Re: Securing "make check" (CVE-2014-0067)

Noah Misch <noah@leadboat.com>

From: Noah Misch <noah@leadboat.com>
To: Christoph Berg <cb@df7cb.de>
Cc: pgsql-hackers@postgresql.org, Tom Lane <tgl@sss.pgh.pa.us>, Bruce Momjian <bruce@momjian.us>, Peter Eisentraut <peter_e@gmx.net>
Date: 2014-07-08T17:41:25Z
Lists: pgsql-hackers
On Tue, Jul 08, 2014 at 07:02:04PM +0200, Christoph Berg wrote:
> Re: Noah Misch 2014-06-08 <20140608135713.GA525142@tornado.leadboat.com>
> > Here's an update that places the socket in a temporary subdirectory of /tmp.
> > The first attached patch adds NetBSD mkdtemp() to libpgport.  The second,
> > principal, patch uses mkdtemp() to implement this design in pg_regress.  The
> > corresponding change to contrib/pg_upgrade/test.sh is based on the "configure"
> > script's arrangements for its temporary directory.
> 
> Hi,
> 
> I believe pg_upgrade itself still needs a fix. While it's not a
> security problem to put the socket in $CWD while upgrading (it is
> using -c unix_socket_permissions=0700), this behavior is pretty
> unexpected, and does fail if your $CWD is > 107 bytes.
> 
> In f545d233ebce6971b6f9847680e48b679e707d22 Peter fixed the pg_ctl
> perl tests to avoid that problem, so imho it would make even more
> sense to fix pg_upgrade which could also fail in production.

+1.  Does writing that patch interest you?

-- 
Noah Misch
EnterpriseDB                                 http://www.enterprisedb.com


Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Have config_sspi_auth() permit IPv6 localhost connections.

  2. Lock down regression testing temporary clusters on Windows.

  3. Use a separate temporary directory for the Unix-domain socket

  4. Secure Unix-domain sockets of "make check" temporary clusters.