Does the patch below look like the correct fix to CVE-2006-0553 if
running 8.1.1? I just scanned cvs log from the 8.1 branch, looking for
CVE-2006-0553 and picked out the diffs.
--
albert chin ([EMAIL PROTECTED])
-- snip snip
Index: src/backend/commands/variable.c
===================================================================
--- src/backend/commands/variable.c.orig 2005-11-22 12:23:08.000000000
-0600
+++ src/backend/commands/variable.c 2006-02-19 15:24:40.540106000 -0600
@@ -586,7 +586,9 @@
* by the numeric oid, followed by a comma, followed by the role name.
* This cannot be confused with a plain role name because of the NAMEDATALEN
* limit on names, so we can tell whether we're being passed an initial
- * role name or a saved/restored value.
+ * role name or a saved/restored value. (NOTE: we rely on guc.c to have
+ * properly truncated any incoming value, but not to truncate already-stored
+ * values. See GUC_IS_NAME processing.)
*/
extern char *session_authorization_string; /* in guc.c */
Index: src/include/utils/guc_tables.h
===================================================================
--- src/include/utils/guc_tables.h.orig 2005-07-14 00:13:44.000000000 -0500
+++ src/include/utils/guc_tables.h 2006-02-19 15:29:15.187973000 -0600
@@ -126,6 +126,7 @@
#define GUC_DISALLOW_IN_FILE 0x0040 /* can't set in postgresql.conf */
#define GUC_CUSTOM_PLACEHOLDER 0x0080 /* placeholder for custom variable */
#define GUC_SUPERUSER_ONLY 0x0100 /* show only to superusers */
+#define GUC_IS_NAME 0x0200 /* limit string to
NAMEDATALEN-1 */
/* bit values in status field */
#define GUC_HAVE_TENTATIVE 0x0001 /* tentative value is defined */
Index: src/backend/utils/misc/guc.c
===================================================================
--- src/backend/utils/misc/guc.c.orig 2005-11-22 12:23:24.000000000 -0600
+++ src/backend/utils/misc/guc.c 2006-02-19 15:30:21.625766000 -0600
@@ -48,6 +48,7 @@
#include "optimizer/prep.h"
#include "parser/parse_expr.h"
#include "parser/parse_relation.h"
+#include "parser/scansup.h"
#include "postmaster/autovacuum.h"
#include "postmaster/bgwriter.h"
#include "postmaster/syslogger.h"
@@ -1662,7 +1663,7 @@
{"client_encoding", PGC_USERSET, CLIENT_CONN_LOCALE,
gettext_noop("Sets the client's character set
encoding."),
NULL,
- GUC_REPORT
+ GUC_IS_NAME | GUC_REPORT
},
&client_encoding_string,
"SQL_ASCII", assign_client_encoding, NULL
@@ -1742,7 +1743,8 @@
{
{"default_tablespace", PGC_USERSET, CLIENT_CONN_STATEMENT,
gettext_noop("Sets the default tablespace to create
tables and indexes in."),
- gettext_noop("An empty string selects the database's
default tablespace.")
+ gettext_noop("An empty string selects the database's
default tablespace."),
+ GUC_IS_NAME
},
&default_tablespace,
"", assign_default_tablespace, NULL
@@ -1900,7 +1902,7 @@
{"server_encoding", PGC_INTERNAL, CLIENT_CONN_LOCALE,
gettext_noop("Sets the server (database) character set
encoding."),
NULL,
- GUC_REPORT | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
+ GUC_IS_NAME | GUC_REPORT | GUC_NOT_IN_SAMPLE |
GUC_DISALLOW_IN_FILE
},
&server_encoding_string,
"SQL_ASCII", NULL, NULL
@@ -1922,7 +1924,7 @@
{"role", PGC_USERSET, UNGROUPED,
gettext_noop("Sets the current role."),
NULL,
- GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE
| GUC_DISALLOW_IN_FILE
+ GUC_IS_NAME | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL |
GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
},
&role_string,
"none", assign_role, show_role
@@ -1933,7 +1935,7 @@
{"session_authorization", PGC_USERSET, UNGROUPED,
gettext_noop("Sets the session user name."),
NULL,
- GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL |
GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
+ GUC_IS_NAME | GUC_REPORT | GUC_NO_SHOW_ALL |
GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE
},
&session_authorization_string,
NULL, assign_session_authorization, show_session_authorization
@@ -3934,6 +3936,12 @@
newval = guc_strdup(elevel, value);
if (newval == NULL)
return false;
+ /*
+ * The only sort of "parsing" check we
need to do is
+ * apply truncation if GUC_IS_NAME.
+ */
+ if (conf->gen.flags & GUC_IS_NAME)
+ truncate_identifier(newval,
strlen(newval), true);
}
else if (conf->reset_val)
{
Index: src/backend/utils/mb/encnames.c
===================================================================
--- src/backend/utils/mb/encnames.c.orig 2005-10-14 21:49:33.000000000
-0500
+++ src/backend/utils/mb/encnames.c 2006-02-19 15:35:15.559558000 -0600
@@ -449,7 +449,7 @@
if (name == NULL || *name == '\0')
return NULL;
- if (strlen(name) > NAMEDATALEN)
+ if (strlen(name) >= NAMEDATALEN)
{
#ifdef FRONTEND
fprintf(stderr, "encoding name too long\n");
---------------------------(end of broadcast)---------------------------
TIP 1: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to [EMAIL PROTECTED] so that your
message can get through to the mailing list cleanly
