File: cve-2017-11509.patch

firebird3.0 3.0.13.ds7-2
  • area: main
  • in suites: forky, sid
Description: disable UDFs in firebird.conf
 UDFs can be used for remote code execution. See
 https://www.tenable.com/security/research/tra-2017-36 (CVE-2017-11509)
 http://tracker.firebirdsql.org/browse/CORE-5518
Author: Damyan Ivanov <dmn@debian.org>
Forwarded: no, because upstream doesn't consider this to be a problem

--- a/builds/install/misc/firebird.conf.in
+++ b/builds/install/misc/firebird.conf.in
@@ -189,7 +189,10 @@
 #
 # Type: string (special format)
 #
-#UdfAccess = Restrict UDF
+# Debian maintainer note: UDFs can be used for remote code execution as the
+# 'firebird' user. See https://www.tenable.com/security/research/tra-2017-36
+# (CVE-2017-11509)
+UdfAccess = None
 
 
 # ----------------------------
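
Review bot: the hunk removes the commented `#UdfAccess = Restrict UDF` line when it adds `UdfAccess = None`, so the file no longer shows the restricted form an administrator who genuinely needs UDFs would switch back to. Consider keeping that line, still commented out, next to the new setting, with a word in the maintainer note that re-enabling it restores the exposure described in the advisory. The patch header also references CORE-5518 while the in-file comment cites only the Tenable advisory; adding the tracker link to the comment would let someone reading the installed firebird.conf find the upstream discussion without the packaging source.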