Re: Security lessons from liblzma - libsystemd

Étienne BERSAC <etienne.bersac@dalibo.com>

From: Étienne BERSAC <etienne.bersac@dalibo.com>
To: Peter Eisentraut <peter@eisentraut.org>, Magnus Hagander <magnus@hagander.net>, Andres Freund <andres@anarazel.de>
Cc: Bruce Momjian <bruce@momjian.us>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2024-04-08T10:05:18Z
Lists: pgsql-hackers

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Introduce a non-recursive JSON parser

Hi,

> There are many more interesting and scary libraries in the dependency
> tree of "postgres", so just picking off one right now doesn't really
> accomplish anything.  The next release of libsystemd will drop all
> the compression libraries as hard dependencies, so the issue in that
> sense is gone anyway.  Also, fun fact: liblzma is also a dependency
> via libxml2.

Having an audit of all libraries linked to postgres and their level of
trust should help to point the next weak point. I'm pretty sure we have
several of these tiny libraries maintained by a lone out of time hacker
linked somewhere. What is the next xz ?

Regards,
Étienne 
-- 
DALIBO