Hi Florian,

Very hard call.

If this was even a "fringe case" whereby even only a few places that are doing "the right thing" would be compromisable, then we should probably go for a 7.2.2. Even if it's only 7.2.1 with this one bug fix. However, it sounds like this bug is really only going to affect those places which aren't correctly implementing *proper*, *decent* input validation, and are then passing this not-properly-checked value straight into a SQL string for execution by the server. Doing that (not input checking properly) is a brain-damaged concept all by itself. :(

Is this scenario of not properly checking the input the only way PostgreSQL could be crashed by this bug In Real Life?

Having said this, is this what 7.2.2 here would require doing:

- Create an archive of 7.2.1+bugfix, and call it 7.2.2, gzip, md5, etc, as appropriate, put on site
- Update CVS appropriately
- Create a new press release for 7.2.2, spread that appropriately too
- Add an entry to the main website

I reckon the only reason for making a 7.2.2 for this would be to help ensure newbie (or very tired) coders don't get their servers taken out by clueful malicious types.

Regards and best wishes,

Justin Clift

Florian Weimer wrote:
> 
> Justin Clift <[EMAIL PROTECTED]> writes:
> 
> > - A PostgreSQL 7.2.1 server can be crashed if it gets passed certain
> > date values which would be accepted by standard "front end" parsing?
> > So, a web application layer can request a date from a user, do standard
> > integrity checks (like looking for weird characters and formatting
> > hacks) on the date given, then use the date as part of a SQL query, and
> > PostgreSQL will die?
> 
> It depends on the checking. If you just check that the date consists
> of digits (and a few additional characters), it's possible to crash
> the server.
> 
> -- 
> Florian Weimer [EMAIL PROTECTED]
> University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
> RUS-CERT fax +49-711-685-5898

-- 
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi
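The distinction Florian draws between checking a date's characters and validating it as a date, as an added example that is not code from the thread or from PostgreSQL: a loose digits-and-hyphens check beside a strict parser, and a parameterised lookup built only from the validated value. The table name, column name and accepted year range are assumptions, and the sample inputs are constructed.

```python
import re
from datetime import date
from typing import Dict, Optional, Tuple

# Loose "front end" check of the kind the thread describes: it inspects only
# the character set, so any run of digits and hyphens passes.
LOOSE_DATE_RE = re.compile(r"[0-9-]+")
ISO_DATE_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")


def loose_check(text: str) -> bool:
    """Character-class check only: '99999999-99-99' is accepted."""
    return LOOSE_DATE_RE.fullmatch(text) is not None


def strict_parse_date(text: str, min_year: int = 1900,
                      max_year: int = 2100) -> Optional[date]:
    """Accept only a well-formed YYYY-MM-DD naming a real calendar date
    inside an application-chosen year range (the range is an assumption)."""
    m = ISO_DATE_RE.fullmatch(text)
    if m is None:
        return None
    year, month, day = (int(g) for g in m.groups())
    if not min_year <= year <= max_year:
        return None
    try:
        return date(year, month, day)  # rejects 2002-02-30, month 13, day 00
    except ValueError:
        return None


def build_lookup(text: str) -> Optional[Tuple[str, Tuple[date]]]:
    """Return (sql, params) for a parameterised query, or None if rejected.
    The %s placeholder is DB-API style (e.g. psycopg2); the validated date
    object is bound as a parameter, never spliced into the SQL text.
    Table and column names are assumptions."""
    d = strict_parse_date(text)
    if d is None:
        return None
    return ("SELECT id FROM events WHERE event_date = %s", (d,))


# Constructed sample inputs, not values from the thread.
SAMPLES = ["2002-04-17", "2002-02-30", "99999999-99-99", "0000-00-00",
           "17/04/2002"]


def compare(samples=SAMPLES) -> Dict[str, Tuple[bool, bool]]:
    """Map each sample to (passes loose check, passes strict check)."""
    return {s: (loose_check(s), strict_parse_date(s) is not None)
            for s in samples}
```

Every sample except the last passes the loose check, while only the first is a real date; only that one ever reaches the driver, and then as a bound parameter.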