allows passwordless SYSDBA login
Bug #232420 reported by
Damyan Ivanov
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| firebird2.0 (Debian) |
Fix Released
|
Unknown
|
|||
| firebird2.0 (Gentoo Linux) |
Fix Released
|
Medium
|
|||
| firebird2.0 (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
| firebird2.1 (Debian) |
Fix Released
|
Unknown
|
|||
Bug Description
Binary package hint: firebird2.0-super
See http://
The init.d script exports ISC_PASSWORD into the environment before starting fbguard. fbguard itself spawns fbserver process without cleaning environment.
fbserver uses ISC_PASSWORD from the environment when remote connection
does not supply a password. This makes it possible to connect remotely
as SYSDBA user without giving a password.
That last part is already fixed in upstream CVS HEAD, but backporting
the change is reported to be non-trivial.
All versions are affected
CVE References
Revision history for this message
| Ralph Janke (txwikinger) wrote | #1 |
| Changed in firebird2.0: | |
| importance: | Undecided → High |
| status: | New → Confirmed |
| Changed in firebird2.0: | |
| status: | Unknown → Fix Released |
Revision history for this message
| Popa Adrian Marius (mapopa) wrote | #2 |
| Changed in firebird2.0: | |
| status: | Unknown → Fix Released |
| Changed in firebird2.1: | |
| status: | Unknown → Fix Released |
| Changed in firebird2.0 (Ubuntu): | |
| assignee: | nobody → Ubuntu Security Team (ubuntu-security) |
Revision history for this message
| Chris Johnston (cjohnston) wrote | #3 |
| Changed in firebird2.0 (Ubuntu): | |
| assignee: | Ubuntu Security Team (ubuntu-security) → nobody |
| Changed in firebird2.0 (Gentoo Linux): | |
| importance: | Unknown → Medium |
Revision history for this message
| Jamie Strandboge (jdstrand) wrote | #4 |
| Changed in firebird2.0 (Ubuntu): | |
| status: | Confirmed → Fix Released |
To post a comment you must log in.
Confirmed and severity set according to upstream bug in Debian