Postgres Pro
Downloads
Home   >   mailing lists

Re: [GENERAL] PostgreSQL 7.2.2: Security Release - Mailing list pgsql-hackers

From Marc G. Fournier
Subject Re: [GENERAL] PostgreSQL 7.2.2: Security Release
Date
Msg-id 20020825231423.I32477-100000@mail1.hub.org
Whole thread Raw
In response to Re: [GENERAL] PostgreSQL 7.2.2: Security Release  (Bruce Momjian <pgman@candle.pha.pa.us>)
Responses Re: [GENERAL] PostgreSQL 7.2.2: Security Release  ("Christopher Kings-Lynne" <chriskl@familyhealth.com.au>)
List pgsql-hackers
Tree view 
On Sun, 25 Aug 2002, Bruce Momjian wrote:

>
> OK, I understand your point.  What do we need to do now that the
> announcement has already been made?

I'm still slightly confused here ... from what Neil/Gavin have stated so
far, all it sounds like is that if I pass a wrong date/time string, it
will crash the backend ... or is this what I'm missing?

>
> ---------------------------------------------------------------------------
>
> Gavin Sherry wrote:
> > On Sat, 24 Aug 2002, Bruce Momjian wrote:
> >
> > >
> > > The issue is data-provoked crashes vs. query-invoked crashes.  Marc's
> > > point, and I think it was clear enough, is that you can't just poke at
> > > the TCP port and hope to do anything bad, which was the thrust of the
> > > argument, I think.
> >
> > Bruce,
> >
> > I am convinced that someone with enough time on their hands and some code
> > pointed to by Florian Weimer could exploit the datetime overrun issue by
> > crafting a datetime string in such a way as to overrun the buffer and
> > smash the stack.
> >
> > In applications which pass date/time data directly to the database without
> > any validation (is this datetime string greater than 52 bytes? does it
> > look like a date/time string?) then a malicious user without direct
> > database access could crash the database by taking advantage of the short
> > comings in Postgres and the application.
> >
> > As such, I would recommend all people who offer direct access to the
> > database and/or have applications which user date/time data
> > types/functionality to upgrade to 7.2.2.
> >
> > Gavin
> >
> >
> >
> > ---------------------------(end of broadcast)---------------------------
> > TIP 5: Have you checked our extensive FAQ?
> >
> > http://www.postgresql.org/users-lounge/docs/faq.html
> >
>
> --
>   Bruce Momjian                        |  http://candle.pha.pa.us
>   pgman@candle.pha.pa.us               |  (610) 359-1001
>   +  If your life is a hard drive,     |  13 Roberts Road
>   +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
>
> ---------------------------(end of broadcast)---------------------------
> TIP 2: you can get off all lists at once with the unregister command
>     (send "unregister YourEmailAddressHere" to majordomo@postgresql.org)
>

pgsql-hackers by date:

Previous
From: Tatsuo Ishii
Date:
Subject: PostgreSQL 7.2.2 and docs
Next
From: Thomas O'Dowd
Date:
Subject: Re: Deadlock situation using foreign keys (reproduceable)