Re: Zlib vulnerability heads-up.
From | John Gray |
---|---|
Subject | Re: Zlib vulnerability heads-up. |
Date | |
Msg-id | 1015953519.751.7.camel@adzuki |
In reply to | Zlib vulnerability heads-up. (Lamar Owen <lamar.owen@wgcr.org>) |
List | pgsql-hackers |
On Tue, 2002-03-12 at 16:05, Lamar Owen wrote:
> As PostgreSQL uses the zlib library (for TOAST?), this is a heads-up that a
> bug has been found in the zlib library that could cause data corruption or a
> security breach.

True enough, ldd on my system says that postgres is linked against zlib, but
I knew that TOAST didn't use it (it uses src/backend/utils/adt/pg_lzcompress.c),
so what does?

After a quick look, I offer the following summary:

"zlib" is listed as a loadable module in PL/Python (but I don't know whether
this is related to the same zlib at all).

zlib.h *is* used by the "custom" format of pg_dump.

Maybe I'm missing something, though - I just did a grep for "zlib" and
HAVE_LIBZ through the source.

This also suggests that the postgres backend needn't be linked against zlib
at all, if pg_dump is the only utility using it.

The risk from this vulnerability is that someone receiving a dump in custom
format and using pg_restore on it might be at risk of a trojan attack - but
this seems like a very slim risk (how many people would attempt to load a
data dump from an untrusted source into their DB?).

Nonetheless, it's useful to know this (and it also means I've spotted the
(possibly) unnecessary library link :)

Regards

John
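The check John describes above (ldd to see which PostgreSQL binaries actually pull in zlib, then asking whether the zlib on the box is a fixed one) is easy to script. The block below is an added example written for this archive page; it is not code from the thread or from PostgreSQL. It assumes the line format of GNU ld.so's ldd (`soname => path (address)`), treats any `libz.so*` dependency as zlib, and takes 1.1.4 as the first upstream release carrying the fix for the March 2002 inflate bug; the ldd output embedded in it is constructed, and the version floor should be checked against your own distribution's advisory.

```python
"""Audit which binaries link zlib and whether the runtime zlib is fixed.

Added example for the pgsql-hackers archive page; not PostgreSQL code.
Assumptions: GNU ldd output format; libz.so* is the zlib soname; 1.1.4 is
the floor for the 2002 inflate fix (verify against your vendor advisory).
"""
import re
import shutil
import subprocess
import zlib

FIXED_ZLIB = "1.1.4"  # assumed floor; confirm with your distribution

# One ldd dependency line, e.g.
#   libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f2a1c2b0000)
# Lines without "=>" (vdso, the dynamic loader) are deliberately skipped.
_LDD_LINE = re.compile(r"^\s*(\S+)\s*=>\s*(\S*)")

# Constructed sample of ldd output for a binary that links zlib.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd3c5f0000)
\tlibz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f2a1c2b0000)
\tlibcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f2a1c270000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2a1c07e000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f2a1c2e0000)
"""


def parse_ldd(text):
    """Map soname -> resolved path from ldd output ('' when 'not found')."""
    deps = {}
    for line in text.splitlines():
        m = _LDD_LINE.match(line)
        if m:
            path = m.group(2)
            deps[m.group(1)] = "" if path == "not" else path
    return deps


def zlib_dependency(deps):
    """Return the path of the zlib soname a binary links, or None."""
    for name, path in deps.items():
        if name == "libz.so" or name.startswith("libz.so."):
            return path
    return None


def links_zlib(deps):
    return zlib_dependency(deps) is not None


def version_tuple(version):
    """'1.2.11' -> (1, 2, 11); trailing non-numeric suffixes are ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError("unrecognised zlib version: %r" % version)
    return tuple(int(p) for p in m.group(1).split("."))


def is_fixed(version, fixed=FIXED_ZLIB):
    """True when `version` is at or past the assumed fixed release."""
    return version_tuple(version) >= version_tuple(fixed)


def audit_binary(path):
    """Run ldd on a binary; returns (links_zlib, zlib_path), or None if no ldd."""
    if shutil.which("ldd") is None:
        return None
    out = subprocess.run(["ldd", path], capture_output=True, text=True).stdout
    deps = parse_ldd(out)
    return links_zlib(deps), zlib_dependency(deps)


def runtime_zlib_report():
    """(version string of the zlib this interpreter loaded, is it fixed?)."""
    version = zlib.ZLIB_RUNTIME_VERSION
    return version, is_fixed(version)


if __name__ == "__main__":
    # The binaries John grepped for: only pg_dump/pg_restore should need zlib.
    for exe in ("postgres", "pg_dump", "pg_restore"):
        found = shutil.which(exe)
        print(exe, audit_binary(found) if found else "not installed")
    print("runtime zlib:", runtime_zlib_report())
```

Run it on the host that will execute pg_restore; a `postgres` binary that reports `links_zlib == True` is the "possibly unnecessary" link John spotted, while `pg_restore` linking an unfixed zlib is the case his trojan-dump scenario actually needs.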