Thread: Re: [PATCHES] fix for palloc() of user-supplied length
Neil Conway <neilc@samurai.com> writes:
> This patch fixes the so-called DoS possibility when processing the
> password packet in recv_and_check_passwordv0().

If len is signed, then something like "len < 1" needs to be in there as
well.

More generally, though, I was thinking that the appropriate answer at
this point is to rip out support for version-0 authentication
altogether. I can't believe anyone will be trying to connect to a 7.3
or beyond server with 6.2 client libraries (v0 went away in 6.3 as best
I can tell from the CVS logs). And if they try, it's not unreasonable
to force them to upgrade --- those old client libraries have got to be
pretty buggy themselves. So the utility of the v0 backend code is
dubious, while its potential for more problems is real.

Anyone want to argue that we should keep the v0 protocol support any
longer?

			regards, tom lane
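The point Tom raises above is that a length field taken from the wire and used to size a palloc() has to be checked at both ends when it is signed: an upper bound alone lets a negative value through, and once cast to the allocator's unsigned size type it becomes an enormous request. The C below is an added illustration of that check, not code from PostgreSQL and not recv_and_check_passwordv0() or the v0 packet format; the packet layout (4-byte big-endian signed length followed by the body), the MAX_PASSWORD_BODY cap, the function names and the sample packets are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed packet layout for this example (not the real v0 wire format):
 *   4 bytes   big-endian signed int32, length of the body that follows
 *   len bytes body (the password)
 */
#define MAX_PASSWORD_BODY 1024   /* hypothetical cap, not a PostgreSQL constant */

/* Read a big-endian int32 from the first 4 bytes of p. */
static int32_t read_be32(const unsigned char *p)
{
    uint32_t u = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    return (int32_t)u;
}

/* The pattern the thread warns about: only an upper bound on a signed
 * value. A negative length passes this test. */
int len_ok_upper_bound_only(int32_t len)
{
    return len <= MAX_PASSWORD_BODY;
}

/* Hardened check: reject len < 1 (negative and zero) as well as over-large. */
int len_ok(int32_t len)
{
    return len >= 1 && len <= MAX_PASSWORD_BODY;
}

/* The size the allocator would be handed if the weak check let len through. */
size_t alloc_request_for(int32_t len)
{
    return (size_t)len;   /* -1 becomes SIZE_MAX */
}

/* Parse a packet into out as a NUL-terminated string.
 * Returns 0 on success, -1 on a bad length (or out too small),
 * -2 if the packet is shorter than the length it claims.
 * Nothing is sized from len before len has been validated. */
int parse_password_packet(const unsigned char *pkt, size_t pkt_len,
                          char *out, size_t out_sz)
{
    if (pkt_len < 4)
        return -2;
    int32_t len = read_be32(pkt);
    if (!len_ok(len))
        return -1;
    if ((size_t)len > pkt_len - 4)
        return -2;                       /* would read past the buffer */
    if ((size_t)len + 1 > out_sz)
        return -1;
    memcpy(out, pkt + 4, (size_t)len);
    out[len] = '\0';
    return 0;
}

/* Constructed sample packets (not captured traffic). */
const unsigned char SAMPLE_GOOD[]      = {0, 0, 0, 7, 'h','u','n','t','e','r','2'};
const unsigned char SAMPLE_NEGATIVE[]  = {0xff, 0xff, 0xff, 0xff};          /* len = -1 */
const unsigned char SAMPLE_TRUNCATED[] = {0, 0, 0, 9, 'a', 'b'};            /* claims 9, has 2 */

int main(void)
{
    char buf[64];
    int rc = parse_password_packet(SAMPLE_GOOD, sizeof SAMPLE_GOOD, buf, sizeof buf);
    printf("good packet: rc=%d body=\"%s\"\n", rc, rc == 0 ? buf : "");
    printf("len=-1: weak check accepts=%d, hardened accepts=%d, "
           "weak check would request %zu bytes\n",
           len_ok_upper_bound_only(-1), len_ok(-1), alloc_request_for(-1));
    printf("negative packet: rc=%d\n",
           parse_password_packet(SAMPLE_NEGATIVE, sizeof SAMPLE_NEGATIVE, buf, sizeof buf));
    printf("truncated packet: rc=%d\n",
           parse_password_packet(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, buf, sizeof buf));
    return 0;
}
```

The second bounds test, len against the bytes actually received, is the companion to the signed check: validating the range of len stops the oversized allocation, and validating it against pkt_len stops the copy from running off the end of what was actually read.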
Tom Lane <tgl@sss.pgh.pa.us> writes:
> More generally, though, I was thinking that the appropriate answer
> at this point is to rip out support for version-0 authentication
> altogether. I can't believe anyone will be trying to connect to a
> 7.3 or beyond server with 6.2 client libraries (v0 went away in 6.3
> as best I can tell from the CVS logs).

Further, has this code actually been tested within recent memory? If
not, I wouldn't be surprised to learn that it's suffered some bitrot...

> Anyone want to argue that we should keep the v0 protocol support any
> longer?

Nope, exactly the same thought crossed my mind while I was reading
through the code...

Cheers,

Neil

-- 
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC
Neil Conway <neilc@samurai.com> writes:
> Tom Lane <tgl@sss.pgh.pa.us> writes:
>> More generally, though, I was thinking that the appropriate answer
>> at this point is to rip out support for version-0 authentication
>> altogether.

> Further, has this code actually been tested within recent memory? If
> not, I wouldn't be surprised to learn that it's suffered some
> bitrot...

Yup, that's another good point. I don't think we *have* a way of
testing it any longer, unless someone cares to pull a 6.2 psql from the
archives ...

			regards, tom lane
Neil Conway wrote:
> Tom Lane <tgl@sss.pgh.pa.us> writes:
> > More generally, though, I was thinking that the appropriate answer
> > at this point is to rip out support for version-0 authentication
> > altogether. I can't believe anyone will be trying to connect to a
> > 7.3 or beyond server with 6.2 client libraries (v0 went away in 6.3
> > as best I can tell from the CVS logs).
>
> Further, has this code actually been tested within recent memory? If
> not, I wouldn't be surprised to learn that it's suffered some
> bitrot...
>
> > Anyone want to argue that we should keep the v0 protocol support any
> > longer?
>
> Nope, exactly the same thought crossed my mind while I was reading
> through the code...

Feel free to rip it out.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
> > > Anyone want to argue that we should keep the v0 protocol support any
> > > longer?
> >
> > Nope, exactly the same thought crossed my mind while I was reading
> > through the code...
>
> Feel free to rip it out.

Should probably be mentioned in the release notes.
It will, if a patch is supplied. Anything significant that is mentioned
in the CVS logs gets shown in the release notes.

---------------------------------------------------------------------------

Matthew T. O'Connor wrote:
> > > > Anyone want to argue that we should keep the v0 protocol support any
> > > > longer?
> > >
> > > Nope, exactly the same thought crossed my mind while I was reading
> > > through the code...
> >
> > Feel free to rip it out.
>
> Should probably be mentioned in the release notes.
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 6: Have you searched our list archives?
>
> http://archives.postgresql.org
>

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073