Re: pgsql: Fix backend crash in parsing incorrect tsquery. - Mailing list pgsql-hackers

From Tom Lane
Subject Re: pgsql: Fix backend crash in parsing incorrect tsquery.
Date
Msg-id 16666.1171326022@sss.pgh.pa.us
Whole thread Raw
In response to Re: pgsql: Fix backend crash in parsing incorrect tsquery.  (Jeremy Drake <pgsql@jdrake.com>)
Responses Re: pgsql: Fix backend crash in parsing incorrect tsquery.
List pgsql-hackers
Jeremy Drake <pgsql@jdrake.com> writes:
> On Mon, 12 Feb 2007, Teodor Sigaev wrote:
>> Fix backend crash in parsing incorrect tsquery.

> Is this a security issue?  Does it need a new security release?

We looked at this and determined that the worst that could be done with
it is crash the backend.  Which is annoying, but if we treated every
such bug as a security exercise then we'd be having a new release every
week or so.  Core's current policy is that we'll consider a bug worthy
of a security release if it can be used to force execution of arbitrary
code, access otherwise-unavailable information, etc.  A simple crash is
at worst a momentary denial of service to other DB users, and if you've
got the ability to issue arbitrary SQL there are lots of ways to create
denial-of-service situations of one magnitude or another.

Also, recent history should impress on you the disadvantages of treating
problems as security exercises: patches that go in without any public
review or testing are far more likely to create new problems than those
that go through the normal process.  So setting a low bar for what
constitutes a security issue is likely to decrease the system's overall
reliability.
        regards, tom lane


pgsql-hackers by date:

Previous
From: Jeremy Drake
Date:
Subject: Re: pgsql: Fix backend crash in parsing incorrect tsquery.
Next
From: Tom Lane
Date:
Subject: Re: Acclerating INSERT/UPDATE using UPS