Fix to CVE-2006-0553 for 8.1.1
| От | Albert Chin |
|---|---|
| Тема | Fix to CVE-2006-0553 for 8.1.1 |
| Дата | |
| Msg-id | 20060219213807.GB93931@mail1.thewrittenword.com обсуждение исходный текст |
| Ответы |
Re: Fix to CVE-2006-0553 for 8.1.1
(Tom Lane <tgl@sss.pgh.pa.us>)
|
| Список | pgsql-hackers |
Does the patch below look like the correct fix to CVE-2006-0553 if
running 8.1.1? I just scanned cvs log from the 8.1 branch, looking for
CVE-2006-0553 and picked out the diffs.
--
albert chin (china@thewrittenword.com)
-- snip snip
Index: src/backend/commands/variable.c
===================================================================
--- src/backend/commands/variable.c.orig 2005-11-22 12:23:08.000000000 -0600
+++ src/backend/commands/variable.c 2006-02-19 15:24:40.540106000 -0600
@@ -586,7 +586,9 @@ * by the numeric oid, followed by a comma, followed by the role name. * This cannot be confused
witha plain role name because of the NAMEDATALEN * limit on names, so we can tell whether we're being passed an
initial
- * role name or a saved/restored value.
+ * role name or a saved/restored value. (NOTE: we rely on guc.c to have
+ * properly truncated any incoming value, but not to truncate already-stored
+ * values. See GUC_IS_NAME processing.) */extern char *session_authorization_string; /* in guc.c */
Index: src/include/utils/guc_tables.h
===================================================================
--- src/include/utils/guc_tables.h.orig 2005-07-14 00:13:44.000000000 -0500
+++ src/include/utils/guc_tables.h 2006-02-19 15:29:15.187973000 -0600
@@ -126,6 +126,7 @@#define GUC_DISALLOW_IN_FILE 0x0040 /* can't set in postgresql.conf */#define
GUC_CUSTOM_PLACEHOLDER 0x0080 /* placeholder for custom variable */#define GUC_SUPERUSER_ONLY 0x0100 /*
showonly to superusers */
+#define GUC_IS_NAME 0x0200 /* limit string to NAMEDATALEN-1 *//* bit values in status field */#define
GUC_HAVE_TENTATIVE 0x0001 /* tentative value is defined */
Index: src/backend/utils/misc/guc.c
===================================================================
--- src/backend/utils/misc/guc.c.orig 2005-11-22 12:23:24.000000000 -0600
+++ src/backend/utils/misc/guc.c 2006-02-19 15:30:21.625766000 -0600
@@ -48,6 +48,7 @@#include "optimizer/prep.h"#include "parser/parse_expr.h"#include "parser/parse_relation.h"
+#include "parser/scansup.h"#include "postmaster/autovacuum.h"#include "postmaster/bgwriter.h"#include
"postmaster/syslogger.h"
@@ -1662,7 +1663,7 @@ {"client_encoding", PGC_USERSET, CLIENT_CONN_LOCALE, gettext_noop("Sets the
client'scharacter set encoding."), NULL,
- GUC_REPORT
+ GUC_IS_NAME | GUC_REPORT }, &client_encoding_string, "SQL_ASCII",
assign_client_encoding,NULL
@@ -1742,7 +1743,8 @@ { {"default_tablespace", PGC_USERSET, CLIENT_CONN_STATEMENT,
gettext_noop("Setsthe default tablespace to create tables and indexes in."),
- gettext_noop("An empty string selects the database's default tablespace.")
+ gettext_noop("An empty string selects the database's default tablespace."),
+ GUC_IS_NAME }, &default_tablespace, "", assign_default_tablespace, NULL
@@ -1900,7 +1902,7 @@ {"server_encoding", PGC_INTERNAL, CLIENT_CONN_LOCALE, gettext_noop("Sets the
server(database) character set encoding."), NULL,
- GUC_REPORT | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
+ GUC_IS_NAME | GUC_REPORT | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE },
&server_encoding_string, "SQL_ASCII", NULL, NULL
@@ -1922,7 +1924,7 @@ {"role", PGC_USERSET, UNGROUPED, gettext_noop("Sets the current role."),
NULL,
- GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
+ GUC_IS_NAME | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE },
&role_string, "none", assign_role, show_role
@@ -1933,7 +1935,7 @@ {"session_authorization", PGC_USERSET, UNGROUPED, gettext_noop("Sets the
sessionuser name."), NULL,
- GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
+ GUC_IS_NAME | GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
}, &session_authorization_string, NULL, assign_session_authorization, show_session_authorization
@@ -3934,6 +3936,12 @@ newval = guc_strdup(elevel, value); if (newval == NULL)
return false;
+ /*
+ * The only sort of "parsing" check we need to do is
+ * apply truncation if GUC_IS_NAME.
+ */
+ if (conf->gen.flags & GUC_IS_NAME)
+ truncate_identifier(newval, strlen(newval), true); } else if
(conf->reset_val) {
Index: src/backend/utils/mb/encnames.c
===================================================================
--- src/backend/utils/mb/encnames.c.orig 2005-10-14 21:49:33.000000000 -0500
+++ src/backend/utils/mb/encnames.c 2006-02-19 15:35:15.559558000 -0600
@@ -449,7 +449,7 @@ if (name == NULL || *name == '\0') return NULL;
- if (strlen(name) > NAMEDATALEN)
+ if (strlen(name) >= NAMEDATALEN) {#ifdef FRONTEND fprintf(stderr, "encoding name too long\n");
В списке pgsql-hackers по дате отправления: