Sir Mordred The Traitor <[EMAIL PROTECTED]> writes: > There exists a buffer overflow in a SET TIME ZONE command, that > allows an attacker to execute malicious code.
Here's a patch for the problem. I also fixed some other potential buffer overruns nearby, and added a little paranoia to another routine that uses a statically sized buffer. Thanks for the report. Cheers, Neil -- Neil Conway <[EMAIL PROTECTED]> || PGP Key ID: DB3C29FC
Index: src/backend/commands/variable.c =================================================================== RCS file: /var/lib/cvs/pgsql-server/src/backend/commands/variable.c,v retrieving revision 1.57 diff -c -r1.57 variable.c *** src/backend/commands/variable.c 9 Dec 2001 04:37:50 -0000 1.57 --- src/backend/commands/variable.c 21 Aug 2002 16:07:54 -0000 *************** *** 274,299 **** show_datestyle(void) { char buf[64]; - strcpy(buf, "DateStyle is "); switch (DateStyle) { case USE_ISO_DATES: ! strcat(buf, "ISO"); break; case USE_SQL_DATES: ! strcat(buf, "SQL"); break; case USE_GERMAN_DATES: ! strcat(buf, "German"); break; default: ! strcat(buf, "Postgres"); break; ! }; ! strcat(buf, " with "); ! strcat(buf, ((EuroDates) ? "European" : "US (NonEuropean)")); ! strcat(buf, " conventions"); elog(NOTICE, buf, NULL); --- 274,299 ---- show_datestyle(void) { char buf[64]; + char *dstyle; switch (DateStyle) { case USE_ISO_DATES: ! dstyle = "ISO"; break; case USE_SQL_DATES: ! dstyle = "SQL"; break; case USE_GERMAN_DATES: ! dstyle = "German"; break; default: ! dstyle = "Postgres"; break; ! } ! ! snprintf(buf, sizeof(buf), "DateStyle is %s with %s conventions", ! dstyle, EuroDates ? "European" : "US (NonEuropean"); elog(NOTICE, buf, NULL); *************** *** 442,456 **** { /* found something? then save it for later */ if ((defaultTZ = getenv("TZ")) != NULL) ! strcpy(TZvalue, defaultTZ); /* found nothing so mark with an invalid pointer */ else defaultTZ = (char *) -1; } ! strcpy(tzbuf, "TZ="); ! strcat(tzbuf, tok); if (putenv(tzbuf) != 0) elog(ERROR, "Unable to set TZ environment variable to %s", tok); --- 442,455 ---- { /* found something? then save it for later */ if ((defaultTZ = getenv("TZ")) != NULL) ! strncpy(TZvalue, defaultTZ, sizeof(TZvalue)); /* found nothing so mark with an invalid pointer */ else defaultTZ = (char *) -1; } ! 
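Review bot: The new format string in show_datestyle drops the closing parenthesis of the US label: the added line ends with `"US (NonEuropean"` where the removed strcat code had `"US (NonEuropean)"`, so the NOTICE text regresses even though the overflow fix itself is sound. Restore it as `dstyle, EuroDates ? "European" : "US (NonEuropean)");`. Since elog is already called with printf-style arguments elsewhere in this file (`elog(ERROR, "Unable to set TZ environment variable to %s", tok)`), the intermediate buffer could be dropped entirely in favour of `elog(NOTICE, "DateStyle is %s with %s conventions", dstyle, EuroDates ? "European" : "US (NonEuropean)");`, which also avoids passing a built-up buffer as the format argument in `elog(NOTICE, buf, NULL)`. The buffer content is fixed literals here, so that last point is style rather than an exploitable format-string issue.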
snprintf(tzbuf, sizeof(tzbuf), "TZ=%s", tok); if (putenv(tzbuf) != 0) elog(ERROR, "Unable to set TZ environment variable to %s", tok); *************** *** 513,520 **** /* time zone was set and original explicit time zone available? */ else if (defaultTZ != (char *) -1) { ! strcpy(tzbuf, "TZ="); ! strcat(tzbuf, TZvalue); if (putenv(tzbuf) != 0) elog(ERROR, "Unable to set TZ environment variable to %s", TZvalue); tzset(); --- 512,518 ---- /* time zone was set and original explicit time zone available? */ else if (defaultTZ != (char *) -1) { ! snprintf(tzbuf, sizeof(tzbuf), "TZ=%s", TZvalue); if (putenv(tzbuf) != 0) elog(ERROR, "Unable to set TZ environment variable to %s", TZvalue); tzset();
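Review bot: `strncpy(TZvalue, defaultTZ, sizeof(TZvalue))` leaves TZvalue without a terminating NUL whenever the inherited TZ string is sizeof(TZvalue) bytes or longer, and the later `snprintf(tzbuf, sizeof(tzbuf), "TZ=%s", TZvalue)` then reads past the end of the array, so the overflow has been traded for an over-read rather than removed. Use `snprintf(TZvalue, sizeof(TZvalue), "%s", defaultTZ);` instead, or keep strncpy and add `TZvalue[sizeof(TZvalue) - 1] = '\0';` (this assumes TZvalue is a char array, as the sizeof usage implies; its declaration is outside the hunk). The new `snprintf(tzbuf, sizeof(tzbuf), "TZ=%s", tok)` also truncates silently, so an over-long zone name supplied via SET TIME ZONE is applied as a different, shorter TZ value instead of being rejected; comparing the return value against sizeof(tzbuf) and raising `elog(ERROR, ...)` on truncation would be the stricter choice for user-controlled input. The enclosing function starts before this hunk.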
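Review bot: The restore path now builds the `TZ=` string with snprintf but, like the set path, ignores truncation, so a saved TZvalue longer than tzbuf allows is reinstated as a different value with no error; check the snprintf result against sizeof(tzbuf) before calling putenv. Separately, putenv() keeps the pointer it is handed rather than copying the string, so tzbuf must outlive this call; its declaration is outside the hunk, and the fact that both hunks write into the same tzbuf suggests it is file-scope, but if it were an automatic the environment would reference dead stack after return — worth confirming. The enclosing function starts before this hunk.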