Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu
Hi, I would like to upload plv8 to jessie. Is that acceptable? As per [1], a security upload is not applicable. [1] https://www.debian.org/releases/jessie/amd64/release-notes/ch-information.en.html#libv8 diff -Nru plv8-1.4.2.ds/debian/changelog plv8-1.4.2.ds/debian/changelog --- plv8-1.4.2.ds/debian/changelog 2014-07-28 12:58:12.000000000 +0200 +++ plv8-1.4.2.ds/debian/changelog 2017-03-23 10:59:59.000000000 +0100 @@ -1,3 +1,9 @@ +plv8 (1.4.2.ds-2+deb8u1) jessie; urgency=high + + * Security bugfix picked from 1.4.9: Check for permission to call functions. + + -- Christoph Berg <christoph.b...@credativ.de> Thu, 23 Mar 2017 10:59:59 +0100 + plv8 (1.4.2.ds-2) unstable; urgency=medium * Pull patches from upstream to support PostgreSQL 9.4. diff -Nru plv8-1.4.2.ds/debian/patches/90a57729abb488bf830c2f9783353dfe353ca4f0 plv8-1.4.2.ds/debian/patches/90a57729abb488bf830c2f9783353dfe353ca4f0 --- plv8-1.4.2.ds/debian/patches/90a57729abb488bf830c2f9783353dfe353ca4f0 1970-01-01 01:00:00.000000000 +0100 +++ plv8-1.4.2.ds/debian/patches/90a57729abb488bf830c2f9783353dfe353ca4f0 2017-03-23 10:58:46.000000000 +0100 @@ -0,0 +1,78 @@ +diff --git a/expected/startup.out b/expected/startup.out +index 0cd9941..0bc62d1 100644 +--- a/expected/startup.out ++++ b/expected/startup.out +@@ -1,7 +1,7 @@ + -- test startup failure + set plv8.start_proc = foo; + do $$ plv8.elog(NOTICE, 'foo = ' + foo) $$ language plv8; +-WARNING: failed to find js function function "foo" does not exist ++WARNING: failed to find js function function "foo()" does not exist + ERROR: ReferenceError: foo is not defined + DETAIL: undefined() LINE 1: plv8.elog(NOTICE, 'foo = ' + foo) + \c +diff --git a/plv8.cc b/plv8.cc +index 54d4f3a..d0a81e3 100644 +--- a/plv8.cc ++++ b/plv8.cc +@@ -1263,6 +1263,18 @@ ThrowError(const char *message) throw() + return ThrowException(Exception::Error(String::New(message))); + } + ++static text * ++charToText(char *string) ++{ ++ int len = strlen(string); ++ text *result = (text *) palloc(len + 1 + VARHDRSZ); ++ ++ SET_VARSIZE(result, len + VARHDRSZ); ++ memcpy(VARDATA(result), string, len + 1); ++ ++ return result; ++} ++ + static Persistent<Context> + GetGlobalContext() + { +@@ -1307,10 +1319,40 @@ GetGlobalContext() + Context::Scope context_scope(global_context); + TryCatch try_catch; + MemoryContext ctx = CurrentMemoryContext; ++ text *arg1, *arg2; ++ FunctionCallInfoData fake_fcinfo; ++ FmgrInfo flinfo; ++ ++ char proc[NAMEDATALEN + 32]; ++ strcpy(proc, plv8_start_proc); ++ strcat(proc, "()"); ++ char perm[16]; ++ strcpy(perm, "EXECUTE"); ++ arg1 = charToText(proc); ++ arg2 = charToText(perm); ++ ++ MemSet(&fake_fcinfo, 0, sizeof(fake_fcinfo)); ++ MemSet(&flinfo, 0, sizeof(flinfo)); ++ fake_fcinfo.flinfo = &flinfo; ++ flinfo.fn_oid = InvalidOid; ++ flinfo.fn_mcxt = CurrentMemoryContext; ++ fake_fcinfo.nargs = 2; ++ fake_fcinfo.arg[0] = CStringGetDatum(arg1); ++ fake_fcinfo.arg[1] = CStringGetDatum(arg2); + + PG_TRY(); + { +- func = find_js_function_by_name(plv8_start_proc); ++ Datum ret = has_function_privilege_name(&fake_fcinfo); ++ ++ if (ret == 0) { ++ elog(WARNING, "failed to find js function %s", plv8_start_proc); ++ } else { ++ if (DatumGetBool(ret)) { ++ func = find_js_function_by_name(plv8_start_proc); ++ } else { ++ elog(WARNING, "no permission to execute js function %s", plv8_start_proc); ++ } ++ } + } + PG_CATCH(); + { diff -Nru plv8-1.4.2.ds/debian/patches/series plv8-1.4.2.ds/debian/patches/series --- plv8-1.4.2.ds/debian/patches/series 2014-07-28 12:55:57.000000000 +0200 +++ plv8-1.4.2.ds/debian/patches/series 2017-03-23 10:58:55.000000000 +0100 @@ -5,3 +5,4 @@ 094df45dce2a879d1814b792aeb46b38f0f0ef87 0163635ecab45ec53419b9a3ea4ea890495ce3cc aedc9e64ba18d591f0a4afadecc936d778282bde +90a57729abb488bf830c2f9783353dfe353ca4f0 Christoph
signature.asc
Description: PGP signature