oss-sec mailing list archives

CVE Request -- firebird: DoS (NULL pointer dereference) while preparing an empty query with trace enabled

From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 14 Nov 2012 10:28:29 -0500 (EST)

Hello Kurt, Steve, vendors,

  a denial of service flaw was found in the way the TraceManager of Firebird,
a SQL relational database management system, performed preparation of an empty
dynamic SQL query. When the trace mode was enabled, a remote, authenticated
database user could use this flaw to cause the Firebird server to crash with
a NULL pointer dereference.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693210
[2] http://tracker.firebirdsql.org/browse/CORE-3884
[3] https://bugzilla.redhat.com/show_bug.cgi?id=876613

Relevant upstream patch:
[4] http://firebird.svn.sourceforge.net/viewvc/firebird?pathrev=54702&revision=54702&view=revision

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Current thread:

CVE Request -- firebird: DoS (NULL pointer dereference) while preparing an empty query with trace enabled Jan Lieskovsky (Nov 14)
- Re: CVE Request -- firebird: DoS (NULL pointer dereference) while preparing an empty query with trace enabled Kurt Seifried (Nov 14)