From: Damyan I. <da...@mo...> - 2007-10-02 13:59:06
|
Hi, I'd like your opinion on the following CVE[0] issued for firebird2.1. [0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2606 I would like your opinion on two points: 1) whether this presents a real treat 2) whether 2.0.3 is affected _____________________________________________ CVE-2007-2606: Multiple buffer overflows in Firebird 2.1 allow attackers to trigger memory corruption and possibly have other unspecified impact via certain input processed by (1) config\ConfigFile.cpp or (2) msgs\check_msgs.epp. NOTE: if ConfigFile.cpp reads a configuration file with restrictive permissions, then the ConfigFile.cpp vector may not cross privilege boundaries and perhaps should not be included in CVE. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ As I understand it, the first problem requires fiddling with config files, which are owned by root anyway; and second file is used only during build process. Am I right thinking the problems don't pose real treats? Unfortunately more details are not available currently (at least I can't find more). -- dam JabberID: da...@ja... |