Re: Zlib vulnerability heads-up.
Jan Wieck <janwieck@yahoo.com>
From: Jan Wieck <janwieck@yahoo.com>
To: Lamar Owen <lamar.owen@wgcr.org>
Cc: Trond Eivind Glomsrød <teg@redhat.com>, pgsql-hackers@postgresql.org
Date: 2002-03-12T21:00:56Z
Lists: pgsql-hackers, pgsql-general
Lamar Owen wrote:
> On Tuesday 12 March 2002 11:24 am, Trond Eivind Glomsrød wrote:
> > Lamar Owen <lamar.owen@wgcr.org> writes:
> > > Updating zlib is strongly recommended by many sources, and a patch is
> > > available.
>
> > FWIW, I really doubt this is much of a problem for postgresql. It's
> > mainly a problem for applications dealing with untrusted, compressed
> > data (webbrowsers, imageviewers, programs with skins downloaded from
> > the Internet) etc.
>
> It's probably NOT a big problem; but it IS a bug in an underlying library.
If fact, it isn't a problem at all. The only data any
PostgreSQL DBA would ever pump into a restore is something he
built himself or something he got from a secure source,
right? I mean, you don't feed some unknown script you found
on the net into the DB as the PostgreSQL superuser. In that
case, someone doesn't need to hand-craft such bad compressed
data, he can simply use the \! functionality of psql in his
script to do whatever he wants as user postgres.
Jan
--
#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me. #
#================================================== JanWieck@Yahoo.com #
_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com