Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitaa27464

Browse files
committed
Prevent execution of enum_recv() from SQL.
This function was misdeclared to take cstring when it should take internal.This at least allows crashing the server, and in principle an attackermight be able to use the function to examine the contents of server memory.The correct fix is to adjust the system catalog contents (and fix theregression tests that should have caught this but failed to). However,asking users to correct the catalog contents in existing installationsis a pain, so as a band-aid fix for the back branches, install a checkin enum_recv() to make it throw error if called with a cstring argument.We will later revert this in HEAD in favor of correcting the catalogs.Our thanks to Sumit Soni (via Secunia SVCRP) for reporting this issue.Security:CVE-2013-0255
1 parentfea6323 commitaa27464

File tree

2 files changed

+18
-0
lines changed

2 files changed

+18
-0
lines changed

‎doc/src/sgml/release-8.3.sgml

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -40,6 +40,19 @@
4040

4141
<itemizedlist>
4242

43+
<listitem>
44+
<para>
45+
Prevent execution of <function>enum_recv</> from SQL (Tom Lane)
46+
</para>
47+
48+
<para>
49+
The function was misdeclared, allowing a simple SQL command to crash the
50+
server. In principle an attacker might be able to use it to examine the
51+
contents of server memory. Our thanks to Sumit Soni (via Secunia SVCRP)
52+
for reporting this issue. (CVE-2013-0255)
53+
</para>
54+
</listitem>
55+
4356
<listitem>
4457
<para>
4558
Fix SQL grammar to allow subscripting or field selection from a

‎src/backend/utils/adt/enum.c

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,7 @@
1414
#include"postgres.h"
1515

1616
#include"catalog/pg_enum.h"
17+
#include"catalog/pg_type.h"
1718
#include"fmgr.h"
1819
#include"utils/array.h"
1920
#include"utils/builtins.h"
@@ -99,6 +100,10 @@ enum_recv(PG_FUNCTION_ARGS)
99100
char*name;
100101
intnbytes;
101102

103+
/* guard against pre-9.3 misdeclaration of enum_recv */
104+
if (get_fn_expr_argtype(fcinfo->flinfo,0)==CSTRINGOID)
105+
elog(ERROR,"invalid argument for enum_recv");
106+
102107
name=pq_getmsgtext(buf,buf->len-buf->cursor,&nbytes);
103108

104109
/* must check length to prevent Assert failure within SearchSysCache */

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp