Thread: Fix to CVE-2006-0553 for 8.1.1

Fix to CVE-2006-0553 for 8.1.1

From
Albert Chin
Date:
Does the patch below look like the correct fix to CVE-2006-0553 if
running 8.1.1? I just scanned cvs log from the 8.1 branch, looking for
CVE-2006-0553 and picked out the diffs.

-- 
albert chin (china@thewrittenword.com)

-- snip snip
Index: src/backend/commands/variable.c
===================================================================
--- src/backend/commands/variable.c.orig    2005-11-22 12:23:08.000000000 -0600
+++ src/backend/commands/variable.c    2006-02-19 15:24:40.540106000 -0600
@@ -586,7 +586,9 @@ * by the numeric oid, followed by a comma, followed by the role name. * This cannot be confused
witha plain role name because of the NAMEDATALEN * limit on names, so we can tell whether we're being passed an
initial
- * role name or a saved/restored value.
+ * role name or a saved/restored value.  (NOTE: we rely on guc.c to have
+ * properly truncated any incoming value, but not to truncate already-stored
+ * values.  See GUC_IS_NAME processing.) */extern char *session_authorization_string;        /* in guc.c */
Index: src/include/utils/guc_tables.h
===================================================================
--- src/include/utils/guc_tables.h.orig    2005-07-14 00:13:44.000000000 -0500
+++ src/include/utils/guc_tables.h    2006-02-19 15:29:15.187973000 -0600
@@ -126,6 +126,7 @@#define GUC_DISALLOW_IN_FILE    0x0040    /* can't set in postgresql.conf */#define
GUC_CUSTOM_PLACEHOLDER   0x0080    /* placeholder for custom variable */#define GUC_SUPERUSER_ONLY        0x0100    /*
showonly to superusers */
 
+#define GUC_IS_NAME            0x0200  /* limit string to NAMEDATALEN-1 *//* bit values in status field */#define
GUC_HAVE_TENTATIVE   0x0001        /* tentative value is defined */
 
Index: src/backend/utils/misc/guc.c
===================================================================
--- src/backend/utils/misc/guc.c.orig    2005-11-22 12:23:24.000000000 -0600
+++ src/backend/utils/misc/guc.c    2006-02-19 15:30:21.625766000 -0600
@@ -48,6 +48,7 @@#include "optimizer/prep.h"#include "parser/parse_expr.h"#include "parser/parse_relation.h"
+#include "parser/scansup.h"#include "postmaster/autovacuum.h"#include "postmaster/bgwriter.h"#include
"postmaster/syslogger.h"
@@ -1662,7 +1663,7 @@        {"client_encoding", PGC_USERSET, CLIENT_CONN_LOCALE,            gettext_noop("Sets the
client'scharacter set encoding."),            NULL,
 
-            GUC_REPORT
+            GUC_IS_NAME | GUC_REPORT        },        &client_encoding_string,        "SQL_ASCII",
assign_client_encoding,NULL
 
@@ -1742,7 +1743,8 @@    {        {"default_tablespace", PGC_USERSET, CLIENT_CONN_STATEMENT,
gettext_noop("Setsthe default tablespace to create tables and indexes in."),
 
-            gettext_noop("An empty string selects the database's default tablespace.")
+            gettext_noop("An empty string selects the database's default tablespace."),
+             GUC_IS_NAME        },        &default_tablespace,        "", assign_default_tablespace, NULL
@@ -1900,7 +1902,7 @@        {"server_encoding", PGC_INTERNAL, CLIENT_CONN_LOCALE,            gettext_noop("Sets the
server(database) character set encoding."),            NULL,
 
-            GUC_REPORT | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
+            GUC_IS_NAME | GUC_REPORT | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE        },
&server_encoding_string,       "SQL_ASCII", NULL, NULL
 
@@ -1922,7 +1924,7 @@        {"role", PGC_USERSET, UNGROUPED,            gettext_noop("Sets the current role."),
   NULL,
 
-            GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
+            GUC_IS_NAME | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE        },
 &role_string,        "none", assign_role, show_role
 
@@ -1933,7 +1935,7 @@        {"session_authorization", PGC_USERSET, UNGROUPED,            gettext_noop("Sets the
sessionuser name."),            NULL,
 
-            GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
+            GUC_IS_NAME | GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
    },        &session_authorization_string,        NULL, assign_session_authorization, show_session_authorization
 
@@ -3934,6 +3936,12 @@                    newval = guc_strdup(elevel, value);                    if (newval == NULL)
                   return false;
 
+                    /*
+                     * The only sort of "parsing" check we need to do is
+                     * apply truncation if GUC_IS_NAME.
+                     */
+                    if (conf->gen.flags & GUC_IS_NAME)
+                        truncate_identifier(newval, strlen(newval), true);                }                else if
(conf->reset_val)               {
 
Index: src/backend/utils/mb/encnames.c
===================================================================
--- src/backend/utils/mb/encnames.c.orig    2005-10-14 21:49:33.000000000 -0500
+++ src/backend/utils/mb/encnames.c    2006-02-19 15:35:15.559558000 -0600
@@ -449,7 +449,7 @@    if (name == NULL || *name == '\0')        return NULL;
-    if (strlen(name) > NAMEDATALEN)
+    if (strlen(name) >= NAMEDATALEN)    {#ifdef FRONTEND        fprintf(stderr, "encoding name too long\n");


Re: Fix to CVE-2006-0553 for 8.1.1

From
Tom Lane
Date:
Albert Chin <pgsql-hackers@mlists.thewrittenword.com> writes:
> Does the patch below look like the correct fix to CVE-2006-0553 if
> running 8.1.1?

Why in the world would you not install 8.1.3 instead?  Or are you hoping
to get burnt by one of the *other* bugs in 8.1.1?
        regards, tom lane


Re: Fix to CVE-2006-0553 for 8.1.1

From
Albert Chin
Date:
On Sun, Feb 19, 2006 at 05:14:32PM -0500, Tom Lane wrote:
> Albert Chin <pgsql-hackers@mlists.thewrittenword.com> writes:
> > Does the patch below look like the correct fix to CVE-2006-0553 if
> > running 8.1.1?
> 
> Why in the world would you not install 8.1.3 instead?  Or are you hoping
> to get burnt by one of the *other* bugs in 8.1.1?

We've already deployed 8.1.1 to some customers. We will offer 8.1.3
but if they want to upgrade 8.1.1 to fix the security issue, we want
this to be an option.

-- 
albert chin (china@thewrittenword.com)


Re: Fix to CVE-2006-0553 for 8.1.1

From
Tom Lane
Date:
Albert Chin <pgsql-hackers@mlists.thewrittenword.com> writes:
> On Sun, Feb 19, 2006 at 05:14:32PM -0500, Tom Lane wrote:
>> Why in the world would you not install 8.1.3 instead?  Or are you hoping
>> to get burnt by one of the *other* bugs in 8.1.1?

> We've already deployed 8.1.1 to some customers. We will offer 8.1.3
> but if they want to upgrade 8.1.1 to fix the security issue, we want
> this to be an option.

You want an option to leave data-loss-causing bugs unfixed, eh?  Make
sure you make those customers sign a disclaimer that it's their fault
not yours when the ReadBuffer bug eats their data.
        regards, tom lane