Re: [GENERAL] PostgreSQL 7.2.2: Security Release - Mailing list pgsql-hackers

From Neil Conway
Subject Re: [GENERAL] PostgreSQL 7.2.2: Security Release
Date
Msg-id 874rdkc2w8.fsf@mailbox.samurai.com
Whole thread Raw
In response to Re: [GENERAL] PostgreSQL 7.2.2: Security Release  ("Marc G. Fournier" <scrappy@hub.org>)
Responses Re: [GENERAL] PostgreSQL 7.2.2: Security Release
List pgsql-hackers
"Marc G. Fournier" <scrappy@hub.org> writes:

> On 23 Aug 2002, Neil Conway wrote:
> > The datetime overrun does not require the ability to connect to
> > the database.
> 
> Ack ... obviously I missed something, but, if you can't get a
> connection to the database, how exactly is this one triggered? :(

If the application is accepting datetime input from the user ('what's
your birthday?', for example), and isn't doing some non-obvious input
validation on it (namely, checking that the input string isn't too
long), you can crash the backend. Gavin says executing arbitrary code
using the hole would be extremely difficult, but it's at least
conceivable.

Cheers,

Neil

-- 
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC



pgsql-hackers by date:

Previous
From: "Marc G. Fournier"
Date:
Subject: Re: [GENERAL] PostgreSQL 7.2.2: Security Release
Next
From: "Marc G. Fournier"
Date:
Subject: Re: [GENERAL] PostgreSQL 7.2.2: Security Release