[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#858547: marked as done (jessie-pu: package plv8/1.4.2.ds-2+deb8u1)

Your message dated Sat, 06 May 2017 14:44:18 +0100
with message-id <1494078258.26551.13.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 8.8
has caused the Debian Bug report #858547,
regarding jessie-pu: package plv8/1.4.2.ds-2+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
858547: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858547
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I would like to upload plv8 to jessie. Is that acceptable?

As per [1], a security upload is not applicable.

[1] https://www.debian.org/releases/jessie/amd64/release-notes/ch-information.en.html#libv8

diff -Nru plv8-1.4.2.ds/debian/changelog plv8-1.4.2.ds/debian/changelog
--- plv8-1.4.2.ds/debian/changelog	2014-07-28 12:58:12.000000000 +0200
+++ plv8-1.4.2.ds/debian/changelog	2017-03-23 10:59:59.000000000 +0100
@@ -1,3 +1,9 @@
+plv8 (1.4.2.ds-2+deb8u1) jessie; urgency=high
+
+  * Security bugfix picked from 1.4.9: Check for permission to call functions.
+
+ -- Christoph Berg <christoph.berg@credativ.de>  Thu, 23 Mar 2017 10:59:59 +0100
+
 plv8 (1.4.2.ds-2) unstable; urgency=medium
 
   * Pull patches from upstream to support PostgreSQL 9.4.
diff -Nru plv8-1.4.2.ds/debian/patches/90a57729abb488bf830c2f9783353dfe353ca4f0 plv8-1.4.2.ds/debian/patches/90a57729abb488bf830c2f9783353dfe353ca4f0
--- plv8-1.4.2.ds/debian/patches/90a57729abb488bf830c2f9783353dfe353ca4f0	1970-01-01 01:00:00.000000000 +0100
+++ plv8-1.4.2.ds/debian/patches/90a57729abb488bf830c2f9783353dfe353ca4f0	2017-03-23 10:58:46.000000000 +0100
@@ -0,0 +1,78 @@
+diff --git a/expected/startup.out b/expected/startup.out
+index 0cd9941..0bc62d1 100644
+--- a/expected/startup.out
++++ b/expected/startup.out
+@@ -1,7 +1,7 @@
+ -- test startup failure
+ set plv8.start_proc = foo;
+ do $$ plv8.elog(NOTICE, 'foo = ' + foo) $$ language plv8;
+-WARNING:  failed to find js function function "foo" does not exist
++WARNING:  failed to find js function function "foo()" does not exist
+ ERROR:  ReferenceError: foo is not defined
+ DETAIL:  undefined() LINE 1:  plv8.elog(NOTICE, 'foo = ' + foo) 
+ \c
+diff --git a/plv8.cc b/plv8.cc
+index 54d4f3a..d0a81e3 100644
+--- a/plv8.cc
++++ b/plv8.cc
+@@ -1263,6 +1263,18 @@ ThrowError(const char *message) throw()
+ 	return ThrowException(Exception::Error(String::New(message)));
+ }
+ 
++static text *
++charToText(char *string)
++{
++	int len = strlen(string);
++	text *result = (text *) palloc(len + 1 + VARHDRSZ);
++
++	SET_VARSIZE(result, len + VARHDRSZ);
++	memcpy(VARDATA(result), string, len + 1);
++
++	return result;
++}
++
+ static Persistent<Context>
+ GetGlobalContext()
+ {
+@@ -1307,10 +1319,40 @@ GetGlobalContext()
+ 			Context::Scope		context_scope(global_context);
+ 			TryCatch			try_catch;
+ 			MemoryContext		ctx = CurrentMemoryContext;
++			text *arg1, *arg2;
++			FunctionCallInfoData fake_fcinfo;
++			FmgrInfo	flinfo;
++
++			char proc[NAMEDATALEN + 32];
++			strcpy(proc, plv8_start_proc);
++			strcat(proc, "()");
++			char perm[16];
++			strcpy(perm, "EXECUTE");
++			arg1 = charToText(proc);
++			arg2 = charToText(perm);
++
++			MemSet(&fake_fcinfo, 0, sizeof(fake_fcinfo));
++			MemSet(&flinfo, 0, sizeof(flinfo));
++			fake_fcinfo.flinfo = &flinfo;
++			flinfo.fn_oid = InvalidOid;
++			flinfo.fn_mcxt = CurrentMemoryContext;
++			fake_fcinfo.nargs = 2;
++			fake_fcinfo.arg[0] = CStringGetDatum(arg1);
++			fake_fcinfo.arg[1] = CStringGetDatum(arg2);
+ 
+ 			PG_TRY();
+ 			{
+-				func = find_js_function_by_name(plv8_start_proc);
++				Datum ret = has_function_privilege_name(&fake_fcinfo);
++
++				if (ret == 0) {
++					elog(WARNING, "failed to find js function %s", plv8_start_proc);
++				} else {
++					if (DatumGetBool(ret)) {
++						func = find_js_function_by_name(plv8_start_proc);
++					} else {
++						elog(WARNING, "no permission to execute js function %s", plv8_start_proc);
++					}
++				}
+ 			}
+ 			PG_CATCH();
+ 			{
diff -Nru plv8-1.4.2.ds/debian/patches/series plv8-1.4.2.ds/debian/patches/series
--- plv8-1.4.2.ds/debian/patches/series	2014-07-28 12:55:57.000000000 +0200
+++ plv8-1.4.2.ds/debian/patches/series	2017-03-23 10:58:55.000000000 +0100
@@ -5,3 +5,4 @@
 094df45dce2a879d1814b792aeb46b38f0f0ef87
 0163635ecab45ec53419b9a3ea4ea890495ce3cc
 aedc9e64ba18d591f0a4afadecc936d778282bde
+90a57729abb488bf830c2f9783353dfe353ca4f0

Christoph

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message --- 
Version: 8.8

Hi,

Each of these bugs refers to an update that was included in today's
jessie point release. Thanks!

Regards,

Adam

--- End Message ---
Reply to: