URL: https://linuxfr.org/users/arthurr/journaux/faille-postgresql Title: Faille PostgreSQL Authors: arthurr Date: 2013年04月05日T08:44:24+02:00 License: CC By-SA Tags: postgresql Score: 35 Bon journal ! Pour les DBA PostgreSQL (et les autres gens) qui hibernent depuis une semaine : Il faut mettre à jour vos moteurs de bases !!! Les mises à jours sont disponibles depuis hier après midi pour 9.2.x, 9.1.x et 9.0.x Et ce n'est pas un poisson d'Avril ... commit 17fe2793ea7fe269ed616cb305150b6cf38dbaa8 Author: Tom Lane Date: Mon Apr 1 14:00:51 2013 -0400 Fix insecure parsing of server command-line switches. An oversight in commit e710b65c1c56ca7b91f662c63d37ff2e72862a94 allowed database names beginning with "-" to be treated as though they were secure command-line switches; and this switch processing occurs before client authentication, so that even an unprivileged remote attacker could exploit the bug, needing only connectivity to the postmaster's port. Assorted exploits for this are possible, some requiring a valid database login, some not. The worst known problem is that the "-r" switch can be invoked to redirect the process's stderr output, so that subsequent error messages will be appended to any file the server can write. This can for example be used to corrupt the server's configuration files, so that it will fail when next restarted. Complete destruction of database tables is also possible. Fix by keeping the database name extracted from a startup packet fully separate from command-line switches, as had already been done with the user name field. The Postgres project thanks Mitsumasa Kondo for discovering this bug, Kyotaro Horiguchi for drafting the fix, and Noah Misch for recognizing the full extent of the danger. Security: CVE-2013-1899 et des liens : http://blog.postgresql.fr/index.php?post/2013/04/04/Mises-%C3%A0-jour-mineures-de-PostgreSQL-%3A-9.2.4%2C-9.1.9%2C-9.0.13%2C-8.4.17 http://www.postgresql.fr/faq_correctif_20130404

AltStyle によって変換されたページ (->オリジナル) /