Ports scheduled for removal on Nov 7

[Chris Knight]

Howdy,

> -----Original Message-----
> From: Greg 'groggy' Lehey
> Sent: Saturday, 9 August 2003 11:36
> To: Alexander Leidinger
> Cc: freebsd-ports at FreeBSD.org; chris at aims.com.au; Kris Kennaway
> Subject: Re: Ports scheduled for removal on Nov 7
>
>
> On Friday,  8 August 2003 at 12:42:44 +0200, Alexander
> Leidinger wrote:
> > On Thu, 7 Aug 2003 21:53:34 -0700
> > Kris Kennaway <kris at obsecurity.org> wrote:
> >
> >> The following ports are scheduled for removal on November 7 if they
> >> are still broken at that time and no PRs have been submitted to fix
> >
> >> databases/firebird	firebird-1.0.2	chris at aims.com.au
> >> databases/firebird-devel	firebird-1.0.r2	chris at aims.com.au
> >
> > I've marked them FORBIDDEN because of an posting on bugtraq. I've
> > talked with the maintainer and he explained, that the developers
> > focus on the development of the next version and don't seem to be
> > interested in fixing this vulnerability.
>
> Are you sure that this vulnerability exists?  bugtraq seems to be
> rather indiscriminate in its claims ("found in this version, all these
> others must have it too").  I've seen at least one case where we were
> about to throw out something (ghostview, I think) because of a library
> vulnerability on a different platform.
>
The vulnerability does exist. No bounds checking is done on the
environment variable and it is placed into a fixed length (1024) array
using strcat. Proof of concept code has been released for FreeBSD 4.7.
I've spent a bit of time on the exploit code, and with some slight mods,
it will affect Firebird 1.0, 1.0.2 and 1.0.3 on FreeBSD 4.7 and
FreeBSD 4.8.
I've got a fix which stops the exploit code from working. I plan on
tidying it up and committing it soonish.

> Greg
> --
> See complete headers for address and phone numbers
>

Regards,
Chris Knight
Systems Administrator
E-Easy
Tel: +61 3 6334 6664  Fax: +61 3 6331 7032  Mob: +61 419 528 795
Web: http://www.e-easy.com.au