Re: CVE-2016-1238 fix breaks (at least) pg_rewind tests

From: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
To: Andres Freund <andres(at)anarazel(dot)de>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: CVE-2016-1238 fix breaks (at least) pg_rewind tests
Date: 2016-09-08 21:13:06
Message-ID: 20160908211306.GA61403@alvherre.pgsql
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

Andres Freund wrote:
> On 2016-09-08 17:58:03 -0300, Alvaro Herrera wrote:
> > Andres Freund wrote:
> >
> > > ISTM that the easiest fix is to just tack -I '$(srcdir)' into the prove
> > > flags like:
> > > PROVE = @PROVE@
> > > PG_PROVE_FLAGS = -I $(top_srcdir)/src/test/perl/ -I '$(srcdir)'
> > > PROVE_FLAGS = --verbose
> > >
> > > I don't think there's any security concerns for us here.
> >
> > Maybe not, but we could just as well use -I$(top_srcdir)/src/test/perl
> > and not have to think about it.
> That doesn't fix the issue - RewindTest is in src/bin/pg_rewind for
> example. There's already an -I for /src/test/perl.

Doh, you're right. And we have a .pm in src/test/ssl too, which I
assume you didn't catch only because the ssl test is not run by default.

I suppose -I$(srcdir) should be fine. (Why the quotes?)

> > But we have other .pm's ... are there other things that would break once
> > the fix for that problem propagates? I think the msvc stuff will break,
> > for one.
> check-world appears to mostly run (still doing so, but it's mostly
> through everything relevant). I can't vouch for the windows stuff, and
> the invocations indeed look vulnerable. I'm not sure if hte fix actually
> matters on windows, given . is the default for pretty much everything
> there.

Well, maybe it doesn't matter now but as I understand the fix is going
to enter the next stable upstream perl, so it'll fail eventually. It'd
be saner to just fix the thing completely so that we can forget about

Álvaro Herrera
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message Tom Lane 2016-09-08 21:21:25 Re: Add support for restrictive RLS policies
Previous Message Михаил Бахтерев 2016-09-08 21:10:51 Re: GiST penalty functions [PoC]