On 2009-05-05, Sikkerhed.org ApS <support@sikkerhed.org> wrote:
>
> The following bug has been logged online:
>
> Bug reference: 4791
> Logged by: Sikkerhed.org ApS
> Email address: support@sikkerhed.org
> PostgreSQL version: 8.3.7-0lenny1
> Operating system: Debian GNU/Linux 5.0.1 stable (fully updated)
> Description: NULL value in function causes reproducible segmentation
> fault
> Details:
>
> We are using a couple of functions in PostgreSQL, namely
>
> CREATE OR REPLACE FUNCTION digest(text, text) RETURNS bytea AS
> '$libdir/pgcrypto', 'pg_digest' LANGUAGE 'C';
>
> CREATE OR REPLACE FUNCTION sha1(text) RETURNS text AS 'SELECT
> ENCODE(DIGEST($1, ''sha1''), ''hex'') AS result' LANGUAGE 'SQL';
>
>
> We experienced a bad crash on our production server, and narrowed it down to
> a reproducible test case.
>
> The following query will crash the server every time:
>
> SELECT SHA1(NULL);
>
> Please let us know if you require more information.
AFAICT this exploits a documented feature of the 'C' language, namely
if you crash the C the backend is compromised.
the fix is easy:
CREATE OR REPLACE FUNCTION digest(text, text) RETURNS bytea AS
'$libdir/pgcrypto', 'pg_digest' LANGUAGE 'C'
RETURNS NULL ON NULL INPUT ;