Control: retitle -1 unblock: pgbouncer/1.5.2-4 Re: To Debian Bug Tracking System 2012-10-22 <20121022145326.GA13202@msgid.df7cb.de> > unblock pgbouncer/1.5.2-3 In the meantime, there's an additional fix for #692103 (grave) in unstable: diff -Nru pgbouncer-1.5.2/debian/changelog pgbouncer-1.5.2/debian/changelog --- pgbouncer-1.5.2/debian/changelog 2012-10-07 19:16:41.000000000 +0200 +++ pgbouncer-1.5.2/debian/changelog 2012-11-02 10:07:46.000000000 +0100 @@ -1,3 +1,20 @@ +pgbouncer (1.5.2-4) unstable; urgency=medium + + * Cherry-pick from 1.5.3: Closes: #692103. + http://git.postgresql.org/gitweb/?p=pgbouncer.git;a=commitdiff;h=4b92112b820830b30cd7bc91bef3dd8f35305525 + Thanks to Markus Wanner for helping fix this. + + = Critical fix = + * Too long database names can lead to crash, which + is remotely triggerable if autodbs are enabled. + + The original checks assumed all names come from config files, + thus using fatal() was fine, but when autodbs are enabled + - by '*' in [databases] section - the database name can come + from network thus making remote shutdown possible. + + -- Christoph Berg <myon@debian.org> Fri, 02 Nov 2012 10:05:27 +0100 + pgbouncer (1.5.2-3) unstable; urgency=low * Re-add check for START=0 in the init script. Spotted by Sergey Burladyan. diff -Nru pgbouncer-1.5.2/debian/patches/692103-long-db-name pgbouncer-1.5.2/debian/patches/692103-long-db-name --- pgbouncer-1.5.2/debian/patches/692103-long-db-name 1970-01-01 01:00:00.000000000 +0100 +++ pgbouncer-1.5.2/debian/patches/692103-long-db-name 2012-11-02 10:10:41.000000000 +0100 @@ -0,0 +1,15 @@ +--- a/src/objects.c ++++ b/src/objects.c +@@ -303,7 +303,11 @@ + return NULL; + + list_init(&db->head); +- safe_strcpy(db->name, name, sizeof(db->name)); ++ if (strlcpy(db->name, name, sizeof(db->name)) >= sizeof(db->name)) { ++ log_warning("Too long db name: %s", name); ++ slab_free(db_cache, db); ++ return NULL; ++ } + put_in_order(&db->head, &database_list, cmp_database); + } + diff -Nru pgbouncer-1.5.2/debian/patches/series pgbouncer-1.5.2/debian/patches/series --- pgbouncer-1.5.2/debian/patches/series 2012-10-07 17:23:40.000000000 +0200 +++ pgbouncer-1.5.2/debian/patches/series 2012-11-02 10:09:33.000000000 +0100 @@ -1 +1,2 @@ +692103-long-db-name debian-config Please unblock pgbouncer/1.5.2-4 Thanks, Christoph -- cb@df7cb.de | http://www.df7cb.de/
Attachment:
signature.asc
Description: Digital signature