Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
I would like to upload plv8 to jessie. Is that acceptable?
As per [1], a security upload is not applicable.
[1] https://www.debian.org/releases/jessie/amd64/release-notes/ch-information.en.html#libv8
diff -Nru plv8-1.4.2.ds/debian/changelog plv8-1.4.2.ds/debian/changelog
--- plv8-1.4.2.ds/debian/changelog 2014-07-28 12:58:12.000000000 +0200
+++ plv8-1.4.2.ds/debian/changelog 2017-03-23 10:59:59.000000000 +0100
@@ -1,3 +1,9 @@
+plv8 (1.4.2.ds-2+deb8u1) jessie; urgency=high
+
+ * Security bugfix picked from 1.4.9: Check for permission to call functions.
+
+ -- Christoph Berg <christoph.berg@credativ.de> Thu, 23 Mar 2017 10:59:59 +0100
+
plv8 (1.4.2.ds-2) unstable; urgency=medium
* Pull patches from upstream to support PostgreSQL 9.4.
diff -Nru plv8-1.4.2.ds/debian/patches/90a57729abb488bf830c2f9783353dfe353ca4f0 plv8-1.4.2.ds/debian/patches/90a57729abb488bf830c2f9783353dfe353ca4f0
--- plv8-1.4.2.ds/debian/patches/90a57729abb488bf830c2f9783353dfe353ca4f0 1970-01-01 01:00:00.000000000 +0100
+++ plv8-1.4.2.ds/debian/patches/90a57729abb488bf830c2f9783353dfe353ca4f0 2017-03-23 10:58:46.000000000 +0100
@@ -0,0 +1,78 @@
+diff --git a/expected/startup.out b/expected/startup.out
+index 0cd9941..0bc62d1 100644
+--- a/expected/startup.out
++++ b/expected/startup.out
+@@ -1,7 +1,7 @@
+ -- test startup failure
+ set plv8.start_proc = foo;
+ do $$ plv8.elog(NOTICE, 'foo = ' + foo) $$ language plv8;
+-WARNING: failed to find js function function "foo" does not exist
++WARNING: failed to find js function function "foo()" does not exist
+ ERROR: ReferenceError: foo is not defined
+ DETAIL: undefined() LINE 1: plv8.elog(NOTICE, 'foo = ' + foo)
+ \c
+diff --git a/plv8.cc b/plv8.cc
+index 54d4f3a..d0a81e3 100644
+--- a/plv8.cc
++++ b/plv8.cc
+@@ -1263,6 +1263,18 @@ ThrowError(const char *message) throw()
+ return ThrowException(Exception::Error(String::New(message)));
+ }
+
++static text *
++charToText(char *string)
++{
++ int len = strlen(string);
++ text *result = (text *) palloc(len + 1 + VARHDRSZ);
++
++ SET_VARSIZE(result, len + VARHDRSZ);
++ memcpy(VARDATA(result), string, len + 1);
++
++ return result;
++}
++
+ static Persistent<Context>
+ GetGlobalContext()
+ {
+@@ -1307,10 +1319,40 @@ GetGlobalContext()
+ Context::Scope context_scope(global_context);
+ TryCatch try_catch;
+ MemoryContext ctx = CurrentMemoryContext;
++ text *arg1, *arg2;
++ FunctionCallInfoData fake_fcinfo;
++ FmgrInfo flinfo;
++
++ char proc[NAMEDATALEN + 32];
++ strcpy(proc, plv8_start_proc);
++ strcat(proc, "()");
++ char perm[16];
++ strcpy(perm, "EXECUTE");
++ arg1 = charToText(proc);
++ arg2 = charToText(perm);
++
++ MemSet(&fake_fcinfo, 0, sizeof(fake_fcinfo));
++ MemSet(&flinfo, 0, sizeof(flinfo));
++ fake_fcinfo.flinfo = &flinfo;
++ flinfo.fn_oid = InvalidOid;
++ flinfo.fn_mcxt = CurrentMemoryContext;
++ fake_fcinfo.nargs = 2;
++ fake_fcinfo.arg[0] = CStringGetDatum(arg1);
++ fake_fcinfo.arg[1] = CStringGetDatum(arg2);
+
+ PG_TRY();
+ {
+- func = find_js_function_by_name(plv8_start_proc);
++ Datum ret = has_function_privilege_name(&fake_fcinfo);
++
++ if (ret == 0) {
++ elog(WARNING, "failed to find js function %s", plv8_start_proc);
++ } else {
++ if (DatumGetBool(ret)) {
++ func = find_js_function_by_name(plv8_start_proc);
++ } else {
++ elog(WARNING, "no permission to execute js function %s", plv8_start_proc);
++ }
++ }
+ }
+ PG_CATCH();
+ {
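Review bot: `strcpy(proc, plv8_start_proc); strcat(proc, "()");` copies the GUC value into a fixed stack buffer `char proc[NAMEDATALEN + 32]` with no length check; plv8.start_proc is (as far as I recall) a PGC_USERSET string and nothing in this hunk bounds its length, so an over-long setting would overflow GetGlobalContext's stack frame before any privilege check runs. Replace the two calls with `snprintf(proc, sizeof(proc), "%s()", plv8_start_proc);` (a truncated name then simply fails the lookup and is reported by the existing warning), or build the string with `psprintf` and `pfree` it afterwards. Separately, `if (ret == 0)` treats `BoolGetDatum(false)` — which is `(Datum) 0` — as "failed to find js function", so the `no permission to execute js function` branch is unreachable and a caller lacking EXECUTE gets the wrong warning; test `DatumGetBool(ret)` directly and let PG_CATCH handle the missing-function ERROR, which is what has_function_privilege_name raises (the expected/startup.out change in this same patch shows exactly that ERROR being caught). GetGlobalContext continues past the end of the hunk (the PG_CATCH block is cut off), and `CStringGetDatum(arg1)` on a `text *` should read `PointerGetDatum(arg1)` even though the two expand identically.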
diff -Nru plv8-1.4.2.ds/debian/patches/series plv8-1.4.2.ds/debian/patches/series
--- plv8-1.4.2.ds/debian/patches/series 2014-07-28 12:55:57.000000000 +0200
+++ plv8-1.4.2.ds/debian/patches/series 2017-03-23 10:58:55.000000000 +0100
@@ -5,3 +5,4 @@
094df45dce2a879d1814b792aeb46b38f0f0ef87
0163635ecab45ec53419b9a3ea4ea890495ce3cc
aedc9e64ba18d591f0a4afadecc936d778282bde
+90a57729abb488bf830c2f9783353dfe353ca4f0
Christoph