Re: [GENERAL] PostgreSQL 7.2.2: Security Release - Mailing list pgsql-hackers
| From | Marc G. Fournier |
|---|---|
| Subject | Re: [GENERAL] PostgreSQL 7.2.2: Security Release |
| Date | |
| Msg-id | 20020826104345.F39279-100000@mail1.hub.org Whole thread Raw |
| In response to | Re: [GENERAL] PostgreSQL 7.2.2: Security Release ("Christopher Kings-Lynne" <chriskl@familyhealth.com.au>) |
| List | pgsql-hackers |
On Mon, 26 Aug 2002, Christopher Kings-Lynne wrote: > *sigh* Someone's marked postgres 7.2.1 as forbidden in FreeBSD ports: > > FORBIDDEN= "buffer overruns acknowledged by authors--see > <URL:http://www3.us.postgresql.org/news.html>" > > Somewhat of an overreaction...I'm hassling the maintainer at the moment... already fixed ... > > -----Original Message----- > > From: pgsql-hackers-owner@postgresql.org > > [mailto:pgsql-hackers-owner@postgresql.org]On Behalf Of Marc G. Fournier > > Sent: Monday, 26 August 2002 10:17 AM > > To: Bruce Momjian > > Cc: Gavin Sherry; Neil Conway; PostgreSQL Hackers > > Subject: Re: [HACKERS] [GENERAL] PostgreSQL 7.2.2: Security Release > > > > > > On Sun, 25 Aug 2002, Bruce Momjian wrote: > > > > > > > > OK, I understand your point. What do we need to do now that the > > > announcement has already been made? > > > > I'm still slightly confused here ... from what Neil/Gavin have stated so > > far, all it sounds like is that if I pass a wrong date/time string, it > > will crash the backend ... or is this what I'm missing? > > > > > > > > > > > > ------------------------------------------------------------------ > > --------- > > > > > > Gavin Sherry wrote: > > > > On Sat, 24 Aug 2002, Bruce Momjian wrote: > > > > > > > > > > > > > > The issue is data-provoked crashes vs. query-invoked > > crashes. Marc's > > > > > point, and I think it was clear enough, is that you can't > > just poke at > > > > > the TCP port and hope to do anything bad, which was the > > thrust of the > > > > > argument, I think. > > > > > > > > Bruce, > > > > > > > > I am convinced that someone with enough time on their hands > > and some code > > > > pointed to by Florian Weimer could exploit the datetime > > overrun issue by > > > > crafting a datetime string in such a way as to overrun the buffer and > > > > smash the stack. > > > > > > > > In applications which pass date/time data directly to the > > database without > > > > any validation (is this datetime string greater than 52 bytes? does it > > > > look like a date/time string?) then a malicious user without direct > > > > database access could crash the database by taking advantage > > of the short > > > > comings in Postgres and the application. > > > > > > > > As such, I would recommend all people who offer direct access to the > > > > database and/or have applications which user date/time data > > > > types/functionality to upgrade to 7.2.2. > > > > > > > > Gavin > > > > > > > > > > > > > > > > ---------------------------(end of > > broadcast)--------------------------- > > > > TIP 5: Have you checked our extensive FAQ? > > > > > > > > http://www.postgresql.org/users-lounge/docs/faq.html > > > > > > > > > > -- > > > Bruce Momjian | http://candle.pha.pa.us > > > pgman@candle.pha.pa.us | (610) 359-1001 > > > + If your life is a hard drive, | 13 Roberts Road > > > + Christ can be your backup. | Newtown Square, > > Pennsylvania 19073 > > > > > > ---------------------------(end of broadcast)--------------------------- > > > TIP 2: you can get off all lists at once with the unregister command > > > (send "unregister YourEmailAddressHere" to majordomo@postgresql.org) > > > > > > > > > ---------------------------(end of broadcast)--------------------------- > > TIP 4: Don't 'kill -9' the postmaster > > > >
pgsql-hackers by date: