Firebird 3 DLL vulnerabilities

Michael Simmons

Aug 13, 2020, 1:15:03 PM
to firebird-support

We are using Firebird 3.0.4 for our products. A client recently went through a security scan and identified a number of DLLs with security issues in Firebird.

msvcp100.dll - support for this Visual C++ 2010 redistributable was ended by Microsoft on 14 July 2020. Also there is one high-risk vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2010-3190

ZLib1.dll - This is version 1.2.8 (latest is 1.2.11). I have been unable to acquire 1.2.11. There are two critical and two high vulnerabilities associated with it: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&cves=on&cpe_version=cpe%3a%2fa%3agnu%3azlib%3a1.2.8

icudt52.dll, icuin52.dll, icuuc52.dll

There are six critical, nine high, and two medium vulnerabilities associated with ICU version 52.1 which can be found here: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&cves=on&cpe_version=cpe%3a%2fa%3aicu-project%3ainternational_components_for_unicode%3a52.1%3a%3a%7e%7e%7ec%252fc%252b%252b%7e%7e

Does anyone know if there are plans to address these? 

Does anyone know what will be the impact of removing these files?

Thanks,

Mike Simmons


Dimitry Sibiryakov

Aug 13, 2020, 1:19:56 PM
to firebird...@googlegroups.com
13.08.2020 18:59, Michael Simmons wrote:
> Does anyone know if there are plans to address these?

MSVC and ICU were already upgraded in Firebird 4. I would recommend using it on this client.

> Does anyone know what will be the impact of removing these files?

Server will stop functioning.

--
WBR, SD.

Michael Simmons

Aug 13, 2020, 1:57:24 PM
to firebird-support
Thank you.  Very helpful!

Vlad Khorsun

Aug 16, 2020, 7:29:56 AM
to firebird-support
On Thursday, 13 August 2020 20:15:03 UTC+3, Michael Simmons wrote:

> We are using Firebird 3.0.4 for our products. A client recently went through a security scan and identified a number of DLLs with security issues in Firebird.
>
> msvcp100.dll - support for this Visual C++ 2010 redistributable was ended by Microsoft on 14 July 2020. Also there is one high-risk vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2010-3190

Firebird does not use MFC, so this vulnerability is not relevant for us.

> ZLib1.dll - This is version 1.2.8 (latest is 1.2.11). I have been unable to acquire 1.2.11. There are two critical and two high vulnerabilities associated with it: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&cves=on&cpe_version=cpe%3a%2fa%3agnu%3azlib%3a1.2.8

Just updated zlib to 1.2.11 in 3.0.7. Firebird 4 already uses 1.2.11.

> icudt52.dll, icuin52.dll, icuuc52.dll
>
> There are six critical, nine high, and two medium vulnerabilities associated with ICU version 52.1 which can be found here: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&cves=on&cpe_version=cpe%3a%2fa%3aicu-project%3ainternational_components_for_unicode%3a52.1%3a%3a%7e%7e%7ec%252fc%252b%252b%7e%7e

You are free to use almost any ICU version with Firebird; you'll probably need to run gfix -fix_icu after the ICU upgrade.

Regards,
Vlad

Ertan Küçükoglu

Aug 16, 2020, 7:34:35 AM
to firebird...@googlegroups.com
Hello,

Is it zlib which uses MFC?

Thanks & Regards,
Ertan Küçükoğlu


On Sun, 16 Aug 2020 at 14:29, Vlad Khorsun <vlad.k...@gmail.com> wrote:

Vlad Khorsun

Aug 16, 2020, 8:46:03 AM
to firebird-support
On Sunday, 16 August 2020 at 14:34:35 UTC+3 ertan.k... wrote:
> Hello,
>
> Is it zlib which uses MFC?

No.

Nothing in the Firebird distribution uses MFC.
The MFC library resides in mfc*.dll, not in msvcp100.dll.
msvcp100.dll has nothing in common with MFC.

Hope it is more clear now,
Vlad

PS zlib is a cross-platform compression library.
MFC is a Windows-only library that supports creating desktop apps.
I failed to see any theoretical possibility for zlib to use MFC in any way.
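
An added example (not part of the thread, and not Firebird project code) for checking a scanner's findings against the files actually present: it groups the ICU, MSVC runtime, MFC and zlib DLLs in a directory by file name and reads the zlib version from the library's own `zlibVersion()` export. The directory argument, the function names and the sample listing are assumptions made for the example.

```python
import ctypes
import re
import sys
from pathlib import Path

# File-name patterns for the bundled libraries named in the thread.
ICU_RE = re.compile(r"^icu(dt|in|uc)(\d+)\.dll$", re.I)
MSVC_RE = re.compile(r"^msvc[pr](\d+)\.dll$", re.I)
MFC_RE = re.compile(r"^mfc\w*\.dll$", re.I)

# Constructed listing that mirrors the files named in the thread.
SAMPLE = ["msvcp100.dll", "msvcr100.dll", "zlib1.dll",
          "icudt52.dll", "icuin52.dll", "icuuc52.dll"]


def inventory(names):
    """Classify DLL file names into the groups a scanner finding refers to."""
    icu, msvc, mfc, zlib = {}, set(), [], None
    for name in names:
        if m := ICU_RE.match(name):
            icu.setdefault(m.group(2), set()).add(m.group(1).lower())
        elif m := MSVC_RE.match(name):
            msvc.add(m.group(1))
        elif MFC_RE.match(name):
            mfc.append(name)
        elif name.lower() == "zlib1.dll":
            zlib = name
    # ICU ships as a matched set: data (dt), i18n (in) and common (uc).
    partial = sorted(v for v, parts in icu.items() if parts != {"dt", "in", "uc"})
    return {"icu_versions": sorted(icu), "icu_partial_sets": partial,
            "msvc_runtimes": sorted(msvc), "mfc_files": mfc, "zlib": zlib}


def zlib_version(dll_path):
    """Ask the library for its own version through zlib's zlibVersion()."""
    lib = ctypes.CDLL(str(dll_path))  # DLL bitness must match the interpreter
    lib.zlibVersion.restype = ctypes.c_char_p
    return lib.zlibVersion().decode("ascii")


if __name__ == "__main__":
    if len(sys.argv) > 1:  # argument: install directory (assumed layout)
        root = Path(sys.argv[1])
        report = inventory(p.name for p in root.glob("*.dll"))
        if report["zlib"]:
            report["zlib_version"] = zlib_version(root / report["zlib"])
    else:
        report = inventory(SAMPLE)
    print(report)
```

An empty `mfc_files` list alongside a flagged msvcp100.dll, and an `icu_partial_sets` entry after replacing only some of the ICU files, are the two results worth looking at first.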

Michael Simmons

Aug 16, 2020, 4:54:30 PM
to firebird-support
Hi Vlad,

Thank you for pointing out the vulnerability did not apply to msvcp100.dll. And also thanks for the solutions for the other two issues.

The only remaining issue is that msvcp100.dll (and msvcr100.dll) are no longer supported. We will need to get FB 4 to resolve that.

Best regards,
Mike Simmons

Mike Simmons

Aug 18, 2020, 2:49:47 PM
to firebird...@googlegroups.com

Hi Vlad,

I was attempting to find documentation of the gfix “-fix_icu” switch that you suggested could be used. For Firebird 3.06 this isn’t listed as one of the valid switches shown when running gfix without any parameters. I couldn’t find this switch in the Firebird 4.0 Release Notes (but I did not try to run the 4.0 gfix to see if it is a valid switch).

Regards,

Mike Simmons


Dmitry Yemanov

Aug 18, 2020, 2:58:32 PM
to firebird...@googlegroups.com
18.08.2020 18:32, Mike Simmons wrote:
> I was attempting to find documentation of the gfix “-fix_icu” switch
> that you suggested could be used. For firebird 3.06 this isn’t listed as
> one of the valid switches shown when running gfix without any
> parameters.

gfix -icu


Dmitry

Mike Simmons

Aug 18, 2020, 4:13:09 PM
to firebird...@googlegroups.com
Thanks Dimitry.

Vlad Khorsun

Aug 18, 2020, 5:10:33 PM
to firebird-support
  Thanks :)

Regards,
Vlad