Hi PostgreSQL developers!

Debian's security audit team recently reviewed PostgreSQL for insecure temporary file usage and found that a lot of the developer tools and also some build tools are vulnerable to symlink attacks.

Please see http://bugs.debian.org/291962 for the detailed report and a proposed patch. However, the patch mostly relies on mktemp and/or tempfile, which might not be available on all platforms that PostgreSQL supports, so the patch should be regarded as a pointer to the issues, not as their solution. In many cases the usage of a temporary file is not necessary in the first place and can be replaced by piping (as I did with src/test/bench/perquery) or "OUTPUT=$(program args)" constructs. If neither is possible, then the script should at least be run with "set -o noclobber" (or "#!/bin/sh -C", which does the same).

Apart from the Debian-specific issues of the bug report (which I already fixed), the following files were found to be vulnerable:

Used in build, fixed for Debian (see attached patch):

  postgresql-7.4.6/src/backend/catalog/genbki.sh
  postgresql-7.4.6/src/test/bench/perquery

Not shipped in the Debian package, since it is useless:

  postgresql-7.4.6/contrib/pg_upgrade/pg_upgrade

Not used anywhere in the source, not fixed in Debian package:

  postgresql-7.4.6/src/include/catalog/duplicate_oids
  postgresql-7.4.6/src/tools/ccsym
  postgresql-7.4.6/src/tools/find_static
  postgresql-7.4.6/src/tools/make_ctags
  postgresql-7.4.6/src/tools/make_etags
  postgresql-7.4.6/src/tools/pgtest
  postgresql-7.4.6/src/tools/pginclude/pgcompinclude
  postgresql-7.4.6/src/tools/pginclude/pgdefine
  postgresql-7.4.6/src/tools/pginclude/pgfixinclude
  postgresql-7.4.6/src/tools/pginclude/pgrminclude
  postgresql-7.4.6/src/tools/pgindent/pgcppindent
  postgresql-7.4.6/src/tools/pgindent/pgindent
  postgresql-7.4.6/src/tools/pgindent/pgjindent
  postgresql-7.4.6/contrib/tools/add-emacs-variables

Most of the tools are irrelevant for the sake of package building and shipping, but they might be commonly used on PostgreSQL developers' machines, so it might be a good idea to fix them eventually.

Thanks for considering and for your great work and have a nice day!
Martin

-- 
Martin Pitt                  http://www.piware.de
Ubuntu Developer             http://www.ubuntulinux.org
Debian GNU/Linux Developer   http://www.debian.org
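The three remedies the mail lists (drop the file and pipe or capture output instead, run with noclobber so `>` refuses an existing path, or use mktemp where it exists) are shown side by side below. This is an added example written for this page, not code from Martin's mail or from the attached patch; the function names, the `example.*` name pattern and the constructed input lines are assumptions for the demonstration. Where mktemp is missing, the fallback keeps the predictable PID-based name but creates it under `set -C`, so a pre-placed symlink makes the create fail and the loop moves on rather than writing through the link.

```shell
#!/bin/sh
# Added example (not part of the original mail or patch): safer alternatives
# to "program > /tmp/foo$$" in portable sh.

# 1. Best: do not create a file at all. perquery's egrep | awk round trip
#    becomes a plain pipe; here a small awk filter sums the second column
#    of lines containing "elapse", reading stdin.
sum_elapsed() {
    awk '/elapse/ { x += $2 } END { printf "%.3f\n", x }'
}

# 2. noclobber (set -C, same as "set -o noclobber" or "#!/bin/sh -C"):
#    ">" is performed with O_EXCL semantics, so an existing path, including
#    a symlink that an attacker pre-placed, is refused instead of truncated.
#    Prints "ok" when the file was created, "refused" otherwise.
write_noclobber() {
    if ( set -C; : > "$1" ) 2>/dev/null; then
        echo ok
    else
        echo refused
    fi
}

# 3. mktemp where available (unpredictable name, created atomically);
#    otherwise a noclobber fallback that retries on collision. The
#    fallback name is still guessable, but a collision is now a failed
#    open and a retry, never a write through someone else's symlink.
make_tmpfile() {
    dir="${TMPDIR:-/tmp}"
    if command -v mktemp >/dev/null 2>&1; then
        mktemp "$dir/example.XXXXXX" || return 1
        return 0
    fi
    i=0
    while [ "$i" -lt 100 ]; do
        f="$dir/example.$$.$i"
        if ( set -C; : > "$f" ) 2>/dev/null; then
            echo "$f"
            return 0
        fi
        i=$((i + 1))
    done
    echo "cannot create temporary file in $dir" >&2
    return 1
}

# Stand-alone demo with a constructed layout: a "victim" file and a
# symlink pointing at it, as an attacker would leave in a shared /tmp.
demo() {
    d=$(mktemp -d) || exit 1
    printf 'secret\n' > "$d/victim"
    ln -s "$d/victim" "$d/link"
    echo "write via symlink:  $(write_noclobber "$d/link")"   # refused
    echo "victim still says:  $(cat "$d/victim")"             # secret
    echo "write fresh path:   $(write_noclobber "$d/fresh")"  # ok
    t=$(make_tmpfile) && echo "mktemp-style file:  $t"
    printf 'elapse 1.5 0.5 0.25\nx = "q"\nelapse 2.0 1.0 0.5\n' | sum_elapsed
    rm -rf "$d" "$t"
}
```

Run `demo` to see the symlink write refused and the victim file untouched; the pipe variant is the one to reach for first, since there is then no name for an attacker to pre-create and no cleanup trap to get wrong.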
diff -ruN postgresql-7.4.6-old/src/backend/catalog/genbki.sh
postgresql-7.4.6/src/backend/catalog/genbki.sh
--- postgresql-7.4.6-old/src/backend/catalog/genbki.sh 2003-07-29
16:12:50.000000000 +0200
+++ postgresql-7.4.6/src/backend/catalog/genbki.sh 2005-01-24
21:53:09.563245616 +0100
@@ -108,12 +108,7 @@
exit 1
fi
-if [ x"$TMPDIR" = x"" ] ; then
- TMPDIR=/tmp
-fi
-
-
-TMPFILE="$TMPDIR/genbkitmp$$.c"
+TMPFILE=$(tempfile --prefix=genbki --suffix=.c) || { echo "$0: Cannot create
temporary file" >&2; exit 1; }
trap "rm -f $TMPFILE ${OUTPUT_PREFIX}.bki.$$ ${OUTPUT_PREFIX}.description.$$"
0 1 2 3 15
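Review bot: `tempfile` is a Debian-specific command (debianutils), so the new `TMPFILE=$(tempfile --prefix=genbki --suffix=.c)` line is not an upstream-ready fix, as the cover mail itself notes; for the tree at large prefer `mktemp` where it exists (e.g. `TMPFILE=$(mktemp "${TMPDIR:-/tmp}/genbkiXXXXXX") || exit 1`) and otherwise keep the old name but run the script under `set -C` so the later redirection refuses a pre-placed symlink. The error handling (`|| { echo ... >&2; exit 1; }`) is the right shape and should be kept whichever command is used. Note also that the retained `trap` line still cleans up `${OUTPUT_PREFIX}.bki.$$` and `${OUTPUT_PREFIX}.description.$$`, PID-suffixed names this hunk does not touch; they live next to the output rather than in `$TMPDIR`, so the exposure is smaller, but the same reasoning applies if that directory is shared.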
diff -ruN postgresql-7.4.6-old/src/test/bench/perquery
postgresql-7.4.6/src/test/bench/perquery
--- postgresql-7.4.6-old/src/test/bench/perquery 1996-07-09
08:22:21.000000000 +0200
+++ postgresql-7.4.6/src/test/bench/perquery 2005-01-24 21:55:49.009006176
+0100
@@ -1,12 +1,11 @@
#!/bin/sh
-egrep 'x = "|elapse' > /tmp/foo$$
-
+egrep 'x = "|elapse' | \
awk 'BEGIN { x = 0; y = 0; z = 0; a = 0; } \
/.*elapse.*/ {x = $2 + x; y = $4 + y; z = $6 + z;} \
/.*x = ".*/ { \
printf "query %2d: %7.3f real %7.3f user %7.3f sys\n", a, x, y, z; \
x = 0; y = 0; z = 0; a = a + 1; } \
- END {printf("query %2d: %7.3f real %7.3f user %7.3f sys\n", a, x, y,
z);}' \
- < /tmp/foo$$
+ END {printf("query %2d: %7.3f real %7.3f user %7.3f sys\n", a, x, y,
z);}'
+
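Review bot: the final `+` line adds a trailing blank line to the script, an unrelated whitespace change that could be dropped from the hunk. Otherwise this is the stronger of the two fixes: replacing the `> /tmp/foo$$` write and the matching `< /tmp/foo$$` read with a single `egrep ... | awk` pipe removes the temporary file altogether, so there is no predictable name to pre-create and no cleanup to forget, and the awk program is unchanged apart from dropping the input redirection.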
