Your message dated Sat, 06 May 2017 14:44:18 +0100
with message-id <1494078258.26551.13.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 8.8
has caused the Debian Bug report #858547,
regarding jessie-pu: package plv8/1.4.2.ds-2+deb8u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
858547: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858547
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
Hi,
I would like to upload plv8 to jessie. Is that acceptable?
As per [1], a security upload is not applicable.
[1]
https://www.debian.org/releases/jessie/amd64/release-notes/ch-information.en.html#libv8
diff -Nru plv8-1.4.2.ds/debian/changelog plv8-1.4.2.ds/debian/changelog
--- plv8-1.4.2.ds/debian/changelog 2014-07-28 12:58:12.000000000 +0200
+++ plv8-1.4.2.ds/debian/changelog 2017-03-23 10:59:59.000000000 +0100
@@ -1,3 +1,9 @@
+plv8 (1.4.2.ds-2+deb8u1) jessie; urgency=high
+
+ * Security bugfix picked from 1.4.9: Check for permission to call functions.
+
+ -- Christoph Berg <christoph.b...@credativ.de> Thu, 23 Mar 2017 10:59:59
+0100
+
plv8 (1.4.2.ds-2) unstable; urgency=medium
* Pull patches from upstream to support PostgreSQL 9.4.
diff -Nru plv8-1.4.2.ds/debian/patches/90a57729abb488bf830c2f9783353dfe353ca4f0
plv8-1.4.2.ds/debian/patches/90a57729abb488bf830c2f9783353dfe353ca4f0
--- plv8-1.4.2.ds/debian/patches/90a57729abb488bf830c2f9783353dfe353ca4f0
1970-01-01 01:00:00.000000000 +0100
+++ plv8-1.4.2.ds/debian/patches/90a57729abb488bf830c2f9783353dfe353ca4f0
2017-03-23 10:58:46.000000000 +0100
@@ -0,0 +1,78 @@
+diff --git a/expected/startup.out b/expected/startup.out
+index 0cd9941..0bc62d1 100644
+--- a/expected/startup.out
++++ b/expected/startup.out
+@@ -1,7 +1,7 @@
+ -- test startup failure
+ set plv8.start_proc = foo;
+ do $$ plv8.elog(NOTICE, 'foo = ' + foo) $$ language plv8;
+-WARNING: failed to find js function function "foo" does not exist
++WARNING: failed to find js function function "foo()" does not exist
+ ERROR: ReferenceError: foo is not defined
+ DETAIL: undefined() LINE 1: plv8.elog(NOTICE, 'foo = ' + foo)
+ \c
+diff --git a/plv8.cc b/plv8.cc
+index 54d4f3a..d0a81e3 100644
+--- a/plv8.cc
++++ b/plv8.cc
+@@ -1263,6 +1263,18 @@ ThrowError(const char *message) throw()
+ return ThrowException(Exception::Error(String::New(message)));
+ }
+
++static text *
++charToText(char *string)
++{
++ int len = strlen(string);
++ text *result = (text *) palloc(len + 1 + VARHDRSZ);
++
++ SET_VARSIZE(result, len + VARHDRSZ);
++ memcpy(VARDATA(result), string, len + 1);
++
++ return result;
++}
++
+ static Persistent<Context>
+ GetGlobalContext()
+ {
+@@ -1307,10 +1319,40 @@ GetGlobalContext()
+ Context::Scope context_scope(global_context);
+ TryCatch try_catch;
+ MemoryContext ctx = CurrentMemoryContext;
++ text *arg1, *arg2;
++ FunctionCallInfoData fake_fcinfo;
++ FmgrInfo flinfo;
++
++ char proc[NAMEDATALEN + 32];
++ strcpy(proc, plv8_start_proc);
++ strcat(proc, "()");
++ char perm[16];
++ strcpy(perm, "EXECUTE");
++ arg1 = charToText(proc);
++ arg2 = charToText(perm);
++
++ MemSet(&fake_fcinfo, 0, sizeof(fake_fcinfo));
++ MemSet(&flinfo, 0, sizeof(flinfo));
++ fake_fcinfo.flinfo = &flinfo;
++ flinfo.fn_oid = InvalidOid;
++ flinfo.fn_mcxt = CurrentMemoryContext;
++ fake_fcinfo.nargs = 2;
++ fake_fcinfo.arg[0] = CStringGetDatum(arg1);
++ fake_fcinfo.arg[1] = CStringGetDatum(arg2);
+
+ PG_TRY();
+ {
+- func =
find_js_function_by_name(plv8_start_proc);
++ Datum ret =
has_function_privilege_name(&fake_fcinfo);
++
++ if (ret == 0) {
++ elog(WARNING, "failed to find js
function %s", plv8_start_proc);
++ } else {
++ if (DatumGetBool(ret)) {
++ func =
find_js_function_by_name(plv8_start_proc);
++ } else {
++ elog(WARNING, "no permission to
execute js function %s", plv8_start_proc);
++ }
++ }
+ }
+ PG_CATCH();
+ {
diff -Nru plv8-1.4.2.ds/debian/patches/series
plv8-1.4.2.ds/debian/patches/series
--- plv8-1.4.2.ds/debian/patches/series 2014-07-28 12:55:57.000000000 +0200
+++ plv8-1.4.2.ds/debian/patches/series 2017-03-23 10:58:55.000000000 +0100
@@ -5,3 +5,4 @@
094df45dce2a879d1814b792aeb46b38f0f0ef87
0163635ecab45ec53419b9a3ea4ea890495ce3cc
aedc9e64ba18d591f0a4afadecc936d778282bde
+90a57729abb488bf830c2f9783353dfe353ca4f0
Christoph
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Version: 8.8
Hi,
Each of these bugs refers to an update that was included in today's
jessie point release. Thanks!
Regards,
Adam
--- End Message ---
