[firebird/el5] security fix firebird CORE-4630

Philippe Makowski makowski at fedoraproject.org
Sun Dec 7 17:58:45 UTC 2014


commit 5a4b428ab74a26a91cb6e20d670ec4ff80cb23b8
Author: Philippe Makowski <pmakowski at espelida.com>
Date:   Sun Dec 7 18:58:23 2014 +0100

    security fix firebird CORE-4630

 firebird.spec                |    8 +++++-
 firebird_fix_CORE-4630.patch |   44 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+), 2 deletions(-)
---
diff --git a/firebird.spec b/firebird.spec
index a0eef79..36a5099 100644
--- a/firebird.spec
+++ b/firebird.spec
@@ -6,7 +6,7 @@
 Summary:	SQL relational database management system
 Name:		firebird
 Version:	2.1.5.18496.0
-Release:	4%{?dist}
+Release:	5%{?dist}
 
 Group:		Applications/Databases
 License:	Interbase
@@ -21,7 +21,7 @@ Patch0:		firebird-mcpu-to-mtune.patch
 Patch2:		firebird-fix-initscript.patch
 Patch3:		firebird_lock-file-location.patch
 Patch4:		firebird-2.1.6-svn-CORE-4058.patch
-
+Patch5:		firebird_fix_CORE-4630.patch
 
 BuildRequires:	autoconf
 BuildRequires:	automake
@@ -130,6 +130,7 @@ iconv	-f	ISO-8859-1	-t	utf-8	-c	./doc/README.intl					-o	./doc/README.intl
 %patch0
 %patch3
 %patch4
+%patch5 -p0
 
 %build
 
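Review bot: `%patch5 -p0` applies a diff whose own headers say it was taken between the R2_1_6 and R2_1_7 branches, while this spec builds Version 2.1.5.18496.0, so its hunks may only apply with an offset or fuzz. For a bounds-check fix that matters: a guard that lands a few lines away from the intended statement can still compile while leaving the out-of-range access in place. Confirm in the prep-stage build output that every hunk of the patch applied cleanly, or regenerate the patch against the 2.1.5 sources. A comment above the line, such as `# CORE-4630: backport of the R2_1_6..R2_1_7 change to src/remote/protocol.cpp`, would also record the provenance in the spec itself.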
@@ -535,6 +536,9 @@ fi
 
 
 %changelog
+* Sun Dec 7 2014 Philippe Makowski <makowski at fedoraproject.org> 2.1.5.18496.0-5
+- security fix firebird CORE-4630
+
 * Sun Mar 10 2013 Philippe Makowski <makowski at fedoraproject.org>  2.1.5.18496.0-4
 - added patch from upstream to fix Firebird CORE-4058 CVE-2013-2492
 
diff --git a/firebird_fix_CORE-4630.patch b/firebird_fix_CORE-4630.patch
new file mode 100644
index 0000000..a77a592
--- /dev/null
+++ b/firebird_fix_CORE-4630.patch
@@ -0,0 +1,44 @@
+Index: src/remote/protocol.cpp
+===================================================================
+--- src/remote/protocol.cpp	(.../R2_1_6)	(révision 60344)
++++ src/remote/protocol.cpp	(.../R2_1_7)	(révision 60344)
+@@ -442,6 +442,8 @@
+ 			reinterpret_cast<SSHORT&>(response->p_resp_object));
+ 		MAP(xdr_quad, response->p_resp_blob_id);
+ 		MAP(xdr_cstring, response->p_resp_data);
++		if (!response->p_resp_status_vector)	// incorrectly called - packet not prepared
++			return P_FALSE(xdrs, p);
+ 		return xdr_status_vector(xdrs, response->p_resp_status_vector,
+ 								 reinterpret_cast<char**>(response->p_resp_strings))
+ 								 ? P_TRUE(xdrs, p) : P_FALSE(xdrs, p);
+@@ -1832,7 +1834,11 @@
+ 		return TRUE;
+ 	}
+ 
++	ISC_STATUS* const vec_end = &vector[ISC_STATUS_LENGTH];
++
+ 	while (true) {
++		if (vector >= vec_end)
++			return FALSE;
+ 		if (xdrs->x_op == XDR_ENCODE)
+ 			vec = (SLONG) * vector++;
+ 		if (!xdr_long(xdrs, &vec))
+@@ -1845,6 +1851,8 @@
+ 
+ 		case isc_arg_interpreted:
+ 		case isc_arg_string:
++			if (vector >= vec_end)
++				return FALSE;
+ 			if (xdrs->x_op == XDR_ENCODE) {
+ 				if (!xdr_wrapstring(xdrs, reinterpret_cast<SCHAR**>(vector++)))
+ 					return FALSE;
+@@ -1873,6 +1881,8 @@
+ 
+ 		case isc_arg_number:
+ 		default:
++			if (vector >= vec_end)
++				return FALSE;
+ 			if (xdrs->x_op == XDR_ENCODE)
+ 				vec = (SLONG) * vector++;
+ 			if (!xdr_long(xdrs, &vec))
+
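Review bot: The added `vec_end = &vector[ISC_STATUS_LENGTH]` line and the three `if (vector >= vec_end) return FALSE;` guards rest on an unstated assumption that `vector` points at the first of at least ISC_STATUS_LENGTH entries on entry, which nothing in the visible lines establishes. I would record that at the declaration, for example `// vector is a full ISC_STATUS_LENGTH-entry status array; on decode its length is driven by the peer, so stop before its end`, after confirming it against the callers. The switch cases lying between the embedded hunks at 1845 and 1873 are not shown, so any other branch there that advances `vector` should be checked for the same guard. The enclosing function (presumably xdr_status_vector, which the first embedded hunk calls) starts and ends outside the diff.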

