
Name: firebird
Version: 2.5.2.26539.0
-Release: 9%{?dist}
+Release: 10%{?dist}
Group: Applications/Databases
License: Interbase
@@ -25,6 +25,7 @@ Source7: firebird-superserver.service
# from upstream
Patch0: firebird-2.5.2-svn-CORE-3946.patch
Patch1: firebird-2.5.2-svn-CORE-4058.patch
+Patch5: firebird_fix_CORE-4630.patch
Patch2: firebird-btyacc-fpie.patch
Patch3: firebird-aarch64.patch
@@ -168,6 +169,7 @@ Multi-process, local client libraries for Firebird SQL RDBMS
%patch1
%patch2
%patch3 -p1
+%patch5 -p0
# convert intl character to UTF-8
iconv -f ISO-8859-1 -t utf-8 -c ./doc/README.intl -o ./doc/README.intl
@@ -533,6 +535,9 @@ fi
%changelog
+* Sun Dec 7 2014 Philippe Makowski <makowski at fedoraproject.org> 2.5.2.26539.0-10
+- security fix firebird CORE-4630
+
* Thu Oct 30 2014 Philippe Makowski <makowski at fedoraproject.org> 2.5.2.26539.0-9
- Remove lib64 rpaths (#1154706)
diff --git a/firebird_fix_CORE-4630.patch b/firebird_fix_CORE-4630.patch
new file mode 100644
index 0000000..77dbe5c
--- /dev/null
+++ b/firebird_fix_CORE-4630.patch
@@ -0,0 +1,44 @@
+Index: src/remote/protocol.cpp
+===================================================================
+--- src/remote/protocol.cpp (.../R2_5_3) (revision 60338)
++++ src/remote/protocol.cpp (.../R2_5_3_Upd_1) (revision 60338)
+@@ -398,6 +398,8 @@
+ MAP(xdr_short, reinterpret_cast<SSHORT&>(response->p_resp_object));
+ MAP(xdr_quad, response->p_resp_blob_id);
+ MAP(xdr_cstring, response->p_resp_data);
++ if (!response->p_resp_status_vector) // incorrectly called - packet not prepared
++ return P_FALSE(xdrs, p);
+ return xdr_status_vector(xdrs, response->p_resp_status_vector) ?
+ P_TRUE(xdrs, p) : P_FALSE(xdrs, p);
+
+@@ -1652,9 +1654,12 @@
+
+ SLONG vec;
+ SCHAR* sp = NULL;
++ ISC_STATUS* const end = &vector[ISC_STATUS_LENGTH];
+
+ while (true)
+ {
++ if (vector >= end)
++ return FALSE;
+ if (xdrs->x_op == XDR_ENCODE)
+ vec = (SLONG) * vector++;
+ if (!xdr_long(xdrs, &vec))
+@@ -1670,6 +1675,8 @@
+ case isc_arg_interpreted:
+ case isc_arg_string:
+ case isc_arg_sql_state:
++ if (vector >= end)
++ return FALSE;
+ if (xdrs->x_op == XDR_ENCODE)
+ {
+ if (!xdr_wrapstring(xdrs, reinterpret_cast<SCHAR**>(vector++)))
+@@ -1700,6 +1707,8 @@
+
+ case isc_arg_number:
+ default:
++ if (vector >= end)
++ return FALSE;
+ if (xdrs->x_op == XDR_ENCODE)
+ vec = (SLONG) * vector++;
+ if (!xdr_long(xdrs, &vec))
More information about the scm-commits
mailing list