Bug 1188684 (CVE-2015-0241)

Summary: CVE-2015-0241 postgresql: buffer overflow in the to_char() function
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: cperry, dajohnso, gmccullo, hhorak, jhardy, jorton, jprause, jvlcek, kvolny, mmaslano, praiskup, security-response-team, xlecauch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: postgresql 9.0.19, postgresql 9.1.15, postgresql 9.2.10, postgresql 9.3.6, postgresql 9.4.1 Doc Type: Bug Fix
Doc Text:
A buffer overflow flaw was found in the way PostgreSQL handled certain numeric formatting. An authenticated database user could use a specially crafted timestamp formatting template to cause PostgreSQL to crash or, under certain conditions, execute arbitrary code with the permissions of the user running PostgreSQL.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-20 10:49:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1192909, 1192910, 1198651, 1198652, 1198653, 1198654, 1198663, 1198672, 1198673, 1198733    
Bug Blocks: 1188677    

Description Martin Prpič 2015-02-03 14:22:00 UTC 
The PostgreSQL project reports the following issue:

When to_char() processes a numeric formatting template calling for a large number of digits, PostgreSQL would read past the end of a buffer. When processing a crafted timestamp formatting template, PostgreSQL would write past the end of a buffer. Either case could crash the server. We have not ruled out the possibility of attacks that lead to privilege escalation, though they seem unlikely.

Acknowledgements:

Red Hat would like to thank the PostgreSQL project for reporting this issue. Upstream acknowledges Andres Freund, Peter Geoghegan, Bernd Helmle, and Noah Misch as the original reporters.
Comment 1 Huzaifa S. Sidhpurwala 2015-02-16 05:16:48 UTC 
External References:

http://www.postgresql.org/about/news/1569/
Comment 2 Huzaifa S. Sidhpurwala 2015-02-16 06:20:47 UTC 
Upstream commit:

https://github.com/postgres/postgres/commit/0150ab567bcf5e5913e2b62a1678f84cc272441f
Comment 3 Huzaifa S. Sidhpurwala 2015-02-16 06:52:57 UTC 
This issue was addressed in Fedora 20 and Fedora 21 via the following security advisories:

https://admin.fedoraproject.org/updates/FEDORA-2015-1728/postgresql-9.3.6-1.fc20
https://admin.fedoraproject.org/updates/FEDORA-2015-1745/postgresql-9.3.6-1.fc21
Comment 12 errata-xmlrpc 2015-03-18 16:36:13 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS

Via RHSA-2015:0699 https://rhn.redhat.com/errata/RHSA-2015-0699.html
Comment 13 errata-xmlrpc 2015-03-30 11:31:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2015:0750 https://rhn.redhat.com/errata/RHSA-2015-0750.html
Comment 14 errata-xmlrpc 2015-04-20 09:46:31 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite Server v 5.7

Via RHSA-2015:0856 https://rhn.redhat.com/errata/RHSA-2015-0856.html