From: | teg(at)redhat(dot)com (Trond Eivind Glomsrød) |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Tatsuo Ishii <t-ishii(at)sra(dot)co(dot)jp>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: a vulnerability in PostgreSQL |
Date: | 2002-05-03 19:50:37 |
Message-ID: | xuyhelp80z6.fsf@halden.devel.redhat.com |
Lists: | pgsql-hackers |
Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> writes:
> Tatsuo Ishii <t-ishii(at)sra(dot)co(dot)jp> writes:
> > Here are the precise conditions to trigger the scenario:
>
> > (1) the backend is PostgreSQL 6.5.x
> > (2) multibyte support is enabled (--enable-multibyte)
> > (3) the database encoding is SQL_ASCII (other encodings are not
> > affected by the bug).
> > (4) the client encoding is set to other than SQL_ASCII
>
> > I think I am responsible for this since I originally wrote the
> > code. Sorry for this. I'm going to make back port patches to fix the
> > problem for pre 7.2 versions.
>
> It doesn't really seem worth the trouble to make patches for 6.5.x.
> If someone hasn't upgraded yet, they aren't likely to install patches
> either. (ISTR there are other known security risks in 6.5, anyway.)
> If the problem is fixed in 7.0 and later, why not just tell people to
> upgrade?
PostgreSQL doesn't support upgrades[1], so if we're going to release
upgrades[2], we'd need the backported fixes for 6.5, 7.0 and 7.1.
[1] Not the first time I mention this, is it?
[2] We got lucky - 6.5.x is not compiled with multibyte support.
--
Trond Eivind Glomsrød
Red Hat, Inc.