file in tmp hole in make_oidjoins_check
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
postgresql (Debian) | Fix Released | Unknown | |
postgresql (Ubuntu) | Fix Released | Medium | Martin Pitt |
Bug Description
Automatically imported from Debian bug report #278262 http://
CVE References
In Debian Bug tracker #278262, Oliver Elphick (olly-lfix) wrote : Re: Bug#278262: file in tmp hole in make_oidjoins_check | #1 |
In Debian Bug tracker #278262, Oliver Elphick (olly-lfix) wrote : | #2 |
On Tue, 2004-10-26 at 11:40 +0100, Oliver Elphick wrote:
> On Mon, 2004-10-25 at 16:03 -0400, Joey Hess wrote:
> > Package: postgresql
> > Version: 7.3.4-9
> > Severity: normal
> > Tags: security
> >
> > The make_oidjoins_check script, which is only shipped in the source
> > package, creates /tmp files insecurely according to CAN-2004-0977 (and
> > I've verified this).
> >
> > It should be fixed, just in case someone happens to find it in the
> > source package.
>
> Joey, I think you have rather lost your sense of proportion here.
>
> We should next remove the upstream source, in case someone finds it
> there...
But in fact it actually _is_ shipped in postgresql-contrib, not just the
source, so a fix is needed.
--
Oliver Elphick <email address hidden>
Isle of Wight http://
GPG: 1024D/A54310EA 92C8 39E7 280E 3631 3F0E 1EC0 5664 7A2F A543 10EA
"Whosoever therefore shall be ashamed of me and of my
words in this adulterous and sinful generation; of him
also shall the Son of man be ashamed, when he cometh
in the glory of his Father with the holy angels."
In Debian Bug tracker #278262, Martin Pitt (pitti) wrote : severity of 278262 is critical, merging 278262 278336 | #3 |
# Automatically generated email from bts, devscripts version 2.7.95.1
severity 278262 critical
merge 278262 278336
In Debian Bug tracker #278262, Martin Pitt (pitti) wrote : Re: Bug#278262: file in tmp hole in make_oidjoins_check | #4 |
Hi!
Joey Hess [2004-10-25 16:03 -0400]:
> Package: postgresql
> Version: 7.3.4-9
> Severity: normal
> Tags: security
>
> The make_oidjoins_check script, which is only shipped in the source
> package, creates /tmp files insecurely according to CAN-2004-0977 (and
> I've verified this).
>
> It should be fixed, just in case someone happens to find it in the
> source package.
It's shipped in -contrib, I merged this bug with #278336.
For the records, a stable update is ready and to be approved by the
security team; I will do an unstable upload soon.
Thanks and have a nice day!
Martin
--
Martin Pitt http://
Ubuntu Developer http://
Debian GNU/Linux Developer http://
In Debian Bug tracker #278262, Oliver Elphick (olly-lfix) wrote : | #5 |
On Tue, 2004-10-26 at 16:41 +0200, Martin Pitt wrote:
> > The make_oidjoins_check script, which is only shipped in the source
> > package, creates /tmp files insecurely according to CAN-2004-0977 (and
> > I've verified this).
> It's shipped in -contrib, I merged this bug with #278336.
In 7.4.6, we should drop this script from postgresql-contrib, since it
is of no use to normal users.
--
Oliver Elphick <email address hidden>
Isle of Wight http://
GPG: 1024D/A54310EA 92C8 39E7 280E 3631 3F0E 1EC0 5664 7A2F A543 10EA
"Whosoever therefore shall be ashamed of me and of my
words in this adulterous and sinful generation; of him
also shall the Son of man be ashamed, when he cometh
in the glory of his Father with the holy angels."
Debian Bug Importer (debzilla) wrote : | #6 |
Automatically imported from Debian bug report #278262 http://
Debian Bug Importer (debzilla) wrote : | #7 |
Message-ID: <email address hidden>
Date: Mon, 25 Oct 2004 16:03:13 -0400
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: file in tmp hole in make_oidjoins_check
Package: postgresql
Version: 7.3.4-9
Severity: normal
Tags: security
The make_oidjoins_check script, which is only shipped in the source
package, creates /tmp files insecurely according to CAN-2004-0977 (and
I've verified this).
It should be fixed, just in case someone happens to find it in the
source package.
--
see shy jo
Debian Bug Importer (debzilla) wrote : | #8 |
Message-Id: <1098787254.
Date: Tue, 26 Oct 2004 11:40:54 +0100
From: Oliver Elphick <email address hidden>
To: Joey Hess <email address hidden>, <email address hidden>
Subject: Re: Bug#278262: file in tmp hole in make_oidjoins_check
On Mon, 2004-10-25 at 16:03 -0400, Joey Hess wrote:
> Package: postgresql
> Version: 7.3.4-9
> Severity: normal
> Tags: security
>
> The make_oidjoins_check script, which is only shipped in the source
> package, creates /tmp files insecurely according to CAN-2004-0977 (and
> I've verified this).
>
> It should be fixed, just in case someone happens to find it in the
> source package.
Joey, I think you have rather lost your sense of proportion here.
We should next remove the upstream source, in case someone finds it
there...
--
Oliver Elphick <email address hidden>
Isle of Wight http://
GPG: 1024D/A54310EA 92C8 39E7 280E 3631 3F0E 1EC0 5664 7A2F A543 10EA
"Whosoever therefore shall be ashamed of me and of my
words in this adulterous and sinful generation; of him
also shall the Son of man be ashamed, when he cometh
in the glory of his Father with the holy angels."
Debian Bug Importer (debzilla) wrote : | #12 |
*** Bug 9455 has been marked as a duplicate of this bug. ***
In Debian Bug tracker #278262, Joey Hess (joeyh) wrote : | #13 |
Oliver Elphick wrote:
> On Mon, 2004-10-25 at 16:03 -0400, Joey Hess wrote:
> > Package: postgresql
> > Version: 7.3.4-9
> > Severity: normal
> > Tags: security
> >
> > The make_oidjoins_check script, which is only shipped in the source
> > package, creates /tmp files insecurely according to CAN-2004-0977 (and
> > I've verified this).
> >
> > It should be fixed, just in case someone happens to find it in the
> > source package.
>
> Joey, I think you have rather lost your sense of proportion here.
Not really; other Linux distributions have shipped this script in binary
packages, it's obviously not too unlikely that someone would find it and
use it.
--
see shy jo
In Debian Bug tracker #278262, Florian Weimer (fw) wrote : | #15 |
* Joey Hess:
>> > It should be fixed, just in case someone happens to find it in the
>> > source package.
>>
>> Joey, I think you have rather lost your sense of proportion here.
>
> Not really; other Linux distributions have shipped this script in binary
> packages, it's obviously not too unlikely that someone would find it and
> use it.
But any stable update has a potentially destabilizing effect, too, so
we have to carefully weigh our options. If a stable update is
scheduled because of the data loss bug, it should also incorporate the
security fix, but releasing a no-op security fix alone doesn't make
sense to me.
Martin Pitt (pitti) wrote : | #16 |
Attachment: interdiff to fix this (2.7 KiB, text/plain)
Created an attachment (id=608)
interdiff to fix this
Bugzilla automatically closed the wrong duplicate bug, so I copy the interdiff
here.
In Debian Bug tracker #278262, Martin Pitt (pitti) wrote : | #17 |
Hi!
Florian Weimer [2004-10-26 19:01 +0200]:
> * Joey Hess:
>
> >> > It should be fixed, just in case someone happens to find it in the
> >> > source package.
> >>
> >> Joey, I think you have rather lost your sense of proportion here.
> >
> > Not really; other Linux distributions have shipped this script in binary
> > packages, it's obviously not too unlikely that someone would find it and
> > use it.
>
> But any stable update has a potentially destabilizing effect, too, so
> we have to carefully weigh our options. If a stable update is
> scheduled because of the data loss bug, it should also incorporate the
> security fix, but releasing a no-op security fix alone doesn't make
> sense to me.
Just for the records again, we _do_ ship this file in
postgresql-contrib. I prepared an update which is currently in the
approval phase.
I would really like to put other fixes in to stable, too, but I
already asked several times to upload the (very sane) PostgreSQL point
releases, without success.
Martin
--
Martin Pitt http://
Ubuntu Developer http://
Debian GNU/Linux Developer http://
Martin Pitt (pitti) wrote : | #18 |
The Hoary version is not yet fixed, adapting severity and target. Warty version
was fixed by today's security upload.
In Debian Bug tracker #278262, Martin Pitt (pitti) wrote : Bug#278262: fixed in postgresql 7.4.6-1 | #22 |
Source: postgresql
Source-Version: 7.4.6-1
We believe that the bug you reported is fixed in the latest version of
postgresql, which is due to be installed in the Debian FTP archive:
libecpg-
to pool/main/
libecpg4_
to pool/main/
libpgtcl-
to pool/main/
libpgtcl_
to pool/main/
libpq3_
to pool/main/
postgresql-
to pool/main/
postgresql-
to pool/main/
postgresql-
to pool/main/
postgresql-
to pool/main/
postgresql_
to pool/main/
postgresql_
to pool/main/
postgresql_
to pool/main/
postgresql_
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Martin Pitt <email address hidden> (supplier of updated postgresql package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 27 Oct 2004 12:08:01 +0200
Source: postgresql
Binary: postgresql-client libecpg4 libpgtcl-dev libpq3 postgresql-doc libecpg-dev postgresql-dev postgresql libpgtcl postgresql-contrib
Architecture: source i386 all
Version: 7.4.6-1
Distribution: unstable
Urgency: medium
Maintainer: Oliver Elphick <email address hidden>
Changed-By: Martin Pitt <email address hidden>
Description:
libecpg-dev - Shared library libecpg.so for PostgreSQL - development files
libecpg4 - Shared library libecpg.so.4 for PostgreSQL
libpgtcl - Tcl procedural language, library and front-end for PostgreSQL
libpgtcl-dev - Tcl library for PostgreSQL - development files
libpq3 - Shared library libpq.so.3 for PostgreSQL
postgresql - Object-relational SQL database, descended from POSTGRES
postgresql-client - Front-end programs for PostgreSQL
postgresql-contrib - Additional facilities for PostgreSQL
postgresql-dev - Header files for libpq (postgresql library)
postgresql-doc - Documentation for the PostgreSQL database
Closes: 273837 278262 278318 278336
Changes:
postgresql (7.4.6-1) unstable; urgency=medium
.
* New upstream security and bug fix release
- fix several bugs causing potential data loss and security
In Debian Bug tracker #278262, Martin Pitt (pitti) wrote : reopening 278336, tagging 278336 | #23 |
# Automatically generated email from bts, devscripts version 2.7.95.1
reopen 278336
tags 278336 woody pending
Martin Pitt (pitti) wrote : | #25 |
Fixed in Debian now, should automatically go into Hoary with one of the next syncs.
Martin Pitt (pitti) wrote : | #27 |
Fixed by the recent sid sync.
In Debian Bug tracker #278262, Martin Pitt (pitti) wrote : Fwd: Accepted postgresql 7.2.1-2woody6 (i386 source all) | #28 |
Hi!
The woody version is published, so this bug can be closed.
Martin
----- Forwarded message from Martin Pitt <email address hidden> -----
From: Martin Pitt <email address hidden>
To: <email address hidden>
Subject: Accepted postgresql 7.2.1-2woody6 (i386 source all)
Date: Fri, 29 Oct 2004 06:17:12 -0400
X-Spam-Status: No, hits=-1.5 required=4.0 tests=AWL autolearn=no version=2.64
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 26 Oct 2004 15:54:22 +0200
Source: postgresql
Binary: libpgtcl postgresql pgaccess odbc-postgresql libpgperl postgresql-client libecpg3 postgresql-contrib postgresql-dev postgresql-doc python-pygresql libpgsql2
Architecture: source all i386
Version: 7.2.1-2woody6
Distribution: stable-security
Urgency: high
Maintainer: Martin Pitt <email address hidden>
Changed-By: Martin Pitt <email address hidden>
Description:
libecpg3 - Shared library libecpg.so.3 for PostgreSQL
libpgperl - Perl modules for PostgreSQL.
libpgsql2 - Shared library libpq.so.2 for PostgreSQL
libpgtcl - Tcl/Tk library and front-end for PostgreSQL.
odbc-postgresql - ODBC support for PostgreSQL
pgaccess - Tk/Tcl front-end for PostgreSQL database
postgresql - Object-relational SQL database, descended from POSTGRES.
postgresql-client - Front-end programs for PostgreSQL
postgresql-contrib - Additional facilities for PostgreSQL
postgresql-dev - Header files for libpq (postgresql library)
postgresql-doc - Documentation for the PostgreSQL database.
python-pygresql - PostgreSQL module for Python
Changes:
postgresql (7.2.1-2woody6) stable-security; urgency=high
.
* Security upload to fix insecure temporary file handling in
contrib/
- use version from upstream release 7.2.6 as basis (introduces proper
variables for the file names instead of repeatedly constructing them
inline)
- upstream still uses the $$ method for constructing file names; changed
that to use mktemp
* References:
CAN-2004-0977
http://
http://
Files:
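The woody6 changelog above says upstream still derived the temporary file name from `$$` and the Debian upload changed that to `mktemp`. As an added example, and not code from the PostgreSQL make_oidjoins_check script, this puts the two naming schemes side by side and adds the audit check a reviewer would run on the result; the `oidjoins.XXXXXX` template and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the PostgreSQL make_oidjoins_check script.
# It contrasts the two temp-file naming schemes named in the woody6
# changelog: a name derived from the shell PID ($$) versus mktemp.
# "oidjoins" and all function names are constructed for this example.

# The scheme the changelog says upstream still used.  The name depends only
# on the PID, which is small, sequential and visible to every local user,
# and a later ">" redirection opens whatever already exists at that path
# instead of failing.  Kept here only so the weakness is concrete.
insecure_tmpname() {
    echo "/tmp/oidjoins.$$"
}

# What the fix switched to: mktemp creates the file itself, with a random
# suffix and mode 0600, and exits non-zero instead of reusing an existing
# path.  The body runs in a subshell so the umask change does not leak
# into the caller.
secure_tmpfile() (
    umask 077
    mktemp "${TMPDIR:-/tmp}/oidjoins.XXXXXX"
)

# Audit check for a temp path a script has produced: regular file (not a
# symlink), owned by the current user, mode exactly 0600.  Works with GNU
# stat (-c) and falls back to BSD stat (-f).
check_tmpfile() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] && [ -O "$f" ] || return 1
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$mode" = "600" ]
}

# Typical use: create, register cleanup, write, and let the trap remove
# the file on any exit path.
main() {
    tmp=$(secure_tmpfile) || exit 1
    trap 'rm -f "$tmp"' EXIT INT TERM
    printf 'SELECT 1;\n' > "$tmp"
    if check_tmpfile "$tmp"; then
        echo "ok: $tmp passes the temp-file audit"
    else
        echo "FAIL: $tmp is not a private regular file" >&2
        exit 1
    fi
}

main
```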
Changed in postgresql:
status: Unknown → Fix Released