Debian Bug report logs - #692103
pgbouncer: add_database: fail gracefully if too long db name

Package: pgbouncer; Maintainer for pgbouncer is Christoph Berg <myon@debian.org>; Source for pgbouncer is src:pgbouncer.

Reported by: Christoph Berg <myon@debian.org>

Date: Fri, 2 Nov 2012 08:57:02 UTC

Severity: grave

Tags: security

Found in versions pgbouncer/1.3.3-2, pgbouncer/1.5.2-1

Fixed in versions pgbouncer/1.5.3-1, pgbouncer/1.5.2-4

Done: Christoph Berg <myon@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, markus@bluegap.ch:
Bug#692103; Package pgbouncer. (Fri, 02 Nov 2012 08:57:04 GMT)

Message #3 received at submit@bugs.debian.org:

From: Christoph Berg <myon@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pgbouncer: add_database: fail gracefully if too long db name
Date: Fri, 2 Nov 2012 09:53:36 +0100
Package: pgbouncer
Version: 1.5.2-1
Severity: grave
Tags: security

pgbouncer 1.5.3-1 in experimental fixes a DoS situation where large
database names can lead to server shutdown.

http://git.postgresql.org/gitweb/?p=pgbouncer.git;a=commitdiff;h=4b92112b820830b30cd7bc91bef3dd8f35305525

add_database: fail gracefully if too long db name

author Marko Kreen <markokr@gmail.com>
 Mon, 10 Sep 2012 10:07:43 +0000 (13:07 +0300)

Truncating & adding can lead to fatal() later.

It was not an issue before, but with autodb (* in [databases] section)
the database name can come from network, thus allowing remote shutdown.

src/objects.c

diff --git a/src/objects.c b/src/objects.c
index 3aeb36e..b61387f 100644 (file)
--- a/src/objects.c
+++ b/src/objects.c
@@ -303,7 +303,11 @@ PgDatabase *add_database(const char *name)
                        return NULL;
 
                list_init(&db->head);
-               safe_strcpy(db->name, name, sizeof(db->name));
+               if (strlcpy(db->name, name, sizeof(db->name)) >= sizeof(db->name)) {
+                       log_warning("Too long db name: %s", name);
+                       slab_free(db_cache, db);
+                       return NULL;
+               }
                put_in_order(&db->head, &database_list, cmp_database);
        }
 
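Review bot: the added log_warning("Too long db name: %s", name) call writes the entire rejected name to the log, and the commit message says this name can come from the network when autodb is enabled, so the client decides how many bytes and which bytes land in the log on every rejection. If log_warning accepts printf-style precision, bound the output, for example log_warning("Too long db name: %.*s", (int)sizeof(db->name) - 1, name), or log only the length of the name.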

Thanks to Markus Wanner for helping investigate the issue.

Christoph
-- 
cb@df7cb.de | http://www.df7cb.de/

Reply sent to Christoph Berg <myon@debian.org>:
You have taken responsibility. (Fri, 02 Nov 2012 09:51:07 GMT)

Notification sent to Christoph Berg <myon@debian.org>:
Bug acknowledged by developer. (Fri, 02 Nov 2012 09:51:08 GMT)

Message #8 received at 692103-close@bugs.debian.org:

From: Christoph Berg <myon@debian.org>
To: 692103-close@bugs.debian.org
Subject: Bug#692103: fixed in pgbouncer 1.5.2-4
Date: Fri, 02 Nov 2012 09:47:45 +0000
Source: pgbouncer
Source-Version: 1.5.2-4

We believe that the bug you reported is fixed in the latest version of
pgbouncer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 692103@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Berg <myon@debian.org> (supplier of updated pgbouncer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 02 Nov 2012 10:05:27 +0100
Source: pgbouncer
Binary: pgbouncer
Architecture: source amd64
Version: 1.5.2-4
Distribution: unstable
Urgency: medium
Maintainer: Christoph Berg <myon@debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Description: 
 pgbouncer  - lightweight connection pooler for PostgreSQL
Closes: 692103
Changes: 
 pgbouncer (1.5.2-4) unstable; urgency=medium
 .
   * Cherry-pick from 1.5.3:  Closes: #692103.
     http://git.postgresql.org/gitweb/?p=pgbouncer.git;a=commitdiff;h=4b92112b820830b30cd7bc91bef3dd8f35305525
     Thanks to Markus Wanner for helping fix this.
 .
     = Critical fix =
     * Too long database names can lead to crash, which
       is remotely triggerable if autodbs are enabled.
 .
       The original checks assumed all names come from config files,
       thus using fatal() was fine, but when autodbs are enabled
       - by '*' in [databases] section - the database name can come
       from network thus making remote shutdown possible.




Marked as found in versions pgbouncer/1.3.3-2. Request was from Christoph Berg <myon@debian.org> to control@bugs.debian.org. (Fri, 02 Nov 2012 11:27:03 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Berg <myon@debian.org>:
Bug#692103; Package pgbouncer. (Sat, 03 Nov 2012 05:48:08 GMT)

Acknowledgement sent to hans eisenrieder <eisenrieder@googlemail.com>:
Extra info received and forwarded to list. Copy sent to Christoph Berg <myon@debian.org>. (Sat, 03 Nov 2012 05:48:08 GMT)

Message #15 received at 692103@bugs.debian.org:

From: hans eisenrieder <eisenrieder@googlemail.com>
To: Christoph Berg <myon@debian.org>, 692103@bugs.debian.org, Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Unsubscribe
Date: Sat, 3 Nov 2012 06:45:47 +0100
Unsubscribe
2012/11/2 Christoph Berg <myon@debian.org>

> Package: pgbouncer
> Version: 1.5.2-1
> Severity: grave
> Tags: security
>
> pgbouncer 1.5.3-1 in experimental fixes a DoS situation where large
> database names can lead to server shutdown.
>
>
> http://git.postgresql.org/gitweb/?p=pgbouncer.git;a=commitdiff;h=4b92112b820830b30cd7bc91bef3dd8f35305525
>
> add_database: fail gracefully if too long db name
>
> author Marko Kreen <markokr@gmail.com>
>  Mon, 10 Sep 2012 10:07:43 +0000 (13:07 +0300)
>
> Truncating & adding can lead to fatal() later.
>
> It was not an issue before, but with autodb (* in [databases] section)
> the database name can come from network, thus allowing remote shutdown.
>
> src/objects.c
>
> diff --git a/src/objects.c b/src/objects.c
> index 3aeb36e..b61387f 100644 (file)
> --- a/src/objects.c
> +++ b/src/objects.c
> @@ -303,7 +303,11 @@ PgDatabase *add_database(const char *name)
>                         return NULL;
>
>                 list_init(&db->head);
> -               safe_strcpy(db->name, name, sizeof(db->name));
> +               if (strlcpy(db->name, name, sizeof(db->name)) >=
> sizeof(db->name)) {
> +                       log_warning("Too long db name: %s", name);
> +                       slab_free(db_cache, db);
> +                       return NULL;
> +               }
>                 put_in_order(&db->head, &database_list, cmp_database);
>         }
>
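Review bot: the strlcpy length check runs only after db has been taken from db_cache and list_init(&db->head) has been called, so every over-long name costs an allocation and needs the slab_free(db_cache, db) on the error path; checking the length of name before allocating would remove that branch. Also, add_database() now returns NULL for a reason other than allocation failure, and the callers are not part of this hunk, so confirm that the autodb path treats NULL as a rejected request and does not end in the fatal() the commit message is trying to avoid.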
>
> Thanks to Markus Wanner for helping investigate the issue.
>
> Christoph
> --
> cb@df7cb.de | http://www.df7cb.de/
>



-- 
Hans Eisenrieder

Färbergasse 7a
85080 Gaimersheim

Tel.   08458 345650
Fax   08458 3438663
Mobil 0170 5596261
<eisenrieder@gmail.com>

Marked as fixed in versions pgbouncer/1.5.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 08 Nov 2012 18:36:03 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 07:28:39 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 08:24:57 2014; Machine Name: buxtehude.debian.org
