CVE-2023-41038

NameCVE-2023-41038
DescriptionFirebird is a relational database. Versions 4.0.0 through 4.0.3 and version 5.0 beta1 are vulnerable to a server crash when a user uses a specific form of SET BIND statement. Any non-privileged user with minimum access to a server may type a statement with a long `CHAR` length, which causes the server to crash due to stack corruption. Versions 4.0.4.2981 and 5.0.0.117 contain fixes for this issue. No known workarounds are available.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
firebird3.0 (PTS)buster3.0.5.33100.ds4-2fixed
bullseye3.0.7.33374.ds4-2fixed
bookworm3.0.11.33637.ds4-2fixed
sid, trixie3.0.11.33703.ds4-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
firebird3.0source(unstable)(not affected)

Notes

- firebird3.0 <not-affected> (Vulnerable code not present)
https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-6fv8-8rwr-9692
Search for package or bug name: Reporting problems