Re: Probably security hole in postgresql-7.4.1

From: Shachar Shemesh <psql(at)shemesh(dot)biz>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Bruno Wolff III <bruno(at)wolff(dot)to>, Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Probably security hole in postgresql-7.4.1
Date: 2004-05-12 21:54:19
Message-ID: 40A29D0B.1070900@shemesh.biz
Lists: pgsql-hackers

Tom Lane wrote:

>Shachar Shemesh <psql(at)shemesh(dot)biz> writes:
>
>>Also, has anybody checked what other versions are affected?
>
>Nothing before 7.4, at least by the known implications of this issue.
>Again, if we wait a while and let Ken keep running his analysis tool,
>he might turn up other stuff we need to fix. Maybe even stuff that
>needs a fix much worse than this does.
>
and also

>I frankly think that this discussion is emblematic of all the worst
>tendencies of the security community. Have you forgotten the fable
>about the boy who cried "wolf"?
>
I totally agree. That's why I suggested preventing the automatic public
disclosure for Ken's next bugs, as well as anyone else's. This way, if
we do need a few extra days, we can have them while still limiting the
window of exposure.

>I repeat: in my estimation this is not a bug that needs a fix yesterday.
>AFAICS it would be very difficult to cause more than a nuisance DOS with
>it, and there are plenty of other ways for authenticated database users
>to cause those.
>
I'm sorry. Maybe it's spending too many years in the security industry
(I've been Check Point's "oh my god we have a security problem" process
manager for over two years). Maybe it's knowing how to actually exploit
these problems. Maybe it's just seeing many of the good guys (OpenBSD's
Theo included) fall flat on their faces after saying "This is a DoS
only". In my book, a buffer overrun = arbitrary code execution.

For a now-famous example of a bug declared "non-exploitable", followed
by an exploit, see http://www.theinquirer.net/?article=4053. I was on
the mailing lists at the time. The problem was declared "unexploitable
on i386" by some of the best-known names in the security industry of
the time.

> regards, tom lane
>
Please. I'm not saying "Release now". I'm saying "get a mechanism for
smarter handling of future events".

Shachar

--
Shachar Shemesh
Lingnu Open Source Consulting
http://www.lingnu.com/
