diff --git a/doc/src/sgml/release-8.3.sgml b/doc/src/sgml/release-8.3.sgml index 7d9764c9874a84e0542643562d9a4ffec9017003..43db2ad35adabea47edd42b1be65cf5c8c6edfd8 100644 --- a/doc/src/sgml/release-8.3.sgml +++ b/doc/src/sgml/release-8.3.sgml @@ -40,6 +40,19 @@ <itemizedlist> + <listitem> + <para> + Prevent execution of <function>enum_recv</> from SQL (Tom Lane) + </para> + + <para> + The function was misdeclared, allowing a simple SQL command to crash the + server. In principle an attacker might be able to use it to examine the + contents of server memory. Our thanks to Sumit Soni (via Secunia SVCRP) + for reporting this issue. (CVE-2013-0255) + </para> + </listitem> + <listitem> <para> Fix SQL grammar to allow subscripting or field selection from a diff --git a/src/backend/utils/adt/enum.c b/src/backend/utils/adt/enum.c index fc4e604bf609661090153bb0f28646b5252e2f0d..7890dd68460853f24a8043d53891672019234514 100644 --- a/src/backend/utils/adt/enum.c +++ b/src/backend/utils/adt/enum.c @@ -14,6 +14,7 @@ #include "postgres.h" #include "catalog/pg_enum.h" +#include "catalog/pg_type.h" #include "fmgr.h" #include "utils/array.h" #include "utils/builtins.h" @@ -99,6 +100,10 @@ enum_recv(PG_FUNCTION_ARGS) char *name; int nbytes; + /* guard against pre-9.3 misdeclaration of enum_recv */ + if (get_fn_expr_argtype(fcinfo->flinfo, 0) == CSTRINGOID) + elog(ERROR, "invalid argument for enum_recv"); + name = pq_getmsgtext(buf, buf->len - buf->cursor, &nbytes); /* must check length to prevent Assert failure within SearchSysCache */