Re: [SECURITY] DoS attack on backend possible (was: Re: - Mailing list pgsql-hackers

From Justin Clift
Subject Re: [SECURITY] DoS attack on backend possible (was: Re:
Date
Msg-id 3D56ABCF.432397DE@postgresql.org
In response to Re: [COMMITTERS] pgsql-server/src include/utils/timestamp.h bac ...  (Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>)
List pgsql-hackers

Hi Florian,

Very hard call.

If this was even a "fringe case" whereby even only a few places that are
doing "the right thing" would be compromisable, then we should probably
go for a 7.2.2.  Even if it's only 7.2.1 with this one bug fix.

However, it sounds like this bug is really only going to affect those
places which aren't correctly implementing *proper*, *decent* input
validation, and are then passing this not-properly-checked value
straight into a SQL string for execution by the server.

Doing that (not input checking properly) is a brain damaged concept all
by itself.  :(

Is this scenario of not properly checking the input the only way
PostgreSQL could be crashed by this bug In Real Life?

Having said this, is this what 7.2.2 here would require doing:

- Create an archive of 7.2.1+bugfix, and call it 7.2.2, gzip, md5, etc,
as appropriate, put on site
- Update CVS appropriately
- Create a new press release for 7.2.2, spread that appropriately too
- Add an entry to the main website

I reckon the only reason for making a 7.2.2 for this would be to help
ensure newbie (or very tired) coders don't get their servers taken out
by clueful malicious types.

Regards and best wishes,

Justin Clift


Florian Weimer wrote:
> 
> Justin Clift <justin@postgresql.org> writes:
> 
> >  - A PostgreSQL 7.2.1 server can be crashed if it gets passed certain
> > date values which would be accepted by standard "front end" parsing?
> > So, a web application layer can request a date from a user, do standard
> > integrity checks (like looking for weird characters and formatting
> > hacks) on the date given, then use the date as part of a SQL query, and
> > PostgreSQL will die?
> 
> It depends on the checking.  If you just check that the date consists
> of digits (and a few additional characters), it's possible to crash
> the server.
> 
> --
> Florian Weimer                    Weimer@CERT.Uni-Stuttgart.DE
> University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
> RUS-CERT                          fax +49-711-685-5898

-- 
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."  - Indira Gandhi
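
Added example, not part of the original message or of PostgreSQL: a character-set check of the kind the thread calls insufficient, next to a strict parse that fixes the layout, rejects impossible dates and enforces a range before the value is bound as a query parameter. The table and column names, the accepted date range and all sample inputs are assumptions constructed for illustration.

```python
import re
from datetime import date, datetime

# Character-set check of the kind the thread calls insufficient:
# digits plus a few separator characters, with no length or structure test.
WEAK_DATE_CHARS = re.compile(r"[0-9 :./-]+")
ISO_DATE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")

def weak_check(value: str) -> bool:
    return WEAK_DATE_CHARS.fullmatch(value) is not None

def strict_date(value: str,
                earliest: date = date(1900, 1, 1),
                latest: date = date(2100, 12, 31)) -> date:
    """Parse one fixed format, then enforce the range the application expects."""
    if ISO_DATE.fullmatch(value) is None:       # fixed length and layout
        raise ValueError("not in YYYY-MM-DD form")
    parsed = datetime.strptime(value, "%Y-%m-%d").date()  # rejects 02-30 etc.
    if not earliest <= parsed <= latest:        # assumed application bounds
        raise ValueError("date outside accepted range")
    return parsed

def build_query(value: str):
    """Return SQL text and parameters separately (DB-API 'format' style)."""
    # 'events' and 'created_on' are hypothetical names.
    return "SELECT id FROM events WHERE created_on = %s", (strict_date(value),)

# Constructed inputs; none is taken from the thread.
SAMPLES = ["2002-08-11", "2002-02-30", "--..::  //",
           "2002-08-11" + "0" * 40, "1752-09-02"]

def classify(samples):
    """Map each sample to (passes weak check, passes strict check)."""
    result = {}
    for s in samples:
        try:
            strict_date(s)
            strict_ok = True
        except ValueError:
            strict_ok = False
        result[s] = (weak_check(s), strict_ok)
    return result

if __name__ == "__main__":
    for sample, verdict in classify(SAMPLES).items():
        print(f"{sample[:24]!r:28} weak={verdict[0]} strict={verdict[1]}")
```

Every sample passes the character-set check, but only the first survives the strict parse and reaches the query as a bound parameter.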

