Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Various UDF-related security vulnerabilities [CORE5657] #5923

Closed
firebird-issue-importer opened this issue Nov 9, 2017 · 8 comments
Closed

Various UDF-related security vulnerabilities [CORE5657] #5923

firebird-issue-importer opened this issue Nov 9, 2017 · 8 comments

Comments

@firebird-issue-importer
Copy link

@firebird-issue-importer firebird-issue-importer commented Nov 9, 2017

Submitted by: @AlexPeshkoff

Is related to CORE5518

Initial design of UDF always used to be security problem. The most dangerous security holes when UDFs and external tables are used simultaneousky were fixed in FB 1.5. But even after it incorrectly declared (using SQL statement DECLARE EXTERNAL FUNCTION) UDF can easily cause various security issues like server crash or execution of arbitrary code.

See details in related issue.

Commits: c7d6c4f b9c1765

@firebird-issue-importer
Copy link
Author

@firebird-issue-importer firebird-issue-importer commented Nov 9, 2017

Modified by: @AlexPeshkoff

description: Initial design of UDF always used to be security problem. The most dangerous security holes when UDFs and external tables are used simultaneousky were fixed in FB 1.5. But even after it incorrectly declared (using SQL statement DECLARE EXTERNAL FUNCTION) UDF can easily cause various security issues like server crash or execution of arbitrary code.

See details in sub-taks.

=>

Initial design of UDF always used to be security problem. The most dangerous security holes when UDFs and external tables are used simultaneousky were fixed in FB 1.5. But even after it incorrectly declared (using SQL statement DECLARE EXTERNAL FUNCTION) UDF can easily cause various security issues like server crash or execution of arbitrary code.

See details in subtask.

@firebird-issue-importer
Copy link
Author

@firebird-issue-importer firebird-issue-importer commented Nov 9, 2017

Modified by: @AlexPeshkoff

description: Initial design of UDF always used to be security problem. The most dangerous security holes when UDFs and external tables are used simultaneousky were fixed in FB 1.5. But even after it incorrectly declared (using SQL statement DECLARE EXTERNAL FUNCTION) UDF can easily cause various security issues like server crash or execution of arbitrary code.

See details in subtask.

=>

Initial design of UDF always used to be security problem. The most dangerous security holes when UDFs and external tables are used simultaneousky were fixed in FB 1.5. But even after it incorrectly declared (using SQL statement DECLARE EXTERNAL FUNCTION) UDF can easily cause various security issues like server crash or execution of arbitrary code.

See details in related issue.

@firebird-issue-importer
Copy link
Author

@firebird-issue-importer firebird-issue-importer commented Nov 9, 2017

Modified by: @AlexPeshkoff

Link: This issue is related to CORE5518 [ CORE5518 ]

@firebird-issue-importer
Copy link
Author

@firebird-issue-importer firebird-issue-importer commented Nov 9, 2017

Modified by: @AlexPeshkoff

assignee: Alexander Peshkov [ alexpeshkoff ]

@firebird-issue-importer
Copy link
Author

@firebird-issue-importer firebird-issue-importer commented Nov 9, 2017

Commented by: @AlexPeshkoff

UDFs are deprecated in v.4. That means that UDFs can't be used with default configuration (parameter "UdfAccess" set to "None") and all sample UDF libraries (ib_udf, fbudf) are not distributed any more. Most of functions in that libraries were replaced with builtin analogs in previous versions and therefore already deprecated. A few remaining functions got safe replacement in UDR library "udf_compat", namely div, frac, dow, sdow, getExactTimestampUTC and isLeapYear. Users who still wish to use UDFs should set "UdfAccess" to "Restrict <path-list>". If you never used to modify this parameter before path-list is just UDF and resulting line in firebird.conf should be:
UdfAccess = Restrict UDF
Recommended long-term solution is replacing of UDF with UDR.

@firebird-issue-importer
Copy link
Author

@firebird-issue-importer firebird-issue-importer commented Nov 9, 2017

Modified by: @AlexPeshkoff

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 4.0 Beta 1 [ 10750 ]

@firebird-issue-importer
Copy link
Author

@firebird-issue-importer firebird-issue-importer commented Nov 14, 2017

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Resolved [ 5 ]

QA Status: No test => Cannot be tested

@firebird-issue-importer
Copy link
Author

@firebird-issue-importer firebird-issue-importer commented Nov 14, 2017

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Closed [ 6 ]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants