allows passwordless SYSDBA login
Bug #232420 reported by Damyan Ivanov
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
firebird2.0 (Debian) | Fix Released | Unknown | | |
firebird2.0 (Gentoo Linux) | Fix Released | Medium | | |
firebird2.0 (Ubuntu) | Fix Released | High | Unassigned | |
firebird2.1 (Debian) | Fix Released | Unknown | | |
Bug Description
Binary package hint: firebird2.0-super
See http://
The init.d script exports ISC_PASSWORD into the environment before starting fbguard. fbguard itself spawns the fbserver process without cleaning the environment.
fbserver uses ISC_PASSWORD from the environment when a remote connection does not supply a password. This makes it possible to connect remotely as the SYSDBA user without giving a password.
That last part is already fixed in upstream CVS HEAD, but backporting the change is reported to be non-trivial.
All versions are affected.
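A defender-side check for the condition described above, added here as an example (not code from the Firebird project or from the Debian/Ubuntu packages): it walks a /proc-style tree and reports fbguard/fbserver processes whose inherited environment defines ISC_PASSWORD, and includes a wrapper that unsets the variable before exec. The function names, the sample tree and its values are constructed; reading `/proc/PID/environ` assumes Linux and sufficient privileges.

```shell
#!/bin/sh
# Added example. Only variable names are inspected; values are never printed.

# env_has_var FILE NAME: exit 0 if the NUL-separated environ FILE defines NAME.
env_has_var() {
    tr '\0' '\n' < "$1" | grep -q "^$2="
}

# audit_firebird_env [PROC_ROOT]: print "PID COMM" for every fbguard/fbserver
# process that inherited ISC_PASSWORD; return 1 if any was found, else 0.
audit_firebird_env() {
    proc_root=${1:-/proc}
    found=0
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/comm" ] && [ -r "$dir/environ" ] || continue
        comm=$(cat "$dir/comm")
        case $comm in
            fbguard|fbserver) ;;      # process names taken from the report
            *) continue ;;
        esac
        if env_has_var "$dir/environ" ISC_PASSWORD; then
            echo "${dir##*/} $comm"
            found=1
        fi
    done
    return $found
}

# run_scrubbed CMD [ARGS...]: one possible mitigation (an assumption, not the
# packaged fix): drop the credential variables in a subshell, then exec CMD.
run_scrubbed() {
    ( unset ISC_USER ISC_PASSWORD; exec "$@" )
}

# make_sample_proc: build a constructed /proc-like tree so the audit runs offline.
make_sample_proc() {
    root=$(mktemp -d)
    mkdir "$root/100" "$root/101" "$root/200"
    echo fbguard > "$root/100/comm"    # guardian started with the password exported
    printf 'PATH=/usr/bin\0ISC_PASSWORD=constructed-example\0' > "$root/100/environ"
    echo fbserver > "$root/101/comm"   # server started with a scrubbed environment
    printf 'PATH=/usr/bin\0' > "$root/101/environ"
    echo sshd > "$root/200/comm"       # unrelated process, must be ignored
    printf 'ISC_PASSWORD=unrelated\0' > "$root/200/environ"
    echo "$root"
}
```

On a live host, run `audit_firebird_env` as root with no argument; a non-zero return means a Firebird server process is still carrying the password in its environment.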
Changed in firebird2.0: status: Unknown → Fix Released
Changed in firebird2.0: status: Unknown → Fix Released
Changed in firebird2.1: status: Unknown → Fix Released
Changed in firebird2.0 (Ubuntu): assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in firebird2.0 (Gentoo Linux): importance: Unknown → Medium
Confirmed and severity set according to upstream bug in Debian