Re: [SECURITY] DoS attack on backend possible (was: Re:
From | Greg Copeland |
---|---|
Subject | Re: [SECURITY] DoS attack on backend possible (was: Re: |
Date | |
Msg-id | 1029158657.25246.21.camel@mouse.copelandconsulting.net |
In reply to | Re: [SECURITY] DoS attack on backend possible (was: Re: (Tom Lane <tgl@sss.pgh.pa.us>) |
Replies | Re: [SECURITY] DoS attack on backend possible (was: Re: |
List | pgsql-hackers |

Well, if it's a buffer overrun, there is certainly potential for risks well beyond that of simply crashing the "be". It's certainly possible that a simple bug in one cgi script or web site could allow someone to execute code on the database host because of this bug. Assuming they are running the "be" as "postgres" or some other seemingly harmless user, it's still possible that complete destruction of any and all databases which are hosted and accessible by this user can be utterly destroyed or miscellaneously corrupted.

Buffer overruns should be treated with the utmost urgency and respect. IMO, any known buffer overrun is worthy of an emergency fix and corresponding advisory.

Greg Copeland

On Sun, 2002-08-11 at 12:09, Tom Lane wrote:
> Justin Clift <justin@postgresql.org> writes:
> > Am I understanding this right:
> > - A PostgreSQL 7.2.1 server can be crashed if it gets passed certain
> > date values which would be accepted by standard "front end" parsing?
>
> AFAIK it's a buffer overrun issue, so anything that looks like a
> reasonable date would *not* cause the problem.
>
> regards, tom lane
>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: Have you checked our extensive FAQ?
>
> http://www.postgresql.org/users-lounge/docs/faq.html