diff options
| -rw-r--r-- | doc/src/sgml/release-8.3.sgml | 13 | ||||
| -rw-r--r-- | doc/src/sgml/release-8.4.sgml | 13 | ||||
| -rw-r--r-- | doc/src/sgml/release-9.0.sgml | 13 | ||||
| -rw-r--r-- | doc/src/sgml/release-9.1.sgml | 13 | ||||
| -rw-r--r-- | doc/src/sgml/release-9.2.sgml | 13 | ||||
| -rw-r--r-- | src/backend/utils/adt/enum.c | 5 |
6 files changed, 70 insertions, 0 deletions
diff --git a/doc/src/sgml/release-8.3.sgml b/doc/src/sgml/release-8.3.sgml index 7d9764c9874..43db2ad35ad 100644 --- a/doc/src/sgml/release-8.3.sgml +++ b/doc/src/sgml/release-8.3.sgml @@ -42,6 +42,19 @@ <listitem> <para> + Prevent execution of <function>enum_recv</> from SQL (Tom Lane) + </para> + + <para> + The function was misdeclared, allowing a simple SQL command to crash the + server. In principle an attacker might be able to use it to examine the + contents of server memory. Our thanks to Sumit Soni (via Secunia SVCRP) + for reporting this issue. (CVE-2013-0255) + </para> + </listitem> + + <listitem> + <para> Fix SQL grammar to allow subscripting or field selection from a sub-SELECT result (Tom Lane) </para> diff --git a/doc/src/sgml/release-8.4.sgml b/doc/src/sgml/release-8.4.sgml index 1d601f1c07e..03f31e63a84 100644 --- a/doc/src/sgml/release-8.4.sgml +++ b/doc/src/sgml/release-8.4.sgml @@ -36,6 +36,19 @@ <listitem> <para> + Prevent execution of <function>enum_recv</> from SQL (Tom Lane) + </para> + + <para> + The function was misdeclared, allowing a simple SQL command to crash the + server. In principle an attacker might be able to use it to examine the + contents of server memory. Our thanks to Sumit Soni (via Secunia SVCRP) + for reporting this issue. (CVE-2013-0255) + </para> + </listitem> + + <listitem> + <para> Update minimum recovery point when truncating a relation file (Heikki Linnakangas) </para> diff --git a/doc/src/sgml/release-9.0.sgml b/doc/src/sgml/release-9.0.sgml index fc0af4edbc3..f3340abc7e6 100644 --- a/doc/src/sgml/release-9.0.sgml +++ b/doc/src/sgml/release-9.0.sgml @@ -36,6 +36,19 @@ <listitem> <para> + Prevent execution of <function>enum_recv</> from SQL (Tom Lane) + </para> + + <para> + The function was misdeclared, allowing a simple SQL command to crash the + server. In principle an attacker might be able to use it to examine the + contents of server memory. Our thanks to Sumit Soni (via Secunia SVCRP) + for reporting this issue. (CVE-2013-0255) + </para> + </listitem> + + <listitem> + <para> Fix multiple problems in detection of when a consistent database state has been reached during WAL replay (Fujii Masao, Heikki Linnakangas, Simon Riggs, Andres Freund) diff --git a/doc/src/sgml/release-9.1.sgml b/doc/src/sgml/release-9.1.sgml index 897b584247a..172b125e222 100644 --- a/doc/src/sgml/release-9.1.sgml +++ b/doc/src/sgml/release-9.1.sgml @@ -36,6 +36,19 @@ <listitem> <para> + Prevent execution of <function>enum_recv</> from SQL (Tom Lane) + </para> + + <para> + The function was misdeclared, allowing a simple SQL command to crash the + server. In principle an attacker might be able to use it to examine the + contents of server memory. Our thanks to Sumit Soni (via Secunia SVCRP) + for reporting this issue. (CVE-2013-0255) + </para> + </listitem> + + <listitem> + <para> Fix multiple problems in detection of when a consistent database state has been reached during WAL replay (Fujii Masao, Heikki Linnakangas, Simon Riggs, Andres Freund) diff --git a/doc/src/sgml/release-9.2.sgml b/doc/src/sgml/release-9.2.sgml index d70ddd66e4a..61bb925dca4 100644 --- a/doc/src/sgml/release-9.2.sgml +++ b/doc/src/sgml/release-9.2.sgml @@ -36,6 +36,19 @@ <listitem> <para> + Prevent execution of <function>enum_recv</> from SQL (Tom Lane) + </para> + + <para> + The function was misdeclared, allowing a simple SQL command to crash the + server. In principle an attacker might be able to use it to examine the + contents of server memory. Our thanks to Sumit Soni (via Secunia SVCRP) + for reporting this issue. (CVE-2013-0255) + </para> + </listitem> + + <listitem> + <para> Fix multiple problems in detection of when a consistent database state has been reached during WAL replay (Fujii Masao, Heikki Linnakangas, Simon Riggs, Andres Freund) diff --git a/src/backend/utils/adt/enum.c b/src/backend/utils/adt/enum.c index 01a726be447..1eb8ccfaee5 100644 --- a/src/backend/utils/adt/enum.c +++ b/src/backend/utils/adt/enum.c @@ -18,6 +18,7 @@ #include "access/htup_details.h" #include "catalog/indexing.h" #include "catalog/pg_enum.h" +#include "catalog/pg_type.h" #include "libpq/pqformat.h" #include "utils/array.h" #include "utils/builtins.h" @@ -104,6 +105,10 @@ enum_recv(PG_FUNCTION_ARGS) char *name; int nbytes; + /* guard against pre-9.3 misdeclaration of enum_recv */ + if (get_fn_expr_argtype(fcinfo->flinfo, 0) == CSTRINGOID) + elog(ERROR, "invalid argument for enum_recv"); + name = pq_getmsgtext(buf, buf->len - buf->cursor, &nbytes); /* must check length to prevent Assert failure within SearchSysCache */ |