Re: Oracle 9i DB Security Hole
Hi Nuno,
If Oracle's compiler logic is anywhere close to how DB2's works I can very well understand how such a bug occurs and reaches production. It is not obvious that adding a new SQL operator in a parse tree (or Query Graph Model in the DB2 case) can impact authorization checking for base objects. For that reason it can happen that QA simply didn't plan for it. Black box testing carries you only that far, and for good white box testing you need very senior technical people (who tend to be bottlenecks) having a good day.
I'd be the last to throw a stone on that one. Sooner or later it may be IBM's or (count my blessings) even my turn.
Nonetheless Oracle would be wise to retire their "Unbreakable" marketing campaign. Mortality is just too obvious now and the competition will likely and happily point that out in case they forget about it ever again :-)
Cheers
Serge
--
Serge Rielau
DB2 UDB SQL Compiler Development
IBM Software Lab, Canada
Received on Fri Apr 19 2002 - 07:14:32 CDT