From: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
To: Andres Freund <andres(at)anarazel(dot)de>
Subject: Re: CVE-2016-1238 fix breaks (at least) pg_rewind tests
Andres Freund wrote:

> On 2016-09-08 17:58:03 -0300, Alvaro Herrera wrote:
> > Andres Freund wrote:
> > > ISTM that the easiest fix is to just tack -I '$(srcdir)' into the prove
> > > flags like:
> > > PROVE = @PROVE@
> > > PG_PROVE_FLAGS = -I $(top_srcdir)/src/test/perl/ -I '$(srcdir)'
> > > PROVE_FLAGS = --verbose
> > >
> > > I don't think there's any security concerns for us here.
> > Maybe not, but we could just as well use -I$(top_srcdir)/src/test/perl
> > and not have to think about it.
> That doesn't fix the issue - RewindTest is in src/bin/pg_rewind for
> example. There's already an -I for /src/test/perl.

Doh, you're right. And we have a .pm in src/test/ssl too, which I
assume you didn't catch only because the ssl test is not run by default.
I suppose -I$(srcdir) should be fine. (Why the quotes?)

> > But we have other .pm's ... are there other things that would break once
> > the fix for that problem propagates? I think the msvc stuff will break,
> > for one.
> check-world appears to mostly run (still doing so, but it's mostly
> through everything relevant). I can't vouch for the windows stuff, and
> the invocations indeed look vulnerable. I'm not sure if the fix actually
> matters on windows, given . is the default for pretty much everything

Well, maybe it doesn't matter now but as I understand the fix is going
to enter the next stable upstream perl, so it'll fail eventually. It'd
be saner to just fix the thing completely so that we can forget about
Álvaro Herrera http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
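The breakage the thread describes, as an added shell example (not code from the thread or from PostgreSQL's own Makefiles): it builds a scratch tree with the two helper locations named above, strips `.` from `@INC` the way a perl carrying the CVE-2016-1238 fix does, and checks that `-I` of the shared src/test/perl dir alone is not enough while adding `-I $(srcdir)` is. The tree, the module bodies and the `load_module`/`prove_flags_work` names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): a scratch tree reproduces the failure
# the thread describes. src/test/perl is the shared helper dir already on -I;
# src/bin/pg_rewind holds the test-local RewindTest.pm that was only ever
# found because "." sat in @INC. Tree layout and module bodies are constructed.

# load_module <module> <dir> [-Ipath ...]: try to "use" <module> with <dir>
# as cwd, under an @INC that no longer contains "." (what a perl with the
# CVE-2016-1238 fix gives you). -I paths are prepended by perl before the
# BEGIN block runs, so they survive the filter. Returns perl's exit status.
load_module() {
    mod=$1; dir=$2; shift 2
    ( cd "$dir" && perl "$@" -e \
        'BEGIN { @INC = grep { $_ ne "." } @INC } use '"$mod"'; exit 0' ) 2>/dev/null
}

# prove_flags_work: 0 when all three expectations hold, 1 otherwise,
# 77 when no perl is installed (nothing to demonstrate).
prove_flags_work() {
    command -v perl >/dev/null 2>&1 || { echo "perl not found; skipping"; return 77; }
    scratch=$(mktemp -d) || return 1
    top=$scratch/postgres
    shared=$top/src/test/perl          # already in PG_PROVE_FLAGS via -I
    srcdir=$top/src/bin/pg_rewind      # the dir the thread proposes adding
    mkdir -p "$shared" "$srcdir" || return 1
    printf 'package PostgresNode; 1;\n' > "$shared/PostgresNode.pm"
    printf 'package RewindTest; 1;\n'  > "$srcdir/RewindTest.pm"
    rc=0
    # 1. the shared helper is unaffected: it is reached through an explicit -I
    load_module PostgresNode "$srcdir" "-I$shared" || rc=1
    # 2. the test-local helper breaks: only "." would have found it
    if load_module RewindTest "$srcdir" "-I$shared"; then rc=1; fi
    # 3. adding -I $(srcdir), as proposed in the thread, makes it load again
    load_module RewindTest "$srcdir" "-I$shared" "-I$srcdir" || rc=1
    rm -rf "$scratch"
    return "$rc"
}

prove_flags_work && echo "behaviour matches the thread"
```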