Re: [GENERAL] PostgreSQL 7.2.2: Security Release - Mailing list pgsql-hackers
| From | Christopher Kings-Lynne |
|---|---|
| Subject | Re: [GENERAL] PostgreSQL 7.2.2: Security Release |
| Date | |
| Msg-id | GNELIHDDFBOCMGBFGEFOMEOACDAA.chriskl@familyhealth.com.au Whole thread Raw |
| In response to | Re: [GENERAL] PostgreSQL 7.2.2: Security Release ("Marc G. Fournier" <scrappy@hub.org>) |
| Responses |
Re: [GENERAL] PostgreSQL 7.2.2: Security Release
("Marc G. Fournier" <scrappy@hub.org>)
|
| List | pgsql-hackers |
*sigh* Someone's marked postgres 7.2.1 as forbidden in FreeBSD ports: FORBIDDEN= "buffer overruns acknowledged by authors--see <URL:http://www3.us.postgresql.org/news.html>" Somewhat of an overreaction...I'm hassling the maintainer at the moment... Chris > -----Original Message----- > From: pgsql-hackers-owner@postgresql.org > [mailto:pgsql-hackers-owner@postgresql.org]On Behalf Of Marc G. Fournier > Sent: Monday, 26 August 2002 10:17 AM > To: Bruce Momjian > Cc: Gavin Sherry; Neil Conway; PostgreSQL Hackers > Subject: Re: [HACKERS] [GENERAL] PostgreSQL 7.2.2: Security Release > > > On Sun, 25 Aug 2002, Bruce Momjian wrote: > > > > > OK, I understand your point. What do we need to do now that the > > announcement has already been made? > > I'm still slightly confused here ... from what Neil/Gavin have stated so > far, all it sounds like is that if I pass a wrong date/time string, it > will crash the backend ... or is this what I'm missing? > > > > > > > ------------------------------------------------------------------ > --------- > > > > Gavin Sherry wrote: > > > On Sat, 24 Aug 2002, Bruce Momjian wrote: > > > > > > > > > > > The issue is data-provoked crashes vs. query-invoked > crashes. Marc's > > > > point, and I think it was clear enough, is that you can't > just poke at > > > > the TCP port and hope to do anything bad, which was the > thrust of the > > > > argument, I think. > > > > > > Bruce, > > > > > > I am convinced that someone with enough time on their hands > and some code > > > pointed to by Florian Weimer could exploit the datetime > overrun issue by > > > crafting a datetime string in such a way as to overrun the buffer and > > > smash the stack. > > > > > > In applications which pass date/time data directly to the > database without > > > any validation (is this datetime string greater than 52 bytes? does it > > > look like a date/time string?) then a malicious user without direct > > > database access could crash the database by taking advantage > of the short > > > comings in Postgres and the application. > > > > > > As such, I would recommend all people who offer direct access to the > > > database and/or have applications which user date/time data > > > types/functionality to upgrade to 7.2.2. > > > > > > Gavin > > > > > > > > > > > > ---------------------------(end of > broadcast)--------------------------- > > > TIP 5: Have you checked our extensive FAQ? > > > > > > http://www.postgresql.org/users-lounge/docs/faq.html > > > > > > > -- > > Bruce Momjian | http://candle.pha.pa.us > > pgman@candle.pha.pa.us | (610) 359-1001 > > + If your life is a hard drive, | 13 Roberts Road > > + Christ can be your backup. | Newtown Square, > Pennsylvania 19073 > > > > ---------------------------(end of broadcast)--------------------------- > > TIP 2: you can get off all lists at once with the unregister command > > (send "unregister YourEmailAddressHere" to majordomo@postgresql.org) > > > > > ---------------------------(end of broadcast)--------------------------- > TIP 4: Don't 'kill -9' the postmaster >
pgsql-hackers by date: