On 03/03/2014 02:00 AM, Tom Lane wrote:
> Josh Berkus <josh@agliodbs.com> writes:
>> The only way I can see this being of real use to an attacker is if they
>> could use this exploit to create a wormed version of PostgresQL on the
>> target build system. Is that possible?
> It's theoretically possible, since having broken into the build user's
> account they could modify the already-built-but-not-yet-packaged PG
> executables.
>
> Having said that, though, I concur with the feeling that this probably
> isn't a useful exploit in practice. On Red Hat's build systems, for
> example, different packages are built in different chroots. So even if
> a malicious package is being built concurrently, it could not reach the
> postmaster's socket. A breakin would only be possible for somebody who
> had outside-the-chroots control of the build machine ... in which case
> they can hack pretty much any built package pretty much any way they
> want, without need for anything as fiddly as this.
>
> Other vendors might do things differently, but it still seems likely
> that there would be easier exploits available to anyone who's managed
> to get control on a machine used for package building.
>
>
I'm less worried about vendor build systems and more about roll your own
systems like Gentoo, FreeBSD ports, and Homebrew.
cheers
andrew