Fix to CVE-2006-0553 for 8.1.1 - Mailing list pgsql-hackers

From Albert Chin
Subject Fix to CVE-2006-0553 for 8.1.1
Date
Msg-id 20060219213807.GB93931@mail1.thewrittenword.com
Whole thread Raw
Responses Re: Fix to CVE-2006-0553 for 8.1.1
List pgsql-hackers
Does the patch below look like the correct fix to CVE-2006-0553 if
running 8.1.1? I just scanned cvs log from the 8.1 branch, looking for
CVE-2006-0553 and picked out the diffs.

-- 
albert chin (china@thewrittenword.com)

-- snip snip
Index: src/backend/commands/variable.c
===================================================================
--- src/backend/commands/variable.c.orig    2005-11-22 12:23:08.000000000 -0600
+++ src/backend/commands/variable.c    2006-02-19 15:24:40.540106000 -0600
@@ -586,7 +586,9 @@ * by the numeric oid, followed by a comma, followed by the role name. * This cannot be confused
witha plain role name because of the NAMEDATALEN * limit on names, so we can tell whether we're being passed an
initial
- * role name or a saved/restored value.
+ * role name or a saved/restored value.  (NOTE: we rely on guc.c to have
+ * properly truncated any incoming value, but not to truncate already-stored
+ * values.  See GUC_IS_NAME processing.) */extern char *session_authorization_string;        /* in guc.c */
Index: src/include/utils/guc_tables.h
===================================================================
--- src/include/utils/guc_tables.h.orig    2005-07-14 00:13:44.000000000 -0500
+++ src/include/utils/guc_tables.h    2006-02-19 15:29:15.187973000 -0600
@@ -126,6 +126,7 @@#define GUC_DISALLOW_IN_FILE    0x0040    /* can't set in postgresql.conf */#define
GUC_CUSTOM_PLACEHOLDER   0x0080    /* placeholder for custom variable */#define GUC_SUPERUSER_ONLY        0x0100    /*
showonly to superusers */
 
+#define GUC_IS_NAME            0x0200  /* limit string to NAMEDATALEN-1 *//* bit values in status field */#define
GUC_HAVE_TENTATIVE   0x0001        /* tentative value is defined */
 
Index: src/backend/utils/misc/guc.c
===================================================================
--- src/backend/utils/misc/guc.c.orig    2005-11-22 12:23:24.000000000 -0600
+++ src/backend/utils/misc/guc.c    2006-02-19 15:30:21.625766000 -0600
@@ -48,6 +48,7 @@#include "optimizer/prep.h"#include "parser/parse_expr.h"#include "parser/parse_relation.h"
+#include "parser/scansup.h"#include "postmaster/autovacuum.h"#include "postmaster/bgwriter.h"#include
"postmaster/syslogger.h"
@@ -1662,7 +1663,7 @@        {"client_encoding", PGC_USERSET, CLIENT_CONN_LOCALE,            gettext_noop("Sets the
client'scharacter set encoding."),            NULL,
 
-            GUC_REPORT
+            GUC_IS_NAME | GUC_REPORT        },        &client_encoding_string,        "SQL_ASCII",
assign_client_encoding,NULL
 
@@ -1742,7 +1743,8 @@    {        {"default_tablespace", PGC_USERSET, CLIENT_CONN_STATEMENT,
gettext_noop("Setsthe default tablespace to create tables and indexes in."),
 
-            gettext_noop("An empty string selects the database's default tablespace.")
+            gettext_noop("An empty string selects the database's default tablespace."),
+             GUC_IS_NAME        },        &default_tablespace,        "", assign_default_tablespace, NULL
@@ -1900,7 +1902,7 @@        {"server_encoding", PGC_INTERNAL, CLIENT_CONN_LOCALE,            gettext_noop("Sets the
server(database) character set encoding."),            NULL,
 
-            GUC_REPORT | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
+            GUC_IS_NAME | GUC_REPORT | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE        },
&server_encoding_string,       "SQL_ASCII", NULL, NULL
 
@@ -1922,7 +1924,7 @@        {"role", PGC_USERSET, UNGROUPED,            gettext_noop("Sets the current role."),
   NULL,
 
-            GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
+            GUC_IS_NAME | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE        },
 &role_string,        "none", assign_role, show_role
 
@@ -1933,7 +1935,7 @@        {"session_authorization", PGC_USERSET, UNGROUPED,            gettext_noop("Sets the
sessionuser name."),            NULL,
 
-            GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
+            GUC_IS_NAME | GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
    },        &session_authorization_string,        NULL, assign_session_authorization, show_session_authorization
 
@@ -3934,6 +3936,12 @@                    newval = guc_strdup(elevel, value);                    if (newval == NULL)
                   return false;
 
+                    /*
+                     * The only sort of "parsing" check we need to do is
+                     * apply truncation if GUC_IS_NAME.
+                     */
+                    if (conf->gen.flags & GUC_IS_NAME)
+                        truncate_identifier(newval, strlen(newval), true);                }                else if
(conf->reset_val)               {
 
Index: src/backend/utils/mb/encnames.c
===================================================================
--- src/backend/utils/mb/encnames.c.orig    2005-10-14 21:49:33.000000000 -0500
+++ src/backend/utils/mb/encnames.c    2006-02-19 15:35:15.559558000 -0600
@@ -449,7 +449,7 @@    if (name == NULL || *name == '\0')        return NULL;
-    if (strlen(name) > NAMEDATALEN)
+    if (strlen(name) >= NAMEDATALEN)    {#ifdef FRONTEND        fprintf(stderr, "encoding name too long\n");


pgsql-hackers by date:

Previous
From: Martijn van Oosterhout
Date:
Subject: Re: Domains and supporting functions
Next
From: Tom Lane
Date:
Subject: Re: Fix to CVE-2006-0553 for 8.1.1