From 675365675425d416da1757b56f2cac78820a4599 Mon Sep 17 00:00:00 2001
From: Adriano dos Santos Fernandes <adrianosf@gmail.com>
Date: Tue, 21 Jan 2020 22:09:17 -0300
Subject: [PATCH] Fixed CORE-6236 - RDB$TIME_ZONE_UTIL package has wrong
 privilege for PUBLIC.

---
 src/jrd/ini.epp | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/src/jrd/ini.epp b/src/jrd/ini.epp
index 84ddfe306e..0a6e185121 100644
--- a/src/jrd/ini.epp
+++ b/src/jrd/ini.epp
@@ -71,9 +71,9 @@ const int FB_MAX_ACL_SIZE	= 4096;
 
 
 static void add_index_set(thread_db*);
-static void add_security_to_sys_obj(thread_db*, AutoRequest&, AutoRequest&, AutoRequest&, 
+static void add_security_to_sys_obj(thread_db*, AutoRequest&, AutoRequest&, AutoRequest&,
 	const MetaName&, USHORT, const MetaName&, USHORT = 0, const UCHAR* = NULL);
-static void add_security_class(thread_db* tdbb, AutoRequest&, const MetaName& class_name, 
+static void add_security_class(thread_db* tdbb, AutoRequest&, const MetaName& class_name,
 	USHORT acl_length, const UCHAR* acl);
 static void add_security_to_sys_rel(thread_db*, AutoRequest&, AutoRequest&, AutoRequest&, const MetaName&,
 	const TEXT*, const USHORT, const UCHAR*);
@@ -411,9 +411,12 @@ void INI_format(const char* owner, const char* charset)
 	const UCHAR NON_REL_OWNER_ACL[] =
 		{ACL_priv_list, priv_control, priv_alter, priv_drop, priv_usage, ACL_end};
 
-	const UCHAR NON_REL_PUBLIC_ACL[] =
+	const UCHAR NON_REL_PUBLIC_USAGE_ACL[] =
 		{ACL_priv_list, priv_usage, ACL_end};
 
+	const UCHAR PKG_PUBLIC_EXECUTE_ACL[] =
+		{ACL_priv_list, priv_execute, ACL_end};
+
 	UCHAR buffer[FB_MAX_ACL_SIZE];
 	UCHAR* acl = buffer;
 	*acl++ = ACL_version;
@@ -431,8 +434,11 @@ void INI_format(const char* owner, const char* charset)
 
 	*acl++ = ACL_id_list;
 	*acl++ = ACL_end;
-	memcpy(acl, NON_REL_PUBLIC_ACL, sizeof(NON_REL_PUBLIC_ACL));
-	acl += sizeof(NON_REL_PUBLIC_ACL);
+
+	UCHAR* aclPublicStart = acl;
+
+	memcpy(acl, NON_REL_PUBLIC_USAGE_ACL, sizeof(NON_REL_PUBLIC_USAGE_ACL));
+	acl += sizeof(NON_REL_PUBLIC_USAGE_ACL);
 	*acl++ = ACL_end; // Put an extra terminator to avoid scl.epp:walk_acl() missing the end.
 
 	USHORT length = acl - buffer;
@@ -471,13 +477,21 @@ void INI_format(const char* owner, const char* charset)
 			add_security_to_sys_obj(tdbb, reqAddSC, reqModObjSC, reqInsUserPriv, ownerName, obj_collation, collation->name, length, buffer);
 		}
 
+		// Must be last!
+		acl = aclPublicStart;
+		memcpy(acl, PKG_PUBLIC_EXECUTE_ACL, sizeof(PKG_PUBLIC_EXECUTE_ACL));
+		acl += sizeof(PKG_PUBLIC_EXECUTE_ACL);
+		*acl++ = ACL_end; // Put an extra terminator to avoid scl.epp:walk_acl() missing the end.
+		length = acl - buffer;
+
 		reqModObjSC.reset();
 		for (auto& systemPackage : SystemPackage::get())
 		{
 			if (systemPackage.odsVersion > ENCODE_ODS(dbb->dbb_ods_version, dbb->dbb_minor_version))
 				continue;
 
-			add_security_to_sys_obj(tdbb, reqAddSC, reqModObjSC, reqInsUserPriv, ownerName, obj_package_header, systemPackage.name, length, buffer);
+			add_security_to_sys_obj(tdbb, reqAddSC, reqModObjSC, reqInsUserPriv, ownerName,
+				obj_package_header, systemPackage.name, length, buffer);
 		}
 	}
 
@@ -1091,8 +1105,8 @@ static void add_security_to_sys_rel(thread_db*	tdbb,
 
 // Add security to system objects.
 static void add_security_to_sys_obj(thread_db* tdbb,
-									AutoRequest& reqAddSC, 
-									AutoRequest& reqModObjSC, 
+									AutoRequest& reqAddSC,
+									AutoRequest& reqModObjSC,
 									AutoRequest& reqInsUserPriv,
 									const MetaName& user_name,
 									USHORT obj_type,