Re: Probably security hole in postgresql-7.4.1

From: Bruno Wolff III <bruno(at)wolff(dot)to>
To: Shachar Shemesh <psql(at)shemesh(dot)biz>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Probably security hole in postgresql-7.4.1
Date: 2004-05-12 21:36:14
Message-ID: 20040512213614.GA6346@wolff.to
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Wed, May 12, 2004 at 23:36:49 +0300,
Shachar Shemesh <psql(at)shemesh(dot)biz> wrote:
>
> My take on this is different. To me, a DoS is a nuisance, but an
> arbitrary code execution vulnerability means information leak, and a
> major escalation (from which further escalation may be possible).

A DOS is generally more than a nuisance in production environments.
In most cases you aren't going to be giving direct access to your DB
to people that aren't fairly trusted. The exception may be some of
the web hosting places that provide DB backed web pages.

> Not to mention being another chain.

This isn't very significant as you have to authenticate to the DB first
to exploit it. That's a lot less of a problem than something directly
accessible by anyone from the net such as a web server.

> Ok. How about an official patch against 7.4.2 that fixes it, so that
> packagers can make their own informed decision. Also, has anybody
> checked what other versions are affected? Is 7.3? 7.2? Some people can't
> afford to upgrade due to data inconsistancy.

Hasn't it already been committed to 7.4 stable? If so, just grab an update
from CVS.

Something should probably be done about 7.2 and 7.3 if the same bug exists
in those versions. Nobody should be running anything earlier than that.

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Shachar Shemesh 2004-05-12 21:54:19 Re: Probably security hole in postgresql-7.4.1
Previous Message Manfred Spraul 2004-05-12 21:32:14 Re: Linux 2.6.6 also