Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package plv8. The new version fixes a security problem.
diff -Nru plv8-1.4.8.ds/debian/changelog plv8-1.4.9.ds/debian/changelog
--- plv8-1.4.8.ds/debian/changelog 2017-01-14 21:15:06.000000000 +0100
+++ plv8-1.4.9.ds/debian/changelog 2017-03-22 19:01:08.000000000 +0100
@@ -1,3 +1,9 @@
+plv8 (1:1.4.9.ds-1) unstable; urgency=medium
+
+ * Security bugfix release: Check for permission to call functions.
+
+ -- Christoph Berg <m...@debian.org> Wed, 22 Mar 2017 19:01:08 +0100
+
 plv8 (1:1.4.8.ds-3) unstable; urgency=medium
 * Remove Evgeni from Uploaders. Thanks!
diff -Nru plv8-1.4.8.ds/expected/startup.out plv8-1.4.9.ds/expected/startup.out
--- plv8-1.4.8.ds/expected/startup.out 2013-06-20 16:49:58.000000000 +0200
+++ plv8-1.4.9.ds/expected/startup.out 2017-03-22 19:01:01.000000000 +0100
@@ -1,7 +1,7 @@
 -- test startup failure
 set plv8.start_proc = foo;
 do $$ plv8.elog(NOTICE, 'foo = ' + foo) $$ language plv8;
-WARNING: failed to find js function function "foo" does not exist
+WARNING: failed to find js function function "foo()" does not exist
 ERROR: ReferenceError: foo is not defined
 DETAIL: undefined() LINE 1: plv8.elog(NOTICE, 'foo = ' + foo)
 \c
diff -Nru plv8-1.4.8.ds/Makefile plv8-1.4.9.ds/Makefile
--- plv8-1.4.8.ds/Makefile 2016-04-21 11:00:49.000000000 +0200
+++ plv8-1.4.9.ds/Makefile 2017-03-22 19:01:01.000000000 +0100
@@ -12,7 +12,7 @@
 # 'make static' will download v8 and build, then statically link to it.
 #
 #-----------------------------------------------------------------------------#
-PLV8_VERSION = 1.4.8
+PLV8_VERSION = 1.4.9
 PG_CONFIG = pg_config
 PGXS := $(shell $(PG_CONFIG) --pgxs)
diff -Nru plv8-1.4.8.ds/META.json plv8-1.4.9.ds/META.json
--- plv8-1.4.8.ds/META.json 2016-04-21 11:00:49.000000000 +0200
+++ plv8-1.4.9.ds/META.json 2017-03-22 19:01:01.000000000 +0100
@@ -2,7 +2,7 @@
 "name": "plv8",
 "abstract": "A procedural language in JavaScript powered by V8",
 "description": "plv8 is a trusted procedural language that is safe to use, fast to run and easy to develop.",
- "version": "1.4.8",
+ "version": "1.4.9",
 "maintainer": [
 "Jerry Sievert <c...@legitimatesounding.com>",
 "Hitoshi Harada <umi.tan...@gmail.com>"
@@ -24,21 +24,21 @@
 },
 "provides": {
 "plv8": {
- "file": "plv8--1.4.8.sql",
+ "file": "plv8--1.4.9.sql",
 "docfile": "doc/plv8.md",
- "version": "1.4.8",
+ "version": "1.4.9",
 "abstract": "A procedural language in JavaScript"
 },
 "plcoffee": {
- "file": "plcoffee--1.4.8.sql",
+ "file": "plcoffee--1.4.9.sql",
 "docfile": "doc/plv8.md",
- "version": "1.4.8",
+ "version": "1.4.9",
 "abstract": "A procedural language in CoffeeScript"
 },
 "plls": {
- "file": "plls--1.4.8.sql",
+ "file": "plls--1.4.9.sql",
 "docfile": "doc/plv8.md",
- "version": "1.4.8",
+ "version": "1.4.9",
 "abstract": "A procedural language in LiveScript"
 }
 },
diff -Nru plv8-1.4.8.ds/plv8.cc plv8-1.4.9.ds/plv8.cc
--- plv8-1.4.8.ds/plv8.cc 2016-04-21 10:59:10.000000000 +0200
+++ plv8-1.4.9.ds/plv8.cc 2017-03-22 19:01:01.000000000 +0100
@@ -191,7 +191,7 @@
 _PG_init(void)
 {
 HASHCTL hash_ctl = { 0 };
-
+
 hash_ctl.keysize = sizeof(Oid);
 hash_ctl.entrysize = sizeof(plv8_proc_cache);
 hash_ctl.hash = oid_hash;
@@ -1263,6 +1263,18 @@
 return ThrowException(Exception::Error(String::New(message)));
 }
+static text *
+charToText(char *string)
+{
+ int len = strlen(string);
+ text *result = (text *) palloc(len + 1 + VARHDRSZ);
+
+ SET_VARSIZE(result, len + VARHDRSZ);
+ memcpy(VARDATA(result), string, len + 1);
+
+ return result;
+}
+
 static Persistent<Context>
 GetGlobalContext()
 {
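Review bot: The new `charToText` in plv8.cc re-implements PostgreSQL's stock `cstring_to_text()` helper and narrows the `strlen()` result into an `int len`; where the supported server versions provide the stock helper, calling it at the use sites (`arg1 = cstring_to_text(proc);`) would keep hand-rolled varlena arithmetic out of a security fix. If the local helper stays, take `const char *string`, hold the length in a `size_t`, and drop the `+ 1` from both `palloc` and `memcpy`, because the copied NUL sits outside the size recorded by `SET_VARSIZE`. It also deserves a one-line comment such as `/* Copy a NUL-terminated C string into a freshly palloc'd text value. */`.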
@@ -1307,10 +1319,40 @@
 Context::Scope context_scope(global_context);
 TryCatch try_catch;
 MemoryContext ctx = CurrentMemoryContext;
+ text *arg1, *arg2;
+ FunctionCallInfoData fake_fcinfo;
+ FmgrInfo flinfo;
+
+ char proc[NAMEDATALEN + 32];
+ strcpy(proc, plv8_start_proc);
+ strcat(proc, "()");
+ char perm[16];
+ strcpy(perm, "EXECUTE");
+ arg1 = charToText(proc);
+ arg2 = charToText(perm);
+
+ MemSet(&fake_fcinfo, 0, sizeof(fake_fcinfo));
+ MemSet(&flinfo, 0, sizeof(flinfo));
+ fake_fcinfo.flinfo = &flinfo;
+ flinfo.fn_oid = InvalidOid;
+ flinfo.fn_mcxt = CurrentMemoryContext;
+ fake_fcinfo.nargs = 2;
+ fake_fcinfo.arg[0] = CStringGetDatum(arg1);
+ fake_fcinfo.arg[1] = CStringGetDatum(arg2);
 PG_TRY();
 {
- func = find_js_function_by_name(plv8_start_proc);
+ Datum ret = has_function_privilege_name(&fake_fcinfo);
+
+ if (ret == 0) {
+ elog(WARNING, "failed to find js function %s", plv8_start_proc);
+ } else {
+ if (DatumGetBool(ret)) {
+ func = find_js_function_by_name(plv8_start_proc);
+ } else {
+ elog(WARNING, "no permission to execute js function %s", plv8_start_proc);
+ }
+ }
 }
 PG_CATCH();
 {
unblock plv8/1:1.4.9.ds-1 Thanks, Christoph
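Review bot: `strcpy(proc, plv8_start_proc);` followed by `strcat(proc, "()");` copies the `plv8.start_proc` setting into the fixed `char proc[NAMEDATALEN + 32]` with no length check, and nothing in this hunk bounds that string (the regression test sets it with a plain `set plv8.start_proc = foo;`), so an over-long value would overrun the stack buffer before the privilege check runs. Build the signature with a bounded call and skip the lookup on truncation, for example by testing `snprintf(proc, sizeof(proc), "%s()", plv8_start_proc) >= (int) sizeof(proc)` and logging a WARNING. Separately, `if (ret == 0)` is also how a false boolean Datum reads, so a caller lacking EXECUTE gets the "failed to find js function" message and the "no permission" branch looks unreachable; a single `if (DatumGetBool(ret))` with the denial warning in its `else` would report this correctly, while a missing function appears to surface through `PG_CATCH` as the updated startup.out suggests. The privilege is checked on the zero-argument signature while `find_js_function_by_name(plv8_start_proc)` resolves the bare name, so it is worth confirming both resolve to the same function; that helper and the rest of the enclosing function lie outside this hunk.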