On Sat, 4 May 2002, Tom Lane wrote:
> Stephen Amadei <[EMAIL PROTECTED]> writes:
> > However, if someone was to know that Postgres needs a /bin/rm, an exploit
> > could be created that runs /bin/rm instead of /bin/sh and trashes the
> > databases postgres owns. Of course, this is a big IF. ;-)
On Sat, 4 May 2002, Tom Lane wrote:
> Hmm. It looks like GetRawDatabaseInfo is reading a zero for the VARSIZE
> of datpath, and then computing -4 (which strncpy will take as a huge
> unsigned value) as the string length to copy. You could try applying
> a patch like this, in src/backend/utils/m
Stephen Amadei <[EMAIL PROTECTED]> writes:
> However, if someone was to know that Postgres needs a /bin/rm, an exploit
> could be created that runs /bin/rm instead of /bin/sh and trashes the
> databases postgres owns. Of course, this is a big IF. ;-)
The attacker won't be able to do any of this
Stephen Amadei <[EMAIL PROTECTED]> writes:
> #0 0x255843 in strncpy (s1=0xbfffead0 "n\013", s2=0x8213414 "n\013",
>     n=4294967292) at ../sysdeps/generic/strncpy.c:82
> #1 0x81516ab in GetRawDatabaseInfo ()
> #2 0x81511fb in InitPostgres ()
Hmm. It looks like GetRawDatabaseInfo is reading a zer
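
The length arithmetic described in the thread above (a size field read as zero, giving -4, which strncpy receives as 4294967292), as an added C example that is not PostgreSQL's code and not the patch from the thread: it shows the unchecked subtraction beside a copy that validates the stored size first. The 4-byte header follows the -4 in the message; `HDR_SIZE`, `PATH_BUF`, the function names and the datum layout are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_SIZE 4   /* assumed 4-byte length header, matching the -4 in the thread */
#define PATH_BUF 64  /* hypothetical destination buffer size */

/* Unchecked: stored total size minus header. A stored size of 0 gives -4,
 * which becomes 4294967292 as an unsigned 32-bit count (the n in the backtrace). */
uint32_t payload_len_unchecked(int32_t stored_size)
{
    return (uint32_t)(stored_size - HDR_SIZE);
}

/* Checked: validate the stored size before it is used as a copy length.
 * Returns 0 with a NUL-terminated copy in dst, or -1 if the size is unusable. */
int copy_payload_checked(char *dst, size_t dst_size,
                         const unsigned char *datum, size_t datum_avail)
{
    int32_t stored;

    if (dst_size == 0 || datum_avail < (size_t)HDR_SIZE)
        return -1;
    memcpy(&stored, datum, sizeof stored);   /* host-endian size header */
    if (stored < HDR_SIZE)                    /* zero or negative size: corrupt */
        return -1;
    if ((size_t)stored > datum_avail)         /* claims more bytes than were read */
        return -1;
    size_t len = (size_t)stored - HDR_SIZE;
    if (len >= dst_size)                      /* no room for payload plus NUL */
        return -1;
    memcpy(dst, datum + HDR_SIZE, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    unsigned char zeroed[8] = {0};            /* constructed input: header reads as 0 */
    char out[PATH_BUF];

    printf("unchecked length for size 0: %u\n", (unsigned)payload_len_unchecked(0));
    printf("checked copy of zeroed datum: %d\n",
           copy_payload_checked(out, sizeof out, zeroed, sizeof zeroed));
    return 0;
}
```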