Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package plv8. The new version fixes a security problem.


diff -Nru plv8-1.4.8.ds/debian/changelog plv8-1.4.9.ds/debian/changelog
--- plv8-1.4.8.ds/debian/changelog      2017-01-14 21:15:06.000000000 +0100
+++ plv8-1.4.9.ds/debian/changelog      2017-03-22 19:01:08.000000000 +0100
@@ -1,3 +1,9 @@
+plv8 (1:1.4.9.ds-1) unstable; urgency=medium
+
+  * Security bugfix release: Check for permission to call functions.
+
+ -- Christoph Berg <m...@debian.org>  Wed, 22 Mar 2017 19:01:08 +0100
+
 plv8 (1:1.4.8.ds-3) unstable; urgency=medium
 
   * Remove Evgeni from Uploaders. Thanks!
diff -Nru plv8-1.4.8.ds/expected/startup.out plv8-1.4.9.ds/expected/startup.out
--- plv8-1.4.8.ds/expected/startup.out  2013-06-20 16:49:58.000000000 +0200
+++ plv8-1.4.9.ds/expected/startup.out  2017-03-22 19:01:01.000000000 +0100
@@ -1,7 +1,7 @@
 -- test startup failure
 set plv8.start_proc = foo;
 do $$ plv8.elog(NOTICE, 'foo = ' + foo) $$ language plv8;
-WARNING:  failed to find js function function "foo" does not exist
+WARNING:  failed to find js function function "foo()" does not exist
 ERROR:  ReferenceError: foo is not defined
 DETAIL:  undefined() LINE 1:  plv8.elog(NOTICE, 'foo = ' + foo) 
 \c
diff -Nru plv8-1.4.8.ds/Makefile plv8-1.4.9.ds/Makefile
--- plv8-1.4.8.ds/Makefile      2016-04-21 11:00:49.000000000 +0200
+++ plv8-1.4.9.ds/Makefile      2017-03-22 19:01:01.000000000 +0100
@@ -12,7 +12,7 @@
 #   'make static' will download v8 and build, then statically link to it.
 #
 #-----------------------------------------------------------------------------#
-PLV8_VERSION = 1.4.8
+PLV8_VERSION = 1.4.9
 
 PG_CONFIG = pg_config
 PGXS := $(shell $(PG_CONFIG) --pgxs)
diff -Nru plv8-1.4.8.ds/META.json plv8-1.4.9.ds/META.json
--- plv8-1.4.8.ds/META.json     2016-04-21 11:00:49.000000000 +0200
+++ plv8-1.4.9.ds/META.json     2017-03-22 19:01:01.000000000 +0100
@@ -2,7 +2,7 @@
     "name": "plv8",
     "abstract": "A procedural language in JavaScript powered by V8",
     "description": "plv8 is a trusted procedural language that is safe to use, 
fast to run and easy to develop.",
-    "version": "1.4.8",
+    "version": "1.4.9",
     "maintainer": [
         "Jerry Sievert <c...@legitimatesounding.com>",
         "Hitoshi Harada <umi.tan...@gmail.com>"
@@ -24,21 +24,21 @@
     },
     "provides": {
         "plv8": {
-            "file": "plv8--1.4.8.sql",
+            "file": "plv8--1.4.9.sql",
             "docfile": "doc/plv8.md",
-            "version": "1.4.8",
+            "version": "1.4.9",
             "abstract": "A procedural language in JavaScript"
          },
         "plcoffee": {
-            "file": "plcoffee--1.4.8.sql",
+            "file": "plcoffee--1.4.9.sql",
             "docfile": "doc/plv8.md",
-            "version": "1.4.8",
+            "version": "1.4.9",
             "abstract": "A procedural language in CoffeeScript"
          },
         "plls": {
-            "file": "plls--1.4.8.sql",
+            "file": "plls--1.4.9.sql",
             "docfile": "doc/plv8.md",
-            "version": "1.4.8",
+            "version": "1.4.9",
             "abstract": "A procedural language in LiveScript"
          }
     },
diff -Nru plv8-1.4.8.ds/plv8.cc plv8-1.4.9.ds/plv8.cc
--- plv8-1.4.8.ds/plv8.cc       2016-04-21 10:59:10.000000000 +0200
+++ plv8-1.4.9.ds/plv8.cc       2017-03-22 19:01:01.000000000 +0100
@@ -191,7 +191,7 @@
 _PG_init(void)
 {
        HASHCTL    hash_ctl = { 0 };
-       
+
        hash_ctl.keysize = sizeof(Oid);
        hash_ctl.entrysize = sizeof(plv8_proc_cache);
        hash_ctl.hash = oid_hash;
@@ -1263,6 +1263,18 @@
        return ThrowException(Exception::Error(String::New(message)));
 }
 
+static text *
+charToText(char *string)
+{
+       int len = strlen(string);
+       text *result = (text *) palloc(len + 1 + VARHDRSZ);
+
+       SET_VARSIZE(result, len + VARHDRSZ);
+       memcpy(VARDATA(result), string, len + 1);
+
+       return result;
+}
+
 static Persistent<Context>
 GetGlobalContext()
 {
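Review bot: `charToText` hand-rolls what PostgreSQL already provides as `cstring_to_text()`, and it carries no comment saying that the result is palloc'd in the current memory context and is not freed by the caller in this diff. It stores `strlen()` in an `int` and copies the trailing NUL into a varlena whose recorded size excludes it, which is harmless but easy to misread. I would drop the helper and call `cstring_to_text(proc)` at the use site if all supported server versions have it. Otherwise take `const char *` and add a comment such as `/* palloc'd text copy of a C string; owned by the current memory context */`.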
@@ -1307,10 +1319,40 @@
                        Context::Scope          context_scope(global_context);
                        TryCatch                        try_catch;
                        MemoryContext           ctx = CurrentMemoryContext;
+                       text *arg1, *arg2;
+                       FunctionCallInfoData fake_fcinfo;
+                       FmgrInfo        flinfo;
+
+                       char proc[NAMEDATALEN + 32];
+                       strcpy(proc, plv8_start_proc);
+                       strcat(proc, "()");
+                       char perm[16];
+                       strcpy(perm, "EXECUTE");
+                       arg1 = charToText(proc);
+                       arg2 = charToText(perm);
+
+                       MemSet(&fake_fcinfo, 0, sizeof(fake_fcinfo));
+                       MemSet(&flinfo, 0, sizeof(flinfo));
+                       fake_fcinfo.flinfo = &flinfo;
+                       flinfo.fn_oid = InvalidOid;
+                       flinfo.fn_mcxt = CurrentMemoryContext;
+                       fake_fcinfo.nargs = 2;
+                       fake_fcinfo.arg[0] = CStringGetDatum(arg1);
+                       fake_fcinfo.arg[1] = CStringGetDatum(arg2);
 
                        PG_TRY();
                        {
-                               func = 
find_js_function_by_name(plv8_start_proc);
+                               Datum ret = 
has_function_privilege_name(&fake_fcinfo);
+
+                               if (ret == 0) {
+                                       elog(WARNING, "failed to find js 
function %s", plv8_start_proc);
+                               } else {
+                                       if (DatumGetBool(ret)) {
+                                               func = 
find_js_function_by_name(plv8_start_proc);
+                                       } else {
+                                               elog(WARNING, "no permission to 
execute js function %s", plv8_start_proc);
+                                       }
+                               }
                        }
                        PG_CATCH();
                        {
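Review bot: `strcpy(proc, plv8_start_proc)` followed by `strcat(proc, "()")` copies the `plv8.start_proc` setting into a fixed `NAMEDATALEN + 32` stack buffer with no length check, so a longer value overruns the stack; nothing in this hunk bounds the setting, and the regression test in this same diff assigns it with a plain `set`. Check the length before the copy and reject an over-long value rather than truncate it, because truncation would make the privilege check and the later `find_js_function_by_name(plv8_start_proc)` refer to different names, e.g. `if (strlen(plv8_start_proc) + sizeof("()") > sizeof(proc)) elog(ERROR, "plv8.start_proc is too long");`. Separately, `has_function_privilege_name` returns a boolean Datum, so `ret == 0` already matches the denied case and the `no permission to execute` branch looks unreachable; a denied caller would see the "failed to find" warning instead. `arg1`/`arg2` are `text *` and would read more clearly wrapped in `PointerGetDatum` than `CStringGetDatum`. The enclosing function starts and ends outside the hunk.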

unblock plv8/1:1.4.9.ds-1

Thanks,
Christoph
