Re: [HACKERS] @(#)Mordred Labs advisory 0x0003: Buffer overflow in

Tue, 20 Aug 2002 22:47:24 -0700 

On Tue, 20 Aug 2002, Thomas Lockhart wrote:

> ...
> > So I think that fixing the opaque problems in 7.2.x is simply
> > impossible. Given that, the question is whether we should make a 7.2.2
> > release with fixes for the other security holes (lpad(), rpad(),
> > reverse(), and the datetime overruns). IMHO, we should.
> 
> Just a minor point: can someone actually show a symptom with date/time
> problems in 7.2.x?

template1=# select version();
                           version
-------------------------------------------------------------
 PostgreSQL 7.2.1 on i686-pc-linux-gnu, compiled by GCC 2.96
(1 row)

template1=# select
'1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111'::date
server closed the connection unexpectedly
        This probably means the server terminated abnormally
        before or while processing the request.
The connection to the server was lost. Attempting reset: Failed.
!#

ParseDateTime() isn't checking that str < MAXDATELEN -- which is the
problem you solved in the datetime.c fixes.

Gavin


---------------------------(end of broadcast)---------------------------
TIP 3: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to [EMAIL PROTECTED] so that your
message can get through to the mailing list cleanly

Reply via email to