Prevent execution of enum_recv() from SQL.

This function was misdeclared to take cstring when it should take internal.
This at least allows crashing the server, and in principle an attacker
might be able to use the function to examine the contents of server memory.

The correct fix is to adjust the system catalog contents (and fix the
regression tests that should have caught this but failed to).  However,
asking users to correct the catalog contents in existing installations
is a pain, so as a band-aid fix for the back branches, install a check
in enum_recv() to make it throw error if called with a cstring argument.
We will later revert this in HEAD in favor of correcting the catalogs.

Our thanks to Sumit Soni (via Secunia SVCRP) for reporting this issue.

Security: CVE-2013-0255

diff --git a/doc/src/sgml/release-8.3.sgml b/doc/src/sgml/release-8.3.sgml
index 7d9764c9874a84e0542643562d9a4ffec9017003..43db2ad35adabea47edd42b1be65cf5c8c6edfd8 100644 (file)
--- a/doc/src/sgml/release-8.3.sgml
+++ b/doc/src/sgml/release-8.3.sgml
@@ -40,6 +40,19 @@
 
    <itemizedlist>
 
+    <listitem>
+     <para>
+      Prevent execution of <function>enum_recv</> from SQL (Tom Lane)
+     </para>
+
+     <para>
+      The function was misdeclared, allowing a simple SQL command to crash the
+      server.  In principle an attacker might be able to use it to examine the
+      contents of server memory.  Our thanks to Sumit Soni (via Secunia SVCRP)
+      for reporting this issue.  (CVE-2013-0255)
+     </para>
+    </listitem>
+
     <listitem>
      <para>
       Fix SQL grammar to allow subscripting or field selection from a

diff --git a/doc/src/sgml/release-8.4.sgml b/doc/src/sgml/release-8.4.sgml
index 1d601f1c07ead3f611e87c7091090fd51294a05a..03f31e63a84a94123175c49cd3ac3edf772539a3 100644 (file)
--- a/doc/src/sgml/release-8.4.sgml
+++ b/doc/src/sgml/release-8.4.sgml
@@ -34,6 +34,19 @@
 
    <itemizedlist>
 
+    <listitem>
+     <para>
+      Prevent execution of <function>enum_recv</> from SQL (Tom Lane)
+     </para>
+
+     <para>
+      The function was misdeclared, allowing a simple SQL command to crash the
+      server.  In principle an attacker might be able to use it to examine the
+      contents of server memory.  Our thanks to Sumit Soni (via Secunia SVCRP)
+      for reporting this issue.  (CVE-2013-0255)
+     </para>
+    </listitem>
+
     <listitem>
      <para>
       Update minimum recovery point when truncating a relation file (Heikki

diff --git a/src/backend/utils/adt/enum.c b/src/backend/utils/adt/enum.c
index 009c6c3f924721fb2034e3755571c10f516549d4..2f6eb2ef157d1521d4c7eb5f8fc7dfeca589898a 100644 (file)
--- a/src/backend/utils/adt/enum.c
+++ b/src/backend/utils/adt/enum.c
@@ -14,6 +14,7 @@
 #include "postgres.h"
 
 #include "catalog/pg_enum.h"
+#include "catalog/pg_type.h"
 #include "fmgr.h"
 #include "utils/array.h"
 #include "utils/builtins.h"
@@ -99,6 +100,10 @@ enum_recv(PG_FUNCTION_ARGS)
        char       *name;
        int                     nbytes;
 
+       /* guard against pre-9.3 misdeclaration of enum_recv */
+       if (get_fn_expr_argtype(fcinfo->flinfo, 0) == CSTRINGOID)
+               elog(ERROR, "invalid argument for enum_recv");
+
        name = pq_getmsgtext(buf, buf->len - buf->cursor, &nbytes);
 
        /* must check length to prevent Assert failure within SearchSysCache */