Prevent execution of enum_recv() from SQL.

This function was misdeclared to take cstring when it should take internal. This at least allows crashing the server, and in principle an attacker might be able to use the function to examine the contents of server memory. The correct fix is to adjust the system catalog contents (and fix the regression tests that should have caught this but failed to). However, asking users to correct the catalog contents in existing installations is a pain, so as a band-aid fix for the back branches, install a check in enum_recv() to make it throw error if called with a cstring argument. We will later revert this in HEAD in favor of correcting the catalogs. Our thanks to Sumit Soni (via Secunia SVCRP) for reporting this issue. Security: CVE-2013-0255

Prevent execution of enum_recv() from SQL.
This function was misdeclared to take cstring when it should take internal. This at least allows crashing the server, and in principle an attacker might be able to use the function to examine the contents of server memory. The correct fix is to adjust the system catalog contents (and fix the regression tests that should have caught this but failed to). However, asking users to correct the catalog contents in existing installations is a pain, so as a band-aid fix for the back branches, install a check in enum_recv() to make it throw error if called with a cstring argument. We will later revert this in HEAD in favor of correcting the catalogs. Our thanks to Sumit Soni (via Secunia SVCRP) for reporting this issue. Security: CVE-2013-0255
ab0f7b60 · Tom Lane · 318db6b2 · ab0f7b60 · ab0f7b60 · ab0f7b60
Commit ab0f7b60 authored Feb 04, 2013 by Tom Lane
6 changed files
--- a/doc/src/sgml/release-8.3.sgml
+++ b/doc/src/sgml/release-8.3.sgml
@@ -40,6 +40,19 @@

   <itemizedlist>

+    <listitem>
+     <para>
+      Prevent execution of <function>enum_recv</> from SQL (Tom Lane)
+     </para>
+
+     <para>
+      The function was misdeclared, allowing a simple SQL command to crash the
+      server.  In principle an attacker might be able to use it to examine the
+      contents of server memory.  Our thanks to Sumit Soni (via Secunia SVCRP)
+      for reporting this issue.  (CVE-2013-0255)
+     </para>
+    </listitem>
+
    <listitem>
     <para>
      Fix SQL grammar to allow subscripting or field selection from a

--- a/doc/src/sgml/release-8.4.sgml
+++ b/doc/src/sgml/release-8.4.sgml
@@ -34,6 +34,19 @@

   <itemizedlist>

+    <listitem>
+     <para>
+      Prevent execution of <function>enum_recv</> from SQL (Tom Lane)
+     </para>
+
+     <para>
+      The function was misdeclared, allowing a simple SQL command to crash the
+      server.  In principle an attacker might be able to use it to examine the
+      contents of server memory.  Our thanks to Sumit Soni (via Secunia SVCRP)
+      for reporting this issue.  (CVE-2013-0255)
+     </para>
+    </listitem>
+
    <listitem>
     <para>
      Update minimum recovery point when truncating a relation file (Heikki

--- a/doc/src/sgml/release-9.0.sgml
+++ b/doc/src/sgml/release-9.0.sgml
@@ -34,6 +34,19 @@

   <itemizedlist>

+    <listitem>
+     <para>
+      Prevent execution of <function>enum_recv</> from SQL (Tom Lane)
+     </para>
+
+     <para>
+      The function was misdeclared, allowing a simple SQL command to crash the
+      server.  In principle an attacker might be able to use it to examine the
+      contents of server memory.  Our thanks to Sumit Soni (via Secunia SVCRP)
+      for reporting this issue.  (CVE-2013-0255)
+     </para>
+    </listitem>
+
    <listitem>
     <para>
      Fix multiple problems in detection of when a consistent database

--- a/doc/src/sgml/release-9.1.sgml
+++ b/doc/src/sgml/release-9.1.sgml
@@ -34,6 +34,19 @@

   <itemizedlist>

+    <listitem>
+     <para>
+      Prevent execution of <function>enum_recv</> from SQL (Tom Lane)
+     </para>
+
+     <para>
+      The function was misdeclared, allowing a simple SQL command to crash the
+      server.  In principle an attacker might be able to use it to examine the
+      contents of server memory.  Our thanks to Sumit Soni (via Secunia SVCRP)
+      for reporting this issue.  (CVE-2013-0255)
+     </para>
+    </listitem>
+
    <listitem>
     <para>
      Fix multiple problems in detection of when a consistent database

--- a/doc/src/sgml/release-9.2.sgml
+++ b/doc/src/sgml/release-9.2.sgml
@@ -34,6 +34,19 @@

   <itemizedlist>

+    <listitem>
+     <para>
+      Prevent execution of <function>enum_recv</> from SQL (Tom Lane)
+     </para>
+
+     <para>
+      The function was misdeclared, allowing a simple SQL command to crash the
+      server.  In principle an attacker might be able to use it to examine the
+      contents of server memory.  Our thanks to Sumit Soni (via Secunia SVCRP)
+      for reporting this issue.  (CVE-2013-0255)
+     </para>
+    </listitem>
+
    <listitem>
     <para>
      Fix multiple problems in detection of when a consistent database

--- a/src/backend/utils/adt/enum.c
+++ b/src/backend/utils/adt/enum.c
@@ -18,6 +18,7 @@
 #include "access/htup_details.h"
 #include "catalog/indexing.h"
 #include "catalog/pg_enum.h"
+#include "catalog/pg_type.h"
 #include "libpq/pqformat.h"
 #include "utils/array.h"
 #include "utils/builtins.h"
@@ -104,6 +105,10 @@ enum_recv(PG_FUNCTION_ARGS)
 	char	   *name;
 	int			nbytes;

+	/* guard against pre-9.3 misdeclaration of enum_recv */
+	if (get_fn_expr_argtype(fcinfo->flinfo, 0) == CSTRINGOID)
+		elog(ERROR, "invalid argument for enum_recv");
+
 	name = pq_getmsgtext(buf, buf->len - buf->cursor, &nbytes);

 	/* must check length to prevent Assert failure within SearchSysCache */