| From: | "Ken Ashcraft" <ken(at)coverity(dot)com> |
|---|---|
| To: | "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Probably security hole in postgresql-7.4.1 |
| Date: | 2004-05-13 08:46:27 |
| Message-ID: | 4809.171.64.70.173.1084437987.spork@webmail.coverity.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
> Ken Ashcraft <ken(at)coverity(dot)com> writes:
>> I work at Coverity where we use static analysis to find bugs in
>> software. I ran a security checker over postgresql-7.4.1 and I think I
>> found a security hole.
>>
>> In the code below, fld_size gets copied in from a user specified file.
>> It is passed as the 'needed' parameter to enlargeStringInfo(). If
>> needed is a very large positive value, the addition 'needed += str->len
>> + 1;' could cause an overflow, making needed a negative number.
>
> I've applied a patch that fixes this issue, as well as the related one
> that enlargeStringInfo could go into an infinite loop.
>
> Although the path of control you identify doesn't seem very threatening
> (since one must already be superuser to execute COPY from a file), the
> same sort of problem could be triggered by sending a malformed data
> packet, thus opening up the problem to anyone who can get past the
> initial postmaster authentication check. So this is more severe than we
> first thought.
>
Great. Thanks for the feedback. If it is serious, is an advisory in order?
Ken
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Larry Rosenman | 2004-05-13 08:56:13 | Re: threads stuff/UnixWare |
| Previous Message | Jean-Michel POURE | 2004-05-13 08:45:39 | Re: Rough draft for Unicode-aware UPPER()/LOWER()/INITCAP() |