OK, I understand your point. What do we need to do now that the
announcement has already been made?
---------------------------------------------------------------------------
Gavin Sherry wrote:
> On Sat, 24 Aug 2002, Bruce Momjian wrote:
>
> >
> > The issue is data-provoked crashes vs. query-invoked crashes. Marc's
> > point, and I think it was clear enough, is that you can't just poke at
> > the TCP port and hope to do anything bad, which was the thrust of the
> > argument, I think.
>
> Bruce,
>
> I am convinced that someone with enough time on their hands and some code
> pointed to by Florian Weimer could exploit the datetime overrun issue by
> crafting a datetime string in such a way as to overrun the buffer and
> smash the stack.
>
> In applications which pass date/time data directly to the database without
> any validation (is this datetime string greater than 52 bytes? does it
> look like a date/time string?) then a malicious user without direct
> database access could crash the database by taking advantage of the short
> comings in Postgres and the application.
>
> As such, I would recommend all people who offer direct access to the
> database and/or have applications which user date/time data
> types/functionality to upgrade to 7.2.2.
>
> Gavin
>
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: Have you checked our extensive FAQ?
>
> http://www.postgresql.org/users-lounge/docs/faq.html
>
-- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610)
359-1001+ If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square,
Pennsylvania19073
