Sir Mordred The Traitor <[EMAIL PROTECTED]> writes:
> There exists a buffer overflow in a SET TIME ZONE command, that
> allows an attacker to execute malicious code.
Here's a patch for the problem. I also fixed some other potential
buffer overruns nearby, and added a little paranoia to another routine
that uses a statically sized buffer.
Thanks for the report.
Cheers,
Neil
--
Neil Conway <[EMAIL PROTECTED]> || PGP Key ID: DB3C29FC
Index: src/backend/commands/variable.c
===================================================================
RCS file: /var/lib/cvs/pgsql-server/src/backend/commands/variable.c,v
retrieving revision 1.57
diff -c -r1.57 variable.c
*** src/backend/commands/variable.c 9 Dec 2001 04:37:50 -0000 1.57
--- src/backend/commands/variable.c 21 Aug 2002 16:07:54 -0000
***************
*** 274,299 ****
show_datestyle(void)
{
char buf[64];
- strcpy(buf, "DateStyle is ");
switch (DateStyle)
{
case USE_ISO_DATES:
! strcat(buf, "ISO");
break;
case USE_SQL_DATES:
! strcat(buf, "SQL");
break;
case USE_GERMAN_DATES:
! strcat(buf, "German");
break;
default:
! strcat(buf, "Postgres");
break;
! };
! strcat(buf, " with ");
! strcat(buf, ((EuroDates) ? "European" : "US (NonEuropean)"));
! strcat(buf, " conventions");
elog(NOTICE, buf, NULL);
--- 274,299 ----
show_datestyle(void)
{
char buf[64];
+ char *dstyle;
switch (DateStyle)
{
case USE_ISO_DATES:
! dstyle = "ISO";
break;
case USE_SQL_DATES:
! dstyle = "SQL";
break;
case USE_GERMAN_DATES:
! dstyle = "German";
break;
default:
! dstyle = "Postgres";
break;
! }
!
! snprintf(buf, sizeof(buf), "DateStyle is %s with %s conventions",
! dstyle, EuroDates ? "European" : "US (NonEuropean");
elog(NOTICE, buf, NULL);
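Review bot: The new snprintf argument drops the closing parenthesis that the replaced strcat argument had, so the NOTICE text changes: `"US (NonEuropean"` on the second snprintf line should read `"US (NonEuropean)"`. With the message now built by a single snprintf, the intermediate buffer and the non-literal format passed to elog can both go, by calling `elog(NOTICE, "DateStyle is %s with %s conventions", dstyle, EuroDates ? "European" : "US (NonEuropean)");` directly and deleting `buf`. show_datestyle's closing lines are outside the hunk.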
***************
*** 442,456 ****
{
/* found something? then save it for later */
if ((defaultTZ = getenv("TZ")) != NULL)
! strcpy(TZvalue, defaultTZ);
/* found nothing so mark with an invalid pointer */
else
defaultTZ = (char *) -1;
}
! strcpy(tzbuf, "TZ=");
! strcat(tzbuf, tok);
if (putenv(tzbuf) != 0)
elog(ERROR, "Unable to set TZ environment variable to %s", tok);
--- 442,455 ----
{
/* found something? then save it for later */
if ((defaultTZ = getenv("TZ")) != NULL)
! strncpy(TZvalue, defaultTZ, sizeof(TZvalue));
/* found nothing so mark with an invalid pointer */
else
defaultTZ = (char *) -1;
}
! snprintf(tzbuf, sizeof(tzbuf), "TZ=%s", tok);
if (putenv(tzbuf) != 0)
elog(ERROR, "Unable to set TZ environment variable to %s", tok);
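Review bot: The new `strncpy(TZvalue, defaultTZ, sizeof(TZvalue))` leaves TZvalue without a NUL terminator whenever the inherited TZ value is at least sizeof(TZvalue) bytes long, and the third hunk's `snprintf(tzbuf, sizeof(tzbuf), "TZ=%s", TZvalue)` and its elog message then read past the end of TZvalue. A bounded copy that always terminates is `snprintf(TZvalue, sizeof(TZvalue), "%s", defaultTZ);`, or keep strncpy and follow it with `TZvalue[sizeof(TZvalue) - 1] = '\0';`. The snprintf into tzbuf here and in the third hunk also truncates silently, so a zone name longer than the buffer is exported in clipped form; comparing the return value against sizeof(tzbuf) and raising elog(ERROR) on truncation would reject such input instead. putenv keeps a reference to the string it is given rather than copying it, so tzbuf presumably has static storage — its declaration and the enclosing function's start and end are outside the hunk.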
***************
*** 513,520 ****
/* time zone was set and original explicit time zone available? */
else if (defaultTZ != (char *) -1)
{
! strcpy(tzbuf, "TZ=");
! strcat(tzbuf, TZvalue);
if (putenv(tzbuf) != 0)
elog(ERROR, "Unable to set TZ environment variable to %s", TZvalue);
tzset();
--- 512,518 ----
/* time zone was set and original explicit time zone available? */
else if (defaultTZ != (char *) -1)
{
! snprintf(tzbuf, sizeof(tzbuf), "TZ=%s", TZvalue);
if (putenv(tzbuf) != 0)
elog(ERROR, "Unable to set TZ environment variable to %s", TZvalue);
tzset();