Re: Probably security hole in postgresql-7.4.1
From | Tom Lane |
---|---|
Subject | Re: Probably security hole in postgresql-7.4.1 |
Date | |
Msg-id | 28900.1084397395@sss.pgh.pa.us |
In reply to | Re: Probably security hole in postgresql-7.4.1 (Shachar Shemesh <psql@shemesh.biz>) |
Replies | Re: Probably security hole in postgresql-7.4.1 |
List | pgsql-hackers |
Shachar Shemesh <psql@shemesh.biz> writes:
> Ok. How about an official patch against 7.4.2 that fixes it, so that
> packagers can make their own informed decision.

The "official patch" is available to anyone who wants it from our CVS server.
http://developer.postgresql.org/cvsweb.cgi/pgsql-server/src/backend/lib/stringinfo.c.diff?r1=1.36&r2=1.36.4.1

BTW, all the principal packagers read this list and have doubtless made
their informed decisions already ...

> Also, has anybody checked what other versions are affected?

Nothing before 7.4, at least by the known implications of this issue.
Again, if we wait a while and let Ken keep running his analysis tool, he
might turn up other stuff we need to fix. Maybe even stuff that needs a
fix much worse than this does.

>>> Industry practices dictate that we do issue SOMETHING now. The bug is
>>> now public, and can be exploited.

I frankly think that this discussion is emblematic of all the worst
tendencies of the security community. Have you forgotten the fable about
the boy who cried "wolf"? If you demand a Chinese fire drill for every
issue that could conceivably be exploited, you'll soon find yourself
unable to get people's attention for problems that are really serious.

I repeat: in my estimation this is not a bug that needs a fix yesterday.
AFAICS it would be very difficult to cause more than a nuisance DOS with
it, and there are plenty of other ways for authenticated database users
to cause those.

			regards, tom lane