From: | "Marc G(dot) Fournier" <scrappy(at)hub(dot)org> |
---|---|
To: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
Cc: | Gavin Sherry <swm(at)linuxworld(dot)com(dot)au>, Neil Conway <neilc(at)samurai(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [GENERAL] PostgreSQL 7.2.2: Security Release |
Date: | 2002-08-26 02:16:41 |
Message-ID: | 20020825231423.I32477-100000@mail1.hub.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-announce pgsql-general pgsql-hackers |
On Sun, 25 Aug 2002, Bruce Momjian wrote:
>
> OK, I understand your point. What do we need to do now that the
> announcement has already been made?
I'm still slightly confused here ... from what Neil/Gavin have stated so
far, all it sounds like is that if I pass a wrong date/time string, it
will crash the backend ... or is this what I'm missing?
>
> ---------------------------------------------------------------------------
>
> Gavin Sherry wrote:
> > On Sat, 24 Aug 2002, Bruce Momjian wrote:
> >
> > >
> > > The issue is data-provoked crashes vs. query-invoked crashes. Marc's
> > > point, and I think it was clear enough, is that you can't just poke at
> > > the TCP port and hope to do anything bad, which was the thrust of the
> > > argument, I think.
> >
> > Bruce,
> >
> > I am convinced that someone with enough time on their hands and some code
> > pointed to by Florian Weimer could exploit the datetime overrun issue by
> > crafting a datetime string in such a way as to overrun the buffer and
> > smash the stack.
> >
> > In applications which pass date/time data directly to the database without
> > any validation (is this datetime string greater than 52 bytes? does it
> > look like a date/time string?) then a malicious user without direct
> > database access could crash the database by taking advantage of the short
> > comings in Postgres and the application.
> >
> > As such, I would recommend all people who offer direct access to the
> > database and/or have applications which user date/time data
> > types/functionality to upgrade to 7.2.2.
> >
> > Gavin
> >
> >
> >
> > ---------------------------(end of broadcast)---------------------------
> > TIP 5: Have you checked our extensive FAQ?
> >
> > http://www.postgresql.org/users-lounge/docs/faq.html
> >
>
> --
> Bruce Momjian | http://candle.pha.pa.us
> pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
> + If your life is a hard drive, | 13 Roberts Road
> + Christ can be your backup. | Newtown Square, Pennsylvania 19073
>
> ---------------------------(end of broadcast)---------------------------
> TIP 2: you can get off all lists at once with the unregister command
> (send "unregister YourEmailAddressHere" to majordomo(at)postgresql(dot)org)
>
From | Date | Subject | |
---|---|---|---|
Next Message | Christopher Kings-Lynne | 2002-08-26 05:06:48 | Re: [GENERAL] PostgreSQL 7.2.2: Security Release |
Previous Message | Bruce Momjian | 2002-08-25 14:34:29 | Re: [GENERAL] PostgreSQL 7.2.2: Security Release |
From | Date | Subject | |
---|---|---|---|
Next Message | Stephan Szabo | 2002-08-26 03:41:40 | Re: Controling Rule's Firing Order |
Previous Message | Bruce Momjian | 2002-08-26 00:51:35 | Re: Solved! MacOS X and external functions |
From | Date | Subject | |
---|---|---|---|
Next Message | Thomas O'Dowd | 2002-08-26 02:27:12 | Re: Deadlock situation using foreign keys (reproduceable) |
Previous Message | Tatsuo Ishii | 2002-08-26 02:08:50 | PostgreSQL 7.2.2 and docs |