From: | Greg Copeland <greg(at)CopelandConsulting(dot)Net> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Justin Clift <justin(at)postgresql(dot)org>, Florian Weimer <Weimer(at)CERT(dot)Uni-Stuttgart(dot)DE>, PostgresSQL Hackers Mailing List <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [SECURITY] DoS attack on backend possible (was: Re: |
Date: | 2002-08-12 13:24:16 |
Message-ID: | 1029158657.25246.21.camel@mouse.copelandconsulting.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-committers pgsql-hackers |
Well, if it's a buffer overrun, there is certainly potential for risks
well beyond that of simply crashing the "be". It's certainly possible
that a simple bug in one cgi script or web site could allow someone to
execute code on the database host because of this bug. Assuming they
are running the "be" as "postgres" or some other seemingly harmless
user, it's still possible that complete destruction of any and all
databases which are hosted and accessible by this user can be utterly
destroyed or miscellaneously corrupted.
Buffer over runs should be treated with the up most urgency and
respect. IMO, any known buffer overrun is worthy of an emergency fix
and corresponding advisory.
Greg Copeland
On Sun, 2002-08-11 at 12:09, Tom Lane wrote:
> Justin Clift <justin(at)postgresql(dot)org> writes:
> > Am I understanding this right:
> > - A PostgreSQL 7.2.1 server can be crashed if it gets passed certain
> > date values which would be accepted by standard "front end" parsing?
>
> AFAIK it's a buffer overrun issue, so anything that looks like a
> reasonable date would *not* cause the problem.
>
> regards, tom lane
>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: Have you checked our extensive FAQ?
>
> http://www.postgresql.org/users-lounge/docs/faq.html
From | Date | Subject | |
---|---|---|---|
Next Message | Florian Weimer | 2002-08-12 13:48:10 | Re: [SECURITY] DoS attack on backend possible (was: Re: |
Previous Message | Gerhard Hintermayer | 2002-08-12 09:16:35 | libpgtcl modifications |
From | Date | Subject | |
---|---|---|---|
Next Message | Michael Meskes | 2002-08-12 13:26:03 | Strange bahaviour |
Previous Message | Gavin Sherry | 2002-08-12 08:27:27 | Re: [SECURITY] DoS attack on backend possible (was: Re: |