Re: Securing "make check" (CVE-2014-0067)

Re: Noah Misch 2014-06-08 <20140608135713(dot)GA525142(at)tornado(dot)leadboat(dot)com>
> Here's an update that places the socket in a temporary subdirectory of /tmp.
> The first attached patch adds NetBSD mkdtemp() to libpgport. The second,
> principal, patch uses mkdtemp() to implement this design in pg_regress. The
> corresponding change to contrib/pg_upgrade/test.sh is based on the "configure"
> script's arrangements for its temporary directory.

Hi,

I believe pg_upgrade itself still needs a fix. While it's not a
security problem to put the socket in $CWD while upgrading (it is
using -c unix_socket_permissions=0700), this behavior is pretty
unexpected, and does fail if your $CWD is > 107 bytes.

In f545d233ebce6971b6f9847680e48b679e707d22 Peter fixed the pg_ctl
perl tests to avoid that problem, so imho it would make even more
sense to fix pg_upgrade which could also fail in production.

This has been discussed here and elsewhere [1] before, but was
rejected as not being in line what the other utilities do, but now
pg_upgrade is the lone outlier. Noah's changes let Debian drop 4 out
of 5 pg_regress-sockdir patches, having this fixed would also let us
get rid of the last one [2].

[1] http://lists.debian.org/debian-wb-team/2013/05/msg00015.html
[2] https://alioth.debian.org/scm/loggerhead/pkg-postgresql/postgresql-9.5/trunk/view/head:/debian/patches/64-pg_upgrade-sockdir

Christoph
--
cb(at)df7cb(dot)de | http://www.df7cb.de/