Committer: Bazaar Package Importer
Author(s): Martin Pitt
Date: 2007-02-05 09:31:44 UTC
Revision ID: james.westby@ubuntu.com-20070205093144-9a62np9hbd4h80ls
Tags: 8.1.4-0ubuntu1.2
* SECURITY UPDATE: Read out arbitrary memory locations from the server,
local DoS.
* Add debian/patches/00upstream-sql-fun-typecheck.patch:
- Repair insufficiently careful type checking for SQL-language functions.
Not only can one trivially crash the backend, but with appropriate
misuse of pass-by-reference datatypes it is possible to read out
arbitrary locations in the server process's memory, which could allow
retrieving database content the user should not be able to see.
- Discovered by Jeff Trout.
- Patch backported from 8.1.7 from CVS:
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/functions.c.diff?r1=1.98.2.2;r2=1.98.2.3
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/optimizer/util/clauses.c.diff?r1=1.201.2.1;r2=1.201.2.2
- CVE-2007-0555
* Add debian/patches/00upstream-table-plan-consistency.patch:
- Check that a table is still compatible with a previously made query
plan. Use of ALTER COLUMN TYPE creates a hazard for cached query plans:
they could contain vars that claim a column has a different type than it
now has. Not only can one trivially crash the backend, but with
appropriate misuse of pass-by-reference datatypes it is possible to read
out arbitrary locations in the server process's memory, which could allow
retrieving database content the user should not be able to see.
- Discovered by Jeff Trout.
- Patch backported from 8.1.7 from CVS:
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/commands/tablecmds.c.diff?r1=1.174.2.3;r2=1.174.2.4
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/execQual.c.diff?r1=1.183.2.4;r2=1.183.2.5
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/execScan.c.diff?r1=1.37.2.1;r2=1.37.2.2
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/execUtils.c.diff?r1=1.126.2.3;r2=1.126.2.4
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeAgg.c.diff?r1=1.135.2.1;r2=1.135.2.2
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeGroup.c.diff?r1=1.62;r2=1.62.2.1
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeHashjoin.c.diff?r1=1.75.2.3;r2=1.75.2.4
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeMergejoin.c.diff?r1=1.75.2.2;r2=1.75.2.3
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeNestloop.c.diff?r1=1.39.2.1;r2=1.39.2.2
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeResult.c.diff?r1=1.32.2.1;r2=1.32.2.2
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeSubplan.c.diff?r1=1.70.2.1;r2=1.70.2.2
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/include/executor/executor.h.diff?r1=1.120.2.2;r2=1.120.2.3
- CVE-2007-0556
* Add debian/patches/00upstream-max-utf8-wchar-len.patch:
- Update various string functions to support the maximum UTF-8 sequence
length for 4-byte character set to prevent buffer overflows.
- Patch backported from 8.1.7 from CVS:
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/utils/mb/wchar.c.diff?r1=1.47.2.4;r2=1.47.2.5
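The two type-consistency hazards fixed by the first two patches (CVE-2007-0555, a SQL-language function whose body does not produce the declared return type, and CVE-2007-0556, a cached plan that outlives an ALTER COLUMN TYPE) can be exercised from psql to confirm that a server rejects them cleanly instead of trusting stale type information. The script below is an added example written for this page; it is not part of the Ubuntu package or of the upstream patches. Table, column and function names are constructed for the illustration. The error texts in the comments are what a patched 8.1.x server emits at those points; on 8.3 and later, prepared statements are invalidated and replanned automatically after DDL, so the EXECUTE in the second part simply succeeds.

```sql
-- Added example (not project code): checks for the two plan/type hazards
-- described in the changelog above. Names are constructed for this demo.

-------------------------------------------------------------------------
-- Part 1: SQL-language function whose final SELECT does not match the
-- declared result type.  The server must refuse to treat a text datum as
-- an integer; a patched server errors at CREATE FUNCTION time:
--   ERROR:  return type mismatch in function declared to return integer
--   DETAIL: Actual return type is text.
-- (With check_function_bodies = off the check is deferred to first call,
-- so keep it on, which is the default.)
-------------------------------------------------------------------------
SHOW check_function_bodies;

CREATE FUNCTION demo_bad_retval() RETURNS integer AS $$
    SELECT 'not an integer'::text
$$ LANGUAGE sql;

-- The correctly typed form is accepted:
CREATE FUNCTION demo_good_retval() RETURNS integer AS $$
    SELECT 42::integer
$$ LANGUAGE sql;

SELECT demo_good_retval();   -- 42

-------------------------------------------------------------------------
-- Part 2: cached plan versus ALTER COLUMN TYPE.  A prepared statement
-- records that demo_t.val is an integer (pass-by-value); changing the
-- column to text (pass-by-reference) must not let the old plan run.
-- A patched 8.1.x server reports, at EXECUTE time:
--   ERROR:  attribute 1 has wrong type
--   DETAIL: Table has type text, but query expects integer.
-------------------------------------------------------------------------
CREATE TABLE demo_t (val integer);
INSERT INTO demo_t VALUES (1), (2), (3);

PREPARE demo_plan AS SELECT val FROM demo_t;
EXECUTE demo_plan;                                   -- 1, 2, 3

ALTER TABLE demo_t ALTER COLUMN val TYPE text;

EXECUTE demo_plan;          -- must fail on 8.1.x; replanned on 8.3+

-- Operational rule for 8.1/8.2 deployments: after any ALTER COLUMN TYPE,
-- re-prepare statements (and reconnect PL/pgSQL sessions, whose cached
-- plans have the same lifetime) rather than relying on the error.
DEALLOCATE demo_plan;
PREPARE demo_plan AS SELECT val FROM demo_t;
EXECUTE demo_plan;                                   -- '1', '2', '3'

-- Cleanup
DROP TABLE demo_t;
DROP FUNCTION demo_good_retval();
```

Run each part in its own transaction (or with ON_ERROR_STOP off in psql) so the expected errors do not abort the rest of the script. A server on which Part 1 creates the function, or on which the second EXECUTE in Part 2 returns rows without an error or an automatic replan, is still exposed to the type-confusion the changelog describes and needs the update.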