From 9c89540227221ee9001868542fa9f8e5bdceae53 Mon Sep 17 00:00:00 2001 From: Palle Girgensohn Date: Sat, 19 Feb 2005 12:07:46 +0000 Subject: Fix security alert using a patch from PostgreSQL's CVS repository: Prevent overrunning a heap-allocated buffer if more than 1024 parameters to a refcursor declaration are specified. This is a minimally-invasive fix for the buffer overrun. Define LATEST_LINK to avoid package name clashes between the different branches of PostgreSQL. [1] (Since postgresql-tcltk is hardwired to branch 7.4, keep its LATEST_LINK to a generic value.) Set UNIQUENAME and let it be the same for server & client, so each branch's ports will share the same options file. This adds some no-op knobs to the -client port, but IMO it is better this way. Add space inside paranthesis in OSVERSION conditional to work around (ancient) make bug. [2] Remove the Rendez-Vouz knob for 8.0 since I can't find the software needed to even compile it on FreeBSD. Bump portrevision (for -server only). Noted by: kris [1] PR: ports/77530 [2] Security: http://www.vuxml.org/freebsd/6b4b0b3f-8127-11d9-a9e7-0001020eed82.html Approved by: seanc (mentor) --- .../files/patch-src-pl-plpgsql-src-gram-y | 69 ++++++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 databases/postgresql73-server/files/patch-src-pl-plpgsql-src-gram-y (limited to 'databases/postgresql73-server/files/patch-src-pl-plpgsql-src-gram-y') diff --git a/databases/postgresql73-server/files/patch-src-pl-plpgsql-src-gram-y b/databases/postgresql73-server/files/patch-src-pl-plpgsql-src-gram-y new file mode 100644 index 000000000000..e9d23cac61ea --- /dev/null +++ b/databases/postgresql73-server/files/patch-src-pl-plpgsql-src-gram-y @@ -0,0 +1,69 @@ +--- src/pl/plpgsql/src/gram.y 2005/01/27 01:44:42 1.39.2.1 REL7_3_9 ++++ src/pl/plpgsql/src/gram.y 2005/02/08 18:22:45 1.39.2.2 REL7_3_STABLE +@@ -4,7 +4,7 @@ + * procedural language + * + * IDENTIFICATION +- * $Header: /cvsroot/pgsql/src/pl/plpgsql/src/gram.y,v 1.39.2.1 2005/01/27 01:44:42 neilc Exp $ ++ * $Header: /cvsroot/pgsql/src/pl/plpgsql/src/gram.y,v 1.39.2.2 2005/02/08 18:22:45 tgl Exp $ + * + * This software is copyrighted by Jan Wieck - Hamburg. + * +@@ -1612,6 +1612,14 @@ read_sql_construct(int until, + } + if (plpgsql_SpaceScanned) + plpgsql_dstring_append(&ds, " "); ++ ++ /* Check for array overflow */ ++ if (nparams >= 1024) ++ { ++ plpgsql_error_lineno = lno; ++ elog(ERROR, "too many variables specified in SQL statement"); ++ } ++ + switch (tok) + { + case T_VARIABLE: +@@ -1761,6 +1769,13 @@ make_select_stmt(void) + + while ((tok = yylex()) == ',') + { ++ /* Check for array overflow */ ++ if (nfields >= 1024) ++ { ++ plpgsql_error_lineno = yylineno; ++ elog(ERROR, "too many INTO variables specified"); ++ } ++ + tok = yylex(); + switch(tok) + { +@@ -1809,6 +1824,14 @@ make_select_stmt(void) + + if (plpgsql_SpaceScanned) + plpgsql_dstring_append(&ds, " "); ++ ++ /* Check for array overflow */ ++ if (nparams >= 1024) ++ { ++ plpgsql_error_lineno = yylineno; ++ elog(ERROR, "too many variables specified in SQL statement"); ++ } ++ + switch (tok) + { + case T_VARIABLE: +@@ -1892,6 +1915,13 @@ make_fetch_stmt(void) + + while ((tok = yylex()) == ',') + { ++ /* Check for array overflow */ ++ if (nfields >= 1024) ++ { ++ plpgsql_error_lineno = yylineno; ++ elog(ERROR, "too many INTO variables specified"); ++ } ++ + tok = yylex(); + switch(tok) + { -- cgit v1.2.3