[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#858547: jessie-pu: package plv8/1.4.2.ds-2+deb8u1



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I would like to upload plv8 to jessie. Is that acceptable?

As per [1], a security upload is not applicable.

[1] https://www.debian.org/releases/jessie/amd64/release-notes/ch-information.en.html#libv8

diff -Nru plv8-1.4.2.ds/debian/changelog plv8-1.4.2.ds/debian/changelog
--- plv8-1.4.2.ds/debian/changelog	2014-07-28 12:58:12.000000000 +0200
+++ plv8-1.4.2.ds/debian/changelog	2017-03-23 10:59:59.000000000 +0100
@@ -1,3 +1,9 @@
+plv8 (1.4.2.ds-2+deb8u1) jessie; urgency=high
+
+  * Security bugfix picked from 1.4.9: Check for permission to call functions.
+
+ -- Christoph Berg <christoph.berg@credativ.de>  Thu, 23 Mar 2017 10:59:59 +0100
+
 plv8 (1.4.2.ds-2) unstable; urgency=medium
 
   * Pull patches from upstream to support PostgreSQL 9.4.
diff -Nru plv8-1.4.2.ds/debian/patches/90a57729abb488bf830c2f9783353dfe353ca4f0 plv8-1.4.2.ds/debian/patches/90a57729abb488bf830c2f9783353dfe353ca4f0
--- plv8-1.4.2.ds/debian/patches/90a57729abb488bf830c2f9783353dfe353ca4f0	1970-01-01 01:00:00.000000000 +0100
+++ plv8-1.4.2.ds/debian/patches/90a57729abb488bf830c2f9783353dfe353ca4f0	2017-03-23 10:58:46.000000000 +0100
@@ -0,0 +1,78 @@
+diff --git a/expected/startup.out b/expected/startup.out
+index 0cd9941..0bc62d1 100644
+--- a/expected/startup.out
++++ b/expected/startup.out
+@@ -1,7 +1,7 @@
+ -- test startup failure
+ set plv8.start_proc = foo;
+ do $$ plv8.elog(NOTICE, 'foo = ' + foo) $$ language plv8;
+-WARNING:  failed to find js function function "foo" does not exist
++WARNING:  failed to find js function function "foo()" does not exist
+ ERROR:  ReferenceError: foo is not defined
+ DETAIL:  undefined() LINE 1:  plv8.elog(NOTICE, 'foo = ' + foo) 
+ \c
+diff --git a/plv8.cc b/plv8.cc
+index 54d4f3a..d0a81e3 100644
+--- a/plv8.cc
++++ b/plv8.cc
+@@ -1263,6 +1263,18 @@ ThrowError(const char *message) throw()
+ 	return ThrowException(Exception::Error(String::New(message)));
+ }
+ 
++static text *
++charToText(char *string)
++{
++	int len = strlen(string);
++	text *result = (text *) palloc(len + 1 + VARHDRSZ);
++
++	SET_VARSIZE(result, len + VARHDRSZ);
++	memcpy(VARDATA(result), string, len + 1);
++
++	return result;
++}
++
+ static Persistent<Context>
+ GetGlobalContext()
+ {
+@@ -1307,10 +1319,40 @@ GetGlobalContext()
+ 			Context::Scope		context_scope(global_context);
+ 			TryCatch			try_catch;
+ 			MemoryContext		ctx = CurrentMemoryContext;
++			text *arg1, *arg2;
++			FunctionCallInfoData fake_fcinfo;
++			FmgrInfo	flinfo;
++
++			char proc[NAMEDATALEN + 32];
++			strcpy(proc, plv8_start_proc);
++			strcat(proc, "()");
++			char perm[16];
++			strcpy(perm, "EXECUTE");
++			arg1 = charToText(proc);
++			arg2 = charToText(perm);
++
++			MemSet(&fake_fcinfo, 0, sizeof(fake_fcinfo));
++			MemSet(&flinfo, 0, sizeof(flinfo));
++			fake_fcinfo.flinfo = &flinfo;
++			flinfo.fn_oid = InvalidOid;
++			flinfo.fn_mcxt = CurrentMemoryContext;
++			fake_fcinfo.nargs = 2;
++			fake_fcinfo.arg[0] = CStringGetDatum(arg1);
++			fake_fcinfo.arg[1] = CStringGetDatum(arg2);
+ 
+ 			PG_TRY();
+ 			{
+-				func = find_js_function_by_name(plv8_start_proc);
++				Datum ret = has_function_privilege_name(&fake_fcinfo);
++
++				if (ret == 0) {
++					elog(WARNING, "failed to find js function %s", plv8_start_proc);
++				} else {
++					if (DatumGetBool(ret)) {
++						func = find_js_function_by_name(plv8_start_proc);
++					} else {
++						elog(WARNING, "no permission to execute js function %s", plv8_start_proc);
++					}
++				}
+ 			}
+ 			PG_CATCH();
+ 			{
diff -Nru plv8-1.4.2.ds/debian/patches/series plv8-1.4.2.ds/debian/patches/series
--- plv8-1.4.2.ds/debian/patches/series	2014-07-28 12:55:57.000000000 +0200
+++ plv8-1.4.2.ds/debian/patches/series	2017-03-23 10:58:55.000000000 +0100
@@ -5,3 +5,4 @@
 094df45dce2a879d1814b792aeb46b38f0f0ef87
 0163635ecab45ec53419b9a3ea4ea890495ce3cc
 aedc9e64ba18d591f0a4afadecc936d778282bde
+90a57729abb488bf830c2f9783353dfe353ca4f0

Christoph

Attachment: signature.asc
Description: PGP signature


Reply to: