| From: | Neil Conway <neilc(at)samurai(dot)com> |
|---|---|
| To: | Neil Conway <neilc(at)samurai(dot)com> |
| Cc: | Sir Mordred The Traitor <mordred(at)s-mail(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: @(#)Mordred Labs advisory 0x0002: Buffer overflow in PostgreSQL |
| Date: | 2002-08-21 17:41:32 |
| Message-ID: | 87y9b0m7n7.fsf@mailbox.samurai.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Neil Conway <neilc(at)samurai(dot)com> writes:
> Sir Mordred The Traitor <mordred(at)s-mail(dot)com> writes:
> > There exists a buffer overflow in a SET TIME ZONE command, that
> > allows an attacker to execute malicious code.
>
> Here's a patch for the problem. I also fixed some other potential
> buffer overruns nearby, and added a little paranoia to another routine
> that uses a statically sized buffer.
The handling of the TZ environmental variable is subject to a buffer
overrun. To see the problem, try:
export TZ=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
postmaster -D /foo/bar&
psql
You get:
NOTICE: Buffer Leak: [26914] (freeNext=0, freePrev=0, rel=0/0, blockNum=0, flags=0x0, refcount=0 1)
[ lots more NOTICEs ]
psql: server closed the connection unexpectedly
This probably means the server terminated abnormally
before or while processing the request.
A revised patch is attached that fixes the problem.
Cheers,
Neil
--
Neil Conway <neilc(at)samurai(dot)com> || PGP Key ID: DB3C29FC
| Attachment | Content-Type | Size |
|---|---|---|
| set_time_zone-4.patch | text/x-patch | 6.6 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Marc G. Fournier | 2002-08-21 17:47:26 | Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in |
| Previous Message | Zeugswetter Andreas SB SD | 2002-08-21 17:39:12 | Re: @(#) Mordred Labs advisory 0x0001: Buffer overflow in |