Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Oracle 9i DB Security Hole

From: Serge Rielau <srielau_at_ca.ibm.com>
Date: Fri, 19 Apr 2002 08:14:32 -0400
Message-ID: <3CC00A28.A05CFBBD@ca.ibm.com>


Hi Nuno,

If Oracle's compiler logic is anywhere close to how DB2's works I can very well understand how such a bug occurs and reaches production. It is not obvious that adding a new SQL operator in a parse tree (or Query Graph Model in the DB2 case) can impact authorization checking for base objects. For that reason it can happen that QA simply didn't plan for it. Black box testing carries you only that far, and for good white box testing you need very senior technical people (who tend to be bottlenecks) having a good day.

I'd be the last to throw a stone on that one. Sooner or later it may be IBM's or (count my blessings) even my turn.

Nonetheless Oracle would be wise to retire their "Unbreakable" marketing campaign.
Mortality is just too obvious now and the competition will likely and happily point that out in case they forget about it ever again :-)

Cheers
Serge

--
Serge Rielau
DB2 UDB SQL Compiler Development
IBM Software Lab, Canada
Received on Fri Apr 19 2002 - 07:14:32 CDT
