
Various UDF-related security vulnerabilities [CORE5657] #5923

Closed
firebird-automations opened this issue Nov 9, 2017 · 8 comments

Comments

@firebird-automations

Submitted by: @AlexPeshkoff

Is related to CORE5518

The initial design of UDF has always been a security problem. The most dangerous security holes, when UDFs and external tables are used simultaneously, were fixed in FB 1.5. But even after that, an incorrectly declared UDF (using the SQL statement DECLARE EXTERNAL FUNCTION) can easily cause various security issues such as server crash or execution of arbitrary code.

See details in related issue.

Commits: c7d6c4f b9c1765

@firebird-automations

Modified by: @AlexPeshkoff

description: The initial design of UDF has always been a security problem. The most dangerous security holes, when UDFs and external tables are used simultaneously, were fixed in FB 1.5. But even after that, an incorrectly declared UDF (using the SQL statement DECLARE EXTERNAL FUNCTION) can easily cause various security issues such as server crash or execution of arbitrary code.

See details in sub-taks.

=>

The initial design of UDF has always been a security problem. The most dangerous security holes, when UDFs and external tables are used simultaneously, were fixed in FB 1.5. But even after that, an incorrectly declared UDF (using the SQL statement DECLARE EXTERNAL FUNCTION) can easily cause various security issues such as server crash or execution of arbitrary code.

See details in subtask.

@firebird-automations

Modified by: @AlexPeshkoff

description: The initial design of UDF has always been a security problem. The most dangerous security holes, when UDFs and external tables are used simultaneously, were fixed in FB 1.5. But even after that, an incorrectly declared UDF (using the SQL statement DECLARE EXTERNAL FUNCTION) can easily cause various security issues such as server crash or execution of arbitrary code.

See details in subtask.

=>

The initial design of UDF has always been a security problem. The most dangerous security holes, when UDFs and external tables are used simultaneously, were fixed in FB 1.5. But even after that, an incorrectly declared UDF (using the SQL statement DECLARE EXTERNAL FUNCTION) can easily cause various security issues such as server crash or execution of arbitrary code.

See details in related issue.

@firebird-automations

Modified by: @AlexPeshkoff

Link: This issue is related to CORE5518 [ CORE5518 ]

@firebird-automations

Modified by: @AlexPeshkoff

assignee: Alexander Peshkov [ alexpeshkoff ]

@firebird-automations

Commented by: @AlexPeshkoff

UDFs are deprecated in v.4. That means that UDFs can't be used with the default configuration (parameter "UdfAccess" set to "None"), and all sample UDF libraries (ib_udf, fbudf) are not distributed any more. Most of the functions in those libraries were replaced with built-in analogs in previous versions and are therefore already deprecated. A few remaining functions got a safe replacement in the UDR library "udf_compat", namely div, frac, dow, sdow, getExactTimestampUTC and isLeapYear. Users who still wish to use UDFs should set "UdfAccess" to "Restrict <path-list>". If you never modified this parameter before, path-list is just UDF and the resulting line in firebird.conf should be:
UdfAccess = Restrict UDF
The recommended long-term solution is replacing UDFs with UDRs.

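As an added example (not code from this issue or from the Firebird project), this is the migration a DBA would run against a database before moving to v4 with the default UdfAccess = None: first inventory every function still declared with DECLARE EXTERNAL FUNCTION, then replace one of them with its udf_compat UDR counterpart. It assumes Firebird 3.0+ system tables (RDB$ENGINE_NAME present in RDB$FUNCTIONS), that udf_compat exports an entry point named UC_div, and the INTEGER/DOUBLE PRECISION signature shown; confirm the entry point names and types against the udf_compat library and SQL script shipped with your server.

```sql
-- Added example, not part of the issue. Assumptions: Firebird 3.0+ system
-- tables and the udf_compat entry point name 'UC_div' with this signature.

-- 1. Inventory legacy UDFs. Functions created with DECLARE EXTERNAL FUNCTION
--    carry a module name but no engine; UDRs carry RDB$ENGINE_NAME = 'UDR'.
--    Anything returned here will stop working under UdfAccess = None.
SELECT TRIM(RDB$FUNCTION_NAME) AS function_name,
       TRIM(RDB$MODULE_NAME)   AS module_name,
       TRIM(RDB$ENTRYPOINT)    AS entry_point
FROM RDB$FUNCTIONS
WHERE RDB$MODULE_NAME IS NOT NULL
  AND RDB$ENGINE_NAME IS NULL
ORDER BY 1;

-- 2. Replace one legacy declaration with the UDR from udf_compat.
--    The legacy form is dropped with the legacy statement; the UDR is created
--    with the regular CREATE FUNCTION syntax and loads through the UDR engine
--    rather than as an arbitrary shared library.
DROP EXTERNAL FUNCTION div;

CREATE FUNCTION div (n1 INTEGER, n2 INTEGER)
    RETURNS DOUBLE PRECISION
    EXTERNAL NAME 'udf_compat!UC_div'   -- assumed entry point name
    ENGINE UDR;

-- 3. Sanity check that the replacement resolves and returns a value.
SELECT div(7, 2) AS quotient FROM RDB$DATABASE;
```

Run step 1 on every database attached to the server; only when it returns no rows can firebird.conf stay at the default UdfAccess = None. Until then the interim setting from the comment above (UdfAccess = Restrict UDF) keeps the legacy libraries loadable from the UDF directory only, which is the narrowest setting that still runs the old declarations.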
@firebird-automations

Modified by: @AlexPeshkoff

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 4.0 Beta 1 [ 10750 ]

@firebird-automations

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Resolved [ 5 ]

QA Status: No test => Cannot be tested

@firebird-automations

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Closed [ 6 ]
