From: | Noah Misch <noah(at)leadboat(dot)com> |
---|---|
To: | Christoph Berg <cb(at)df7cb(dot)de> |
Cc: | pgsql-hackers(at)postgresql(dot)org, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Peter Eisentraut <peter_e(at)gmx(dot)net> |
Subject: | Re: Securing "make check" (CVE-2014-0067) |
Date: | 2014-07-08 17:41:25 |
Message-ID: | 20140708174125.GA1884766@tornado.leadboat.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Tue, Jul 08, 2014 at 07:02:04PM +0200, Christoph Berg wrote:
> Re: Noah Misch 2014-06-08 <20140608135713(dot)GA525142(at)tornado(dot)leadboat(dot)com>
> > Here's an update that places the socket in a temporary subdirectory of /tmp.
> > The first attached patch adds NetBSD mkdtemp() to libpgport. The second,
> > principal, patch uses mkdtemp() to implement this design in pg_regress. The
> > corresponding change to contrib/pg_upgrade/test.sh is based on the "configure"
> > script's arrangements for its temporary directory.
>
> Hi,
>
> I believe pg_upgrade itself still needs a fix. While it's not a
> security problem to put the socket in $CWD while upgrading (it is
> using -c unix_socket_permissions=0700), this behavior is pretty
> unexpected, and does fail if your $CWD is > 107 bytes.
>
> In f545d233ebce6971b6f9847680e48b679e707d22 Peter fixed the pg_ctl
> perl tests to avoid that problem, so imho it would make even more
> sense to fix pg_upgrade which could also fail in production.
+1. Does writing that patch interest you?
--
Noah Misch
EnterpriseDB http://www.enterprisedb.com
From | Date | Subject | |
---|---|---|---|
Next Message | Christoph Berg | 2014-07-08 18:21:48 | Re: Securing "make check" (CVE-2014-0067) |
Previous Message | Josh Berkus | 2014-07-08 17:13:58 | Re: postgresql.auto.conf and reload |